From: "Garance A Drosehn"
To: "Gordon Bergling"
Cc: freebsd-hackers@freebsd.org
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
Date: Thu, 30 Jan 2020 10:31:03 -0500

On 29 Jan 2020, at 4:26, Gordon Bergling via freebsd-hackers wrote:

> Hi,
>
> I recently stumbled upon the default world readable permissions of /root and
> /etc/sysctl.conf. I think that it would be more secure to reduce the default
> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>
> I prepared a differential for the proposed change:
> https://reviews.freebsd.org/D23392
>
> What do you think?

I wouldn't change /etc/sysctl.conf. If others think it should be changed
then I wouldn't object, but I think the permissions are fine as they are.

I do think that userid root's home directory does not need to be RX for
others, but it seems fine to me if it is RX for group wheel. If you can't
trust the users who you have added to group 'wheel', then you've got many
other issues to worry about.

On my own machines, I usually do change the permissions of /root to be 750,
although I see that I forgot to do that on the two new servers that I built
just last month!

-- 
Garance Alistair Drosehn = drosih@rpi.edu
Lead Developer @rpi and gad@FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
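
The modes discussed in this thread (0700 and 0750 for /root) can be audited as a permission ceiling. The following is an added example, not part of the original message or of the FreeBSD tree; the function names `mode_of` and `within_ceiling` are hypothetical.

```shell
#!/bin/sh
# Added example: check that a path grants no permission bit beyond a ceiling.
# Function names are hypothetical; modes (0700, 0750) are those in the thread.

# Print the octal permission bits of $1.
# GNU stat uses -c '%a'; BSD stat (FreeBSD) uses -f '%Lp'.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if every permission bit set on $1 is also set in ceiling $2.
# Return 1 (and report the extra bits) if the path is more permissive,
# 2 if the path cannot be examined.
within_ceiling() {
    mode=$(mode_of "$1") || return 2
    # A leading 0 makes the shell read both values as octal.
    extra=$(( 0$mode & ~0$2 ))
    if [ "$extra" -ne 0 ]; then
        printf '%s: mode %s exceeds ceiling %s (extra bits %o)\n' \
            "$1" "$mode" "$2" "$extra"
        return 1
    fi
    return 0
}

# Typical use on a host, run by an administrator:
#   within_ceiling /root 0750   # owner rwx, group wheel r-x, others nothing
#   within_ceiling /root 0700   # the stricter mode proposed in the review
```

A directory at 0700 passes a 0750 ceiling, so the check accepts either of the two settings discussed for /root while flagging anything readable or searchable by others.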