Date:      Fri, 31 Jan 2020 13:46:55 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To:        Steffen Nurpmeso <steffen@sdaoden.eu>
Cc:        Lars Engels <lme@freebsd.org>, FreeBSD Hackers <freebsd-hackers@freebsd.org>, Gordon Bergling <gbergling@googlemail.com>, "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, Ryan Stone <rysto32@gmail.com>, Wojciech Puchar <wojtek@puchar.net>
Subject:   Re: More secure permissions for /root and /etc/sysctl.confg
Message-ID:  <202001312146.00VLkuan075352@gndrsh.dnsmgr.net>
In-Reply-To: <20200131181700.Sn-C1%steffen@sdaoden.eu>

> Lars Engels wrote in <20200131161347.GA33086@e.0x20.net>:
>  |On Fri, Jan 31, 2020 at 02:25:35AM -0800, Rodney W. Grimes wrote:
>  |>>>>> I don't see the point in making this change to sysctl.conf.  sysctls
>  |>>>>> are readable by any user.  Hiding the contents of sysctl.conf does not
>  |>>>>> prevent unprivileged users from seeing what values have been changed
>  |>>>>> from the defaults; it merely makes it more tedious.
>  |>>>> true. but /root should be root only readable
>  |>>>
>  |>>> Based on what?  What security does this provide to what part of the system?
>  |>> based on common sense
>  |> 
>  |> Whose common sense, as mine and some others say this is an unneeded
>  |> change with no technical merit.
>  |> 
>  |> You have provided no technical reasons for your requested change,
>  |> yet others have presented technical reasons to not make it,
>  |> so to try and base a support position on "common sense" is kinda moot.
>  |> 
>  |> We actually discussed this at dinner tonight and no one could come up
>  |> with a good reason to lock /root down in such a manner unless someone
>  |> was storing stuff in /root that should probably not really be stored
>  |> there.  Ie, there is a bigger problem than chmod 750 /root is going to
>  |> fix.
>  |
>  |/root can store config files and shell history with confidential
>  |information.
> 
> Absolutely.  My own /root is in fact shared in between many
> systems, and many scripts from /etc/ reach into /root/$HOSTNAME/,
> with some generics in /root/.  Practically all of that is Linux
> though.  But it is very nice, since i can share very, very much,
> and even the hostname= comes from kernel command line parameter,
> and multiplexes to entirely different setups.

This is one of those cases that I mention of probably doing something
outside the norm.  Your example of shared /root for me is a bad idea,
as if your shared /root should become unavailable or worse deadlocked
you're now in a login lockout situation to the very account you probably
need to repair the problem.

My preferred solution of what you have done is to add a private local
/nodedata/$HOSTNAME hierarchy.

> 
> efibootmgr is cool, by the way.
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

-- 
Rod Grimes                                                 rgrimes@freebsd.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202001312146.00VLkuan075352>