From: "Rodney W. Grimes"
Message-Id: <202001312146.00VLkuan075352@gndrsh.dnsmgr.net>
Subject: Re: More secure permissions for /root and /etc/sysctl.confg
In-Reply-To: <20200131181700.Sn-C1%steffen@sdaoden.eu>
To: Steffen Nurpmeso
Date: Fri, 31 Jan 2020 13:46:55 -0800 (PST)
CC: Lars Engels, FreeBSD Hackers, Gordon Bergling, "Rodney W. Grimes", Ryan Stone, Wojciech Puchar

> Lars Engels wrote in <20200131161347.GA33086@e.0x20.net>:
> |On Fri, Jan 31, 2020 at 02:25:35AM -0800, Rodney W. Grimes wrote:
> |>>>>> I don't see the point in making this change to sysctl.conf. sysctls
> |>>>>> are readable by any user. Hiding the contents of sysctl.conf does not
> |>>>>> prevent unprivileged users from seeing what values have been changed
> |>>>>> from the defaults; it merely makes it more tedious.
> |>>>> true. but /root should be root only readable
> |>>>
> |>>> Based on what? What security does this provide to what part of
> |>>> the system?
> |>> based on common sense
> |>
> |> Whose common sense, as mine and some others say this is an unneeded
> |> change with no technical merit.
> |>
> |> You have provided no technical reasons for your requested change,
> |> yet others have presented technical reasons to not make it,
> |> so to try and base a support position on "common sense" is kinda moot.
> |>
> |> We actually discussed this at dinner tonight and no one could come up
> |> with a good reason to lock /root down in such a manner unless someone
> |> was storing stuff in /root that should probably not really be stored
> |> there. I.e., there is a bigger problem than chmod 750 /root is going to
> |> fix.
> |
> |/root can store config files and shell history with confidential
> |information.
>
> Absolutely. My own /root is in fact shared in between many
> systems, and many scripts from /etc/ reach into /root/$HOSTNAME/,
> with some generics in /root/. Practically all of that is Linux
> though. But it is very nice, since I can share very, very much,
> and even the hostname= comes from kernel command line parameter,
> and multiplexes to entirely different setups.

This is one of those cases that I mention of probably doing something
outside the norm. Your example of a shared /root for me is a bad idea,
as if your shared /root should become unavailable or worse deadlocked
you're now in a login lockout situation to the very account you probably
need to repair the problem. My preferred solution for what you have done
is to add a private local /nodedata/$HOSTNAME hierarchy.

> efibootmgr is cool, by the way.
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

-- 
Rod Grimes                                                 rgrimes@freebsd.org
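The concern in the thread is less the mode of /root itself than the shell history and config files stored inside it. The following is an added shell example, not code from the thread or from FreeBSD: it reports whether a root home directory is traversable by non-root users and lists every regular file inside it with a group or world read bit set. The function names are mine; it assumes a POSIX sh and a find that accepts symbolic modes in -perm (GNU and BSD find both do).

```shell
#!/bin/sh
# Added example (not from the thread): audit a root home directory for what
# a non-root user could actually read. "chmod 750 /root" only blocks
# traversal; files inside with g/o read bits still leak through backups,
# copies, or a later chmod, so both aspects are reported.
# Usage: sh audit_root.sh [DIR]   (DIR defaults to /root)

# Print "traversable" if group or others have the search (x) bit on $1,
# otherwise "private". Without x, non-root users cannot reach files inside.
dir_exposure() {
    if [ -n "$(find "$1" -prune \( -perm -g+x -o -perm -o+x \) -print 2>/dev/null)" ]; then
        echo traversable
    else
        echo private
    fi
}

# Print every regular file under $1 that group or others may read.
exposed_files() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null
}

# Print the number of exposed files under $1 as a bare integer.
# (tr strips the leading spaces BSD wc emits.)
count_exposed() {
    exposed_files "$1" | wc -l | tr -d ' '
}

# Human-readable report for one directory.
audit_root_home() {
    dir=${1:-/root}
    echo "$dir is $(dir_exposure "$dir") by non-root users"
    exposed_files "$dir" | while IFS= read -r f; do
        echo "  group/world readable: $f"
    done
    echo "  $(count_exposed "$dir") file(s) under $dir readable by non-root"
}

audit_root_home "${1:-/root}"
```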