From owner-freebsd-hackers@freebsd.org Sun Feb 2 18:08:18 2020 Return-Path: Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 01C73235329 for ; Sun, 2 Feb 2020 18:08:18 +0000 (UTC) (envelope-from freebsd-rwg@gndrsh.dnsmgr.net) Received: from gndrsh.dnsmgr.net (br1.CN84in.dnsmgr.net [69.59.192.140]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 489f8J3Vfgz4SsK for ; Sun, 2 Feb 2020 18:08:15 +0000 (UTC) (envelope-from freebsd-rwg@gndrsh.dnsmgr.net) Received: from gndrsh.dnsmgr.net (localhost [127.0.0.1]) by gndrsh.dnsmgr.net (8.13.3/8.13.3) with ESMTP id 012I8D9W083836; Sun, 2 Feb 2020 10:08:13 -0800 (PST) (envelope-from freebsd-rwg@gndrsh.dnsmgr.net) Received: (from freebsd-rwg@localhost) by gndrsh.dnsmgr.net (8.13.3/8.13.3/Submit) id 012I8CNm083835; Sun, 2 Feb 2020 10:08:12 -0800 (PST) (envelope-from freebsd-rwg) From: "Rodney W. Grimes" Message-Id: <202002021808.012I8CNm083835@gndrsh.dnsmgr.net> Subject: Re: More secure permissions for /root and /etc/sysctl.conf In-Reply-To: <616e8222-a377-fdf0-bf55-79e73a509065@quip.cz> To: Miroslav Lachman <000.fbsd@quip.cz> Date: Sun, 2 Feb 2020 10:08:12 -0800 (PST) CC: Ben Woods , "Rodney W. Grimes" , FreeBSD Hackers , Gordon Bergling , Ryan Stone , Wojciech Puchar X-Mailer: ELM [version 2.4ME+ PL121h (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII X-Rspamd-Queue-Id: 489f8J3Vfgz4SsK X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of freebsd-rwg@gndrsh.dnsmgr.net has no SPF policy when checking 69.59.192.140) smtp.mailfrom=freebsd-rwg@gndrsh.dnsmgr.net X-Spamd-Result: default: False [-0.05 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.78)[-0.784,0]; FROM_HAS_DN(0.00)[]; IP_SCORE(0.03)[ip: (0.13), ipnet: 69.59.192.0/19(0.07), asn: 13868(0.03), country: US(-0.05)]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[dnsmgr.net]; AUTH_NA(1.00)[]; NEURAL_HAM_LONG(-0.20)[-0.199,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; RCPT_COUNT_SEVEN(0.00)[7]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:13868, ipnet:69.59.192.0/19, country:US]; FREEMAIL_CC(0.00)[gmail.com]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Feb 2020 18:08:18 -0000 [ Charset UTF-8 unsupported, converting... ] > Ben Woods wrote on 2020/02/02 02:46: > > [...] > > DragonFlyBSD 5.6.2 = 700 > > HardenedBSD build 104 = 755 > > NetBSD 9.0 RC1 = 755 > > OpenBSD 6.6 = 700 > > > > For what it's worth, I am broadly supportive of this because I see no > > reason for /root to be world readable. > > +1 > > I see no reason for world readable /root too. > We always set user's homes to 0700 (subdirs of /usr/home). Who is "We" in this context? FreeBSD's default for home directories is 755. And as I have stated before anyone who is taking group rx off of /root is fooling themselves as that just creates pain for members of group wheel who now needlessly need to su to see /root's files. If you have issues with group wheel being able to read /root you have far far bigger problems that need addressed than a simple chmod g-rw /root is going to fix. -- Rod Grimes rgrimes@freebsd.org