From owner-freebsd-security Wed Apr 18 12:16: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id EB98737B423 for ; Wed, 18 Apr 2001 12:16:02 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 3322 invoked by uid 0); 18 Apr 2001 19:16:00 -0000 Received: from p3ee2160d.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.13) by mail.gmx.net (mp007-rz3) with SMTP; 18 Apr 2001 19:16:00 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA10335 for freebsd-security@freebsd.org; Wed, 18 Apr 2001 21:04:25 +0200 Date: Wed, 18 Apr 2001 21:04:25 +0200 From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: /root and users home dir permissions Message-ID: <20010418210425.S20830@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <20010418173927.A64529@icon.icon.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20010418173927.A64529@icon.icon.bg>; from v0rbiz@icon.bg on Wed, Apr 18, 2001 at 05:39:27PM +0300 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 18, 2001 at 17:39 +0300, Victor Ivanov wrote: > > I noticed /root is installed with mode=0755 (and updated every > time by installworld). It's the root home directory... some > admins (like me) are using it for keeping sensitive data away > from regular users. Shouldn't it be mode=0700 in > /etc/mtree/BSD.root.dist? a+rx on /root only means that this very directory can be listed and entered by anybody. There might be valid reasons for doing this (dotfiles to derive from? config files in copied form which are of general interest? although I don't think root should have a public_html tree. But definitely some people feel that /root should be 0755 -- otherwise the mtree config file would look different:). What keeps you from putting sensitive data into a directory one level deeper? It's basically what you do as a regular user, too. You simply keep the secret stuff away while still allowing access to the public and non sensitive stuff. > Also, when adding new users their home directories should be > protected the same way. Am I wrong? Yes. :) I've just been through it after moving to another server. People don't like getting stopped from looking at others' config skeletons and public data. And everyone quickly went to open up their $HOME. Maybe 711 would be more appropriate. Those who know where they want to go or which file they want to look at are free to do so (assuming the subdir or file is executable / readable). While those with no direction cannot list the content and look out for what could be of interest. But I'm afraid any configuration (completely closed, completely open, as well as between) will have opponents ... virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message