From: "Rodney W. Grimes"
Message-Id: <202001302119.00ULJn4Q070746@gndrsh.dnsmgr.net>
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
To: Wojciech Puchar
Date: Thu, 30 Jan 2020 13:19:49 -0800 (PST)
CC: Ryan Stone, FreeBSD Hackers, Gordon Bergling
List-Id: Technical Discussions relating to FreeBSD

>
>
> On Wed, 29 Jan 2020, Ryan Stone wrote:
>
> > On Wed, Jan 29, 2020 at 4:26 AM Gordon Bergling via freebsd-hackers
> > wrote:
> >>
> >> Hi,
> >>
> >> I recently stumbled upon the default world readable permissions of /root and
> >> /etc/sysctl.conf. I think that it would be more secure to reduce the default
> >> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
> >
> > I don't see the point in making this change to sysctl.conf. sysctls
> > are readable by any user. Hiding the contents of sysctl.conf does not
> > prevent unprivileged users from seeing what values have been changed
> > from the defaults; it merely makes it more tedious.
> true. but /root should be root only readable

Based on what? What security does this provide to what part of the system?
Why should it not also be group wheel readable?
Why should a member of wheel have to su to ls /root?

--
Rod Grimes                                                 rgrimes@freebsd.org
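
The modes debated in this thread (0700 versus group- or world-readable for /root, 0600 versus world-readable for /etc/sysctl.conf) can be checked on a running system. The script below is an added example, not part of any message in the thread; the function names `has_bits` and `read_exposure` are made up for illustration.

```shell
#!/bin/sh
# Added example: which permission classes beyond the owner can read a path.
# Uses only POSIX find(1)/ls(1), so it behaves the same on FreeBSD and Linux.

# has_bits PATH OCTAL: succeeds if every bit in OCTAL is set on PATH itself.
has_bits() {
    [ -n "$(find "$1" -prune -perm -"$2" -print 2>/dev/null)" ]
}

# read_exposure PATH: prints "none", "group", "other" or "group other"
# (or "missing" when PATH does not exist).
read_exposure() {
    if [ ! -e "$1" ]; then echo "missing"; return 0; fi
    exposure=""
    if has_bits "$1" 040; then exposure="group"; fi
    if has_bits "$1" 004; then exposure="${exposure:+$exposure }other"; fi
    echo "${exposure:-none}"
}

# Paths discussed in the thread; owner:group shows whether "group" means wheel.
for p in /root /etc/sysctl.conf; do
    [ -e "$p" ] || continue
    printf '%s %s read-by=%s\n' "$p" \
        "$(ls -ld "$p" | awk '{print $3 ":" $4}')" "$(read_exposure "$p")"
done
```

A result of `none` for /root means a member of wheel has to su before listing it; `group` with owner:group `root:wheel` is the group-readable arrangement asked about above.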