Date: Fri, 28 Jun 2013 01:47:51 +0200
From: "Julian H. Stacey" <jhs@berklix.com>
To: ASV <asv@inhio.eu>
Cc: Polytropon <freebsd@edvax.de>, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: A very 'trivial' question about /root
Message-ID: <201306272347.r5RNlpgG096631@fire.js.berklix.net>
In-Reply-To: Your message "Thu, 27 Jun 2013 21:39:20 +0200." <1372361960.6831.24.camel@blackfriar.inhio.eu>

Hi,
Reference:
> From: ASV <asv@inhio.eu>
> Date: Thu, 27 Jun 2013 21:39:20 +0200

ASV wrote:
> Thanks for your reply Polytropon,
>
> I'm using FreeBSD since few years already and I'm kind of aware of the
> "dynamics" related to permissions, many of them are common to many
> Unices.
> I agree that the installer doesn't put anything secret but as a home dir
> for the root user it's highly likely that something not intended to be
> publicly readable will end up there soon after the installation.
> Which IMHO it's true also for any other user homedir which gets created
> by default using a pretty relaxed umask 022, but that seems to be the
> default on probably any other UNIX like system I've put my hands on
> AFAIR.
>
> Don't get me wrong, since I use FreeBSD I'm just in love with it. Mine
> is just a concern about these permission defaults which look to me a bit
> too relaxed and cannot find yet a reason why not to restrict it.
> After all I believe having good default settings may make the difference
> in some circumstances and/or save time.
>
> On Thu, 2013-06-27 at 04:58 +0200, Polytropon wrote:
> > On Wed, 26 Jun 2013 23:34:41 +0200, ASV wrote:
> > > There's any reason (and should be a fairly good one) why the /root
> > > directory permissions by default are set to 755 (for sure on releases
> > > 8.0/8.1/9.0/9.1)????
> >
> > This is the default permission for user directories, as root
> > is considered a user in this (special) case, and /root is its
> > home directory. The installer does not put anything "secret"
> > in there, but _you_ might, so there should be no issue changing
> > it to a more restricted access permission.
> >
> > Hint: When a directory is r-x for "other", then it will be
> > indexed by the locate periodic job, so users could use the
> > locate command (and also find) to look what's in there. If
> > this is not desired, change to rwx/---/---, or rwx/r-x/---
> > if you want to allow (trusted) users of the "wheel" group
> > to read and execute stuff from that directory (maybe homemade
> > admin scripts in /root/bin that should not be "public").
> >
> > There are few things that touch /root content. System updating
> > might be one of them, but as it is typically run as root (and
> > even in SUM), restrictive permissions above the default are
> > no problem.
> >
> > To summarize the answer for your question: It's just the default. :-)

I'll play Devil's advocate for a moment ;-)

One reason not to tighten ~root is because one might want
~root/httpuserfile to be readable by httpd to access the crypted
passwords of locked web page. ... ;-)

No not really, that's perverted, I wouldn't recommend an
http://localhost/~root/ regardless of password locked pages or not.

But it shows how lateral head scratching might be appropriate before
removing read perms on ~root/ .
{ A bit like wrong ownership on / can surprisingly kill AMD NFS access }
... some unexpected constraints can take some thinking through,

It might be quickest for a number of us to just try
	chmod 700 ~root
for a while & see if we get trouble.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script. Indent old text with "> ".
 Send plain text. No quoted-printable, HTML, base64, multipart/alternative.
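
The permission choices discussed in this thread (755 versus 750 or 700 on /root, and the umask 022 default), as an added example that is not part of the e-mail: a portable sh audit that classifies a directory by who besides the owner can access it, and shows the mode a new directory gets under a given umask. The function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit home-directory modes.
# ls -ld is parsed instead of stat(1) because stat's flags differ
# between FreeBSD and GNU systems.

# Print the 10-character type+permission string, e.g. "drwxr-xr-x".
dir_mode() {
    [ -d "$1" ] || return 2
    ls -ld -- "$1" | awk '{ print substr($1, 1, 10) }'
}

# Classify who besides the owner has any access to directory $1.
classify_dir() {
    mode=$(dir_mode "$1") || return 2
    # Map setgid/sticky letters back to plain x or - before comparing.
    group=$(printf '%s' "$mode" | cut -c5-7 | tr 'sS' 'x-')
    other=$(printf '%s' "$mode" | cut -c8-10 | tr 'tT' 'x-')
    if [ "$other" != "---" ]; then
        echo "world-accessible"    # e.g. 755, the default discussed above
    elif [ "$group" != "---" ]; then
        echo "group-accessible"    # e.g. 750, owner plus its group (wheel)
    else
        echo "owner-only"          # e.g. 700
    fi
}

# Show the mode a freshly created directory gets under umask $1.
mode_under_umask() {
    scratch=$(mktemp -d) || return 2
    ( umask "$1" && mkdir "$scratch/new" )
    dir_mode "$scratch/new"
    rm -rf "$scratch"
}

# Report mode, verdict and path for every directory given.
audit_dirs() {
    for d in "$@"; do
        printf '%s\t%s\t%s\n' "$(dir_mode "$d")" "$(classify_dir "$d")" "$d"
    done
}

# Stand-alone use: sh audit.sh /root /home/*
if [ "$#" -gt 0 ]; then
    audit_dirs "$@"
fi
```

Running it before and after a trial `chmod 700 ~root` shows the verdict change from world-accessible to owner-only.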