Date: Fri, 5 Jun 2020 07:03:53 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: Alexey Dokuchaev <danfe@freebsd.org>
Cc: Cy Schubert <Cy.Schubert@cschubert.com>, Conrad Meyer <cem@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r361791 - head/etc/mtree
Message-ID: <202006051403.055E3rDO030893@gndrsh.dnsmgr.net>
In-Reply-To: <20200605071240.GA98879@FreeBSD.org>

> On Thu, Jun 04, 2020 at 09:19:35AM -0700, Cy Schubert wrote:
> > In message <202006041604.054G4KAb098395@repo.freebsd.org>, Conrad Meyer
> > writes:
> > > New Revision: 361791
> > > URL: https://svnweb.freebsd.org/changeset/base/361791
> > >
> > > Log:
> > > Restrict default /root permissions
> > >
> > > ...
> > > @@ -117,7 +117,7 @@ > > > .. > > > rescue > > > .. > > > - root > > > + root mode=0750 > > > ..
> >
> > Recent CIS benchmarks recommend 0700.

Can you provide a pointer? I would like to understand how they came
to the conclusion that 0700 is more secure than 0750. I can only think
of one situation, in which a member of group wheel does not know the
password for root.

>
> Please, let's keep a reasonable balance between security and usability.
> I often visit /root as a regular user (wheel'ed), and 0700 would make
> it a real PITA.

IIRC there is a review and long discussion on this already...

> ./danfe

-- 
Rod Grimes                                 rgrimes@freebsd.org
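
Review bot: On the "+ root mode=0750" line, the group r-x bits are granted to whatever gname this entry inherits, and that is not visible in the hunk's context. Since the thread weighs 0750 against 0700 precisely on group (wheel) access, consider stating the group on the entry itself, or recording in the log why group access is kept. The quoted log shows only the summary "Restrict default /root permissions" before the elision, so neither the previous effective mode nor the rationale for choosing 0750 is on record in what is quoted here.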