From owner-freebsd-hackers@freebsd.org Sun Feb 2 13:58:14 2020 Return-Path: Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A787C22EED6 for ; Sun, 2 Feb 2020 13:58:14 +0000 (UTC) (envelope-from SRS0=tzhe=3W=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 489Xbn5l8pz49Jk for ; Sun, 2 Feb 2020 13:58:13 +0000 (UTC) (envelope-from SRS0=tzhe=3W=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 2FBE728417; Sun, 2 Feb 2020 14:58:11 +0100 (CET) Received: from illbsd.quip.test (ip-62-24-92-232.net.upcbroadband.cz [62.24.92.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 47D2A28429; Sun, 2 Feb 2020 14:58:09 +0100 (CET) Subject: Re: More secure permissions for /root and /etc/sysctl.conf To: Ben Woods , "Rodney W. Grimes" Cc: FreeBSD Hackers , Gordon Bergling , Ryan Stone , Wojciech Puchar References: <4584E3BE-F412-4902-AFB9-CAE88D660ED1@googlemail.com> <202002011904.011J4rBB079499@gndrsh.dnsmgr.net> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <616e8222-a377-fdf0-bf55-79e73a509065@quip.cz> Date: Sun, 2 Feb 2020 14:58:09 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 489Xbn5l8pz49Jk X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=tzhe=3W=quip.cz=000.fbsd@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=tzhe=3W=quip.cz=000.fbsd@elsa.codelab.cz X-Spamd-Result: default: False [3.68 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; IP_SCORE(0.86)[ip: (0.34), ipnet: 94.124.104.0/21(0.17), asn: 42000(3.69), country: CZ(0.09)]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[quip.cz]; AUTH_NA(1.00)[]; RCPT_COUNT_FIVE(0.00)[6]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_SPAM_MEDIUM(0.62)[0.623,0]; NEURAL_SPAM_LONG(1.00)[0.999,0]; RCVD_IN_DNSWL_NONE(0.00)[4.105.124.94.list.dnswl.org : 127.0.10.0]; R_SPF_NA(0.00)[]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=tzhe=3W=quip.cz=000.fbsd@elsa.codelab.cz]; FREEMAIL_TO(0.00)[gmail.com]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=tzhe=3W=quip.cz=000.fbsd@elsa.codelab.cz]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Feb 2020 13:58:14 -0000 Ben Woods wrote on 2020/02/02 02:46: [...] > DragonFlyBSD 5.6.2 = 700 > HardenedBSD build 104 = 755 > NetBSD 9.0 RC1 = 755 > OpenBSD 6.6 = 700 > > For what it's worth, I am broadly supportive of this because I see no > reason for /root to be world readable. +1 I see no reason for world readable /root too. We always set user's homes to 0700 (subdirs of /usr/home). Miroslav Lachman