Date:      Thu, 04 Jun 2020 09:19:35 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Conrad Meyer <cem@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r361791 - head/etc/mtree
Message-ID:  <202006041619.054GJZ3C018924@slippy.cwsent.com>
In-Reply-To: <202006041604.054G4KAb098395@repo.freebsd.org>
References:  <202006041604.054G4KAb098395@repo.freebsd.org>

In message <202006041604.054G4KAb098395@repo.freebsd.org>, Conrad Meyer writes:
> Author: cem
> Date: Thu Jun  4 16:04:19 2020
> New Revision: 361791
> URL: https://svnweb.freebsd.org/changeset/base/361791
>
> Log:
>   Restrict default /root permissions
>   
>   Remove world-readability from the root directory.  Sensitive information may be
>   stored in /root and we diverge here from normative administrative practice, as
>   well as installation defaults of other Unix-alikes.  The wheel group is still
>   permitted to read the directory.
>   
>   750 is no more restrictive than defaults for the rest of the open source
>   Unix-alike world.  In particular, Ben Woods surveyed DragonFly, NetBSD,
>   OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu.  None have a
>   world-readable /root by default.
>   
>   Submitted by:	Gordon Bergling <gbergling AT gmail.com>
>   Reviewed by:	ian, myself
>   Discussed with:	emaste (informal approval)
>   Relnotes:	sure?
>   Differential Revision:	https://reviews.freebsd.org/D23392
>
> Modified:
>   head/etc/mtree/BSD.root.dist
>
> Modified: head/etc/mtree/BSD.root.dist
> =============================================================================
> =
> --- head/etc/mtree/BSD.root.dist	Thu Jun  4 14:44:44 2020	(r36179
> 0)
> +++ head/etc/mtree/BSD.root.dist	Thu Jun  4 16:04:19 2020	(r36179
> 1)
> @@ -117,7 +117,7 @@
>      ..
>      rescue
>      ..
> -    root
> +    root            mode=0750
>      ..
>      sbin
>      ..
>
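Review bot: the `root            mode=0750` entry only takes effect when the mtree spec is applied to a tree (new installs, or an installworld run that applies BSD.root.dist with `mtree -eU -f /etc/mtree/BSD.root.dist -p /`), so systems upgraded by other means keep their existing 0755 /root; given that the log leaves `Relnotes:` as "sure?", a definite relnotes/UPDATING entry telling administrators to re-apply the spec or chmod /root by hand would close that gap. Also, the "wheel group is still permitted" property in the log depends on the directory's group, which this line does not set; adding `gname=wheel` next to `mode=0750` makes the intended 0750-with-wheel default explicit rather than inherited from the file's /set defaults.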


Recent CIS benchmarks recommend 0700.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

	The need of the many outweighs the greed of the few.
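As an added audit check (not code from the commit or from this reply): a POSIX sh function that classifies a directory's permission bits, so an administrator can verify whether /root on an existing install already matches the 0750 default committed here or the 0700 the reply says recent CIS benchmarks recommend. It parses `ls -ld` output rather than stat(1), whose flags differ between BSD and GNU; the directories and modes in the demo are constructed under a temp directory and never touch the real /root.

```shell
#!/bin/sh
# Added example, not part of the r361791 commit or this thread.
# Classify a directory's mode by its group/other bits, using only
# POSIX ls(1) output so it runs unchanged on FreeBSD and Linux.

# perm_string DIR -> prints the 9-character rwx string, e.g. "rwxr-x---"
# (ls -ld prints "drwxr-x---"; column 1 is the type, 2-10 are the bits;
#  a trailing "+" for ACLs, if present, falls outside the cut range).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# dir_class DIR -> prints one of:
#   world : some "other" bit set  (the pre-r361791 FreeBSD 0755 default)
#   group : no other bits, some group bits (the new mode=0750 default)
#   owner : owner-only            (the 0700 that CIS is said to recommend)
# Returns 1 for "world", 0 otherwise, 2 if DIR cannot be listed.
# A sticky bit without x shows as "T" in the other column and is
# deliberately treated as a set bit, i.e. reported as "world".
dir_class() {
    p=$(perm_string "$1") || return 2
    [ -n "$p" ] || return 2
    group=$(printf '%s' "$p" | cut -c4-6)
    other=$(printf '%s' "$p" | cut -c7-9)
    case "$other" in
        ---) ;;
        *) echo world; return 1 ;;
    esac
    case "$group" in
        ---) echo owner ;;
        *)   echo group ;;
    esac
    return 0
}

# Demo on constructed directories (hypothetical modes, temp dir only).
demo() {
    t=$(mktemp -d) || return 1
    for m in 0755 0750 0700; do
        mkdir "$t/$m" && chmod "$m" "$t/$m"
        printf '%s -> %s\n' "$m" "$(dir_class "$t/$m")"
    done
    rm -rf "$t"
}
demo
```

`dir_class /root` on a system upgraded in place is the quick way to tell whether the new default has actually been applied: the mtree entry only changes directories when the spec is applied to the tree, so an older install can still report `world` after this commit.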