From owner-svn-src-head@freebsd.org Thu Jun 4 16:19:42 2020
Message-Id: <202006041619.054GJZ3C018924@slippy.cwsent.com>
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7.1
Reply-to: Cy Schubert
From: Cy Schubert
To: Conrad Meyer
cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r361791 - head/etc/mtree
In-reply-to: <202006041604.054G4KAb098395@repo.freebsd.org>
References: <202006041604.054G4KAb098395@repo.freebsd.org>
Comments: In-reply-to Conrad Meyer message dated "Thu, 04 Jun 2020 16:04:20 -0000."
Date: Thu, 04 Jun 2020 09:19:35 -0700
List-Id: SVN commit messages for the src tree for head/-current

In message <202006041604.054G4KAb098395@repo.freebsd.org>, Conrad Meyer writes:
> Author: cem
> Date: Thu Jun 4 16:04:19 2020
> New Revision: 361791
> URL: https://svnweb.freebsd.org/changeset/base/361791
>
> Log:
>   Restrict default /root permissions
>
>   Remove world-readability from the root directory. Sensitive information may be
>   stored in /root and we diverge here from normative administrative practice, as
>   well as installation defaults of other Unix-alikes. The wheel group is still
>   permitted to read the directory.
>
>   750 is no more restrictive than defaults for the rest of the open source
>   Unix-alike world.
>   In particular, Ben Woods surveyed DragonFly, NetBSD,
>   OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu. None have a
>   world-readable /root by default.
>
>   Submitted by:   Gordon Bergling
>   Reviewed by:    ian, myself
>   Discussed with: emaste (informal approval)
>   Relnotes:       sure?
>   Differential Revision:  https://reviews.freebsd.org/D23392
>
> Modified:
>   head/etc/mtree/BSD.root.dist
>
> Modified: head/etc/mtree/BSD.root.dist
> ==============================================================================
> --- head/etc/mtree/BSD.root.dist Thu Jun 4 14:44:44 2020 (r361790)
> +++ head/etc/mtree/BSD.root.dist Thu Jun 4 16:04:19 2020 (r361791)
> @@ -117,7 +117,7 @@
> ..
> rescue
> ..
> - root
> + root mode=0750
> ..
> sbin
> ..
>

Recent CIS benchmarks recommend 0700.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

The need of the many outweighs the greed of the few.
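Review bot: the "Relnotes: sure?" tag should be settled to a definite "Relnotes: yes" before this lands, because the hunk's `+ root mode=0750` in BSD.root.dist changes a long-standing installation default that the log itself says diverges from prior practice, and anything that relied on non-wheel users reading /root will stop working without an obvious error once the spec is applied. The one-token mtree change is otherwise consistent with the log's stated intent (wheel keeps read access through the group bits); since the reply notes that CIS benchmarks recommend 0700, the log should also record why 0750 was chosen over the stricter value.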