Date: Tue, 6 May 2008 13:05:06 -0400 (EDT)
From: doug@safeport.com
To: Mario Vazquez
Cc: freebsd-questions@FreeBSD.ORG
Subject: RE: Question about a recent installation
Message-ID: <20080506124939.N32039@pemaquid.safeport.com>

>> On Mon, 5 May 2008, Mario Vazquez wrote:
>>
>>>
>>> I have been using different Linux distributions for some years, and decided to
>>> give FreeBSD a try. The install was successful, but have a question about how
>>> the root account is made. Found that the root folder was created with the
>>> user/group privileges root:wheel. Is not that a kind of security risk? I
>>> know that usually only the account used by the administrator is the one, in
>>> addition to root, that belongs to the wheel group. But also I know that
>>> sometimes admins get lazy and give for limited time extra privileges just to
>>> allow someone to do something, and that's where the danger can come. Btw,
>>> that's just my opinion.
>>
>> To give limited privileges I think sudo (as in Linux??) would be used.
>> If that does not provide enough security then kerberos could be used.
>>
>> In general I don't see how your main concern is unique to FreeBSD.
>>
>> DougD
>
> yeah, sudo is. I don't have any issue in terms of functionality. But the
> doubt I have is if having the root folder created with ownership root:wheel
> can become a security issue or not. Also would like to know if there is no
> problem changing my root folder ownership to root:root (which will require a
> root group btw).

Please do not top post.

There is no reason for a root group. I think best practice is to have each
admin keep their data in their accounts which are either allocated as
name:wheel or they are defined as being in the wheel group. I do not know if
sudo requires wheel membership.

I do not understand the need for a root group. I think security liabilities
from having a wheel group have long been worked out. What do you see as a
problem? Is BSD different from Linux in this regard? Perhaps the latter
question is an off-list topic.

_____
Douglas Denault
http://www.safeport.com
doug@safeport.com
Voice: 301-469-8766
Fax: 301-469-0601