From owner-freebsd-hackers@freebsd.org  Wed Jan 29 23:52:10 2020
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3C8341FC779
 for <freebsd-hackers@mailman.nyi.freebsd.org>;
 Wed, 29 Jan 2020 23:52:10 +0000 (UTC) (envelope-from jhs@berklix.com)
Received: from slim.berklix.org (slim.berklix.org [94.185.90.68])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "slim.berklix.org", Issuer "slim.berklix.org" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 487Kyx3zLHz4NK7
 for <freebsd-hackers@freebsd.org>; Wed, 29 Jan 2020 23:52:09 +0000 (UTC)
 (envelope-from jhs@berklix.com)
Received: from mart.js.berklix.net (p5DDB7B97.dip0.t-ipconnect.de
 [93.219.123.151]) (authenticated bits=128)
 by slim.berklix.org (8.15.2/8.15.2) with ESMTPSA id 00TNpxQA094051
 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Thu, 30 Jan 2020 00:52:06 +0100 (CET) (envelope-from jhs@berklix.com)
Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41])
 by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id 00TNpwpH081361;
 Thu, 30 Jan 2020 00:51:58 +0100 (CET) (envelope-from jhs@berklix.com)
Received: from fire.js.berklix.net (localhost [127.0.0.1])
 by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id 00TNpcBP019156;
 Thu, 30 Jan 2020 00:51:48 +0100 (CET) (envelope-from jhs@berklix.com)
Message-Id: <202001292351.00TNpcBP019156@fire.js.berklix.net>
cc: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
cc: Gordon Bergling <gbergling@googlemail.com>
To: freebsd-hackers@freebsd.org
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
From: "Julian H. Stacey" <jhs@berklix.com>
Organization: http://berklix.com/jhs  http://stolenvotes.uk
User-agent: EXMH on FreeBSD http://berklix.com/free/
X-From: http://www.berklix.org/~jhs/
In-reply-to: Your message "Wed, 29 Jan 2020 13:34:38 -0800."
 <202001292134.00TLYce8066112@gndrsh.dnsmgr.net>
Date: Thu, 30 Jan 2020 00:51:38 +0100
X-Rspamd-Queue-Id: 487Kyx3zLHz4NK7
X-Spamd-Bar: ++
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of jhs@berklix.com has no SPF policy when
 checking 94.185.90.68) smtp.mailfrom=jhs@berklix.com
X-Spamd-Result: default: False [2.93 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[];
 MULTIPLE_UNIQUE_HEADERS(0.70)[Cc];
 MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[];
 DMARC_NA(0.00)[berklix.com]; AUTH_NA(1.00)[];
 NEURAL_SPAM_MEDIUM(0.69)[0.686,0]; HAS_ORG_HEADER(0.00)[];
 RCVD_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_SOME(0.00)[];
 NEURAL_SPAM_LONG(0.64)[0.642,0];
 RCVD_IN_DNSWL_NONE(0.00)[68.90.185.94.list.dnswl.org : 127.0.10.0];
 R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:33824, ipnet:94.185.88.0/22, country:DE];
 FREEMAIL_CC(0.00)[googlemail.com];
 IP_SCORE(0.00)[ip: (0.03), ipnet: 94.185.88.0/22(0.01), asn: 33824(-0.01),
 country: DE(-0.02)]; 
 RECEIVED_SPAMHAUS_PBL(0.00)[151.123.219.93.khpj7ygk5idzvmvt5x4ziurxhy.zen.dq.spamhaus.net
 : 127.0.0.10]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 23:52:10 -0000

"Rodney W. Grimes" wrote:
> > Hi,
> > 
> > I recently stumbled upon the default world readable permissons of /root and 
> > /etc/sysctl.conf. I think that it would be more secure to reduce the default
> > permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
> 
> Those values are over kill, you really want to stop group wheel from
> reading these?  At most they should be 0750 and 0640, and even that
> seems overboard.
> 
> If your stroring highly secure stuff in /root your probably doing some
> thing wrong anyway.
> 
> This appears to be security through obscurity based conservatism with
> no given attack vector of some form.
> 
> Others have made good points as well.  This also appears to be changing
> a default that would lead to many people unchanging it simply so a few
> that do change it can impose there defaults.
> 
> 
> > 
> > I prepared a differtial for the proposed change:
> > https://reviews.freebsd.org/D23392
> > 
> > What do you think?
> 
> Bad idea?

Agreed, too tight. Over tightening tempts local fast reflex loosening by
installers, with risk of over loosening if in a rush.  

Cheers
--
Julian Stacey, Consultant Systems Engineer, BSD Linux http://berklix.com/jhs/
UK stole 750,000 Brexit votes from Brits in EU + 3 M globaly.  170 states vote
abroad.  UK urged Brits in EU to foreign nationality  http://stolenvotes.uk