From owner-freebsd-hackers@freebsd.org  Fri Jan 31 08:10:54 2020
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9B095237B5A
 for <freebsd-hackers@mailman.nyi.freebsd.org>;
 Fri, 31 Jan 2020 08:10:54 +0000 (UTC)
 (envelope-from wojtek@puchar.net)
Received: from puchar.net (puchar.net [194.1.144.90])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4888zx1ykhz4GCs
 for <freebsd-hackers@freebsd.org>; Fri, 31 Jan 2020 08:10:52 +0000 (UTC)
 (envelope-from wojtek@puchar.net)
Received: Received: from 127.0.0.1 (localhost [127.0.0.1])
 by puchar.net (8.15.2/8.15.2) with ESMTPS id 00V8Akdb059486
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Fri, 31 Jan 2020 09:10:47 +0100 (CET)
 (envelope-from puchar-wojtek@puchar.net)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=puchar.net;
 s=default; t=1580458247;
 bh=ojTuzh1TtTZoVQOIhSVZHjZw74sKR6Mpv8+EI7k2NpE=;
 h=Date:From:To:cc:Subject:In-Reply-To:References;
 b=quwhyLbAlXCJ0mzTQ7vttcyf/Wg5RCDe6BOoQILlVU2jVKgmJqjdLQgWJ4jdpQ75D
 0IdnDYm074meOv1pzrZHcPhzVp1fzPS3xebFvtUjxtu7eLuD74M0UJUwLje9KQuOmz
 dcNhFVtr2bFRYwZuKTifmbGdXCtVqpzI3uXg6nn0=
Received: from localhost (puchar-wojtek@localhost)
 by puchar.net (8.15.2/8.15.2/Submit) with ESMTP id 00V8AkDn059483;
 Fri, 31 Jan 2020 09:10:46 +0100 (CET)
 (envelope-from puchar-wojtek@puchar.net)
Date: Fri, 31 Jan 2020 09:10:46 +0100 (CET)
From: Wojciech Puchar <wojtek@puchar.net>
To: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
cc: Wojciech Puchar <wojtek@puchar.net>,
 FreeBSD Hackers <freebsd-hackers@freebsd.org>,
 Gordon Bergling <gbergling@googlemail.com>, Ryan Stone <rysto32@gmail.com>
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
In-Reply-To: <202001302119.00ULJn4Q070746@gndrsh.dnsmgr.net>
Message-ID: <alpine.BSF.2.20.2001310910280.59314@puchar.net>
References: <202001302119.00ULJn4Q070746@gndrsh.dnsmgr.net>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-Rspamd-Queue-Id: 4888zx1ykhz4GCs
X-Spamd-Bar: ---
Authentication-Results: mx1.freebsd.org;
 dkim=fail (rsa verify failed) header.d=puchar.net header.s=default
 header.b=quwhyLbA; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of wojtek@puchar.net designates 194.1.144.90
 as permitted sender) smtp.mailfrom=wojtek@puchar.net
X-Spamd-Result: default: False [-3.88 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; FROM_HAS_DN(0.00)[];
 R_SPF_ALLOW(-0.20)[+mx];
 R_DKIM_REJECT(1.00)[puchar.net:s=default];
 MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[puchar.net];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCPT_COUNT_FIVE(0.00)[5];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[];
 DKIM_TRACE(0.00)[puchar.net:-];
 RCVD_IN_DNSWL_NONE(0.00)[90.144.1.194.list.dnswl.org : 127.0.10.0];
 IP_SCORE(-2.59)[ip: (-6.84), ipnet: 194.1.144.0/24(-3.42), asn: 43476(-2.73),
 country: PL(0.07)]; FROM_EQ_ENVFROM(0.00)[];
 MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[];
 ASN(0.00)[asn:43476, ipnet:194.1.144.0/24, country:PL];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 08:10:54 -0000

>>> I don't see the point in making this change to sysctl.conf.  sysctls
>>> are readable by any user.  Hiding the contents of sysctl.conf does not
>>> prevent unprivileged users from seeing what values have been changed
>>> from the defaults; it merely makes it more tedious.
>> true. but /root should be root only readable
>
> Based on what?  What security does this provide to what part of the system?
based on common sense