Date: Fri, 31 Jan 2020 19:17:00 +0100 From: Steffen Nurpmeso <steffen@sdaoden.eu> To: Lars Engels <lme@freebsd.org> Cc: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, FreeBSD Hackers <freebsd-hackers@freebsd.org>, Gordon Bergling <gbergling@googlemail.com>, Ryan Stone <rysto32@gmail.com>, Wojciech Puchar <wojtek@puchar.net> Subject: Re: More secure permissions for /root and /etc/sysctl.conf Message-ID: <20200131181700.Sn-C1%steffen@sdaoden.eu> In-Reply-To: <20200131161347.GA33086@e.0x20.net> References: <alpine.BSF.2.20.2001310910280.59314@puchar.net> <202001311025.00VAPZts072995@gndrsh.dnsmgr.net> <20200131161347.GA33086@e.0x20.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Lars Engels wrote in <20200131161347.GA33086@e.0x20.net>: |On Fri, Jan 31, 2020 at 02:25:35AM -0800, Rodney W. Grimes wrote: |>>>>> I don't see the point in making this change to sysctl.conf. sysctls |>>>>> are readable by any user. Hiding the contents of sysctl.conf \ |>>>>> does not |>>>>> prevent unprivileged users from seeing what values have been changed |>>>>> from the defaults; it merely makes it more tedious. |>>>> true. but /root should be root only readable |>>> |>>> Based on what? What security does this provide to what part of \ |>>> the system? |>> based on common sense |> |> Who's common sense, as mine and some others say this is an unneeded |> change with no technical merit. |> |> You have provided no technical reasons for your requested change, |> yet others have presented technical reasons to not make it, |> so to try and base a support position on "common sense" is kinda moot. |> |> We actually discussed this at dinner tonight and no one could come up |> with a good reason to lock /root down in such a manner unless someone |> was storing stuff in /root that should probably not really be stored |> there. Ie, there is a bigger problem than chmod 750 /root is going to |> fix. | |/root can store config files and shell history with confidential |information. Absolutely. My own /root is in fact shared in between many systems, and many scripts from /etc/ reach into /root/$HOSTNAME/, with some generics in /root/. Practically all of that is Linux though. But it is very nice, since i can share very, very much, and even the hostname= comes from kernel command line parameter, and multiplexes to entirely different setups. efibootmgr is cool, by the way. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200131181700.Sn-C1%steffen>