From owner-freebsd-questions@FreeBSD.ORG Thu Jun 27 23:48:24 2013
Message-Id: <201306272347.r5RNlpgG096631@fire.js.berklix.net>
To: ASV
Subject: Re: A very 'trivial' question about /root
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultancy, Munich Germany
User-agent: EXMH on FreeBSD http://berklix.com/free/
X-URL: http://www.berklix.com
In-reply-to: Your message "Thu, 27 Jun 2013 21:39:20 +0200."
        <1372361960.6831.24.camel@blackfriar.inhio.eu>
Date: Fri, 28 Jun 2013 01:47:51 +0200
Sender: jhs@berklix.com
Cc: Polytropon, freebsd-questions

Hi,
Reference:
> From: ASV
> Date: Thu, 27 Jun 2013 21:39:20 +0200

ASV wrote:
> Thanks for your reply Polytropon,
>
> I'm using FreeBSD since few years already and I'm kind of aware of the
> "dynamics" related to permissions, many of them are common to many
> Unices.
> I agree that the installer doesn't put anything secret but as a home dir
> for the root user it's highly likely that something not intended to be
> publicly readable will end up there soon after the installation.
> Which IMHO it's true also for any other user homedir which gets created
> by default using a pretty relaxed umask 022, but that seems to be the
> default on probably any other UNIX like system I've put my hands on
> AFAIR.
>
> Don't get me wrong, since I use FreeBSD I'm just in love with it. Mine
> is just a concern about these permission defaults which look to me a bit
> too relaxed and cannot find yet a reason why not to restrict it.
> After all I believe having good default settings may make the difference
> in some circumstances and/or save time.
>
> On Thu, 2013-06-27 at 04:58 +0200, Polytropon wrote:
> > On Wed, 26 Jun 2013 23:34:41 +0200, ASV wrote:
> > > There's any reason (and should be a fairly good one) why the /root
> > > directory permissions by default are set to 755 (for sure on releases
> > > 8.0/8.1/9.0/9.1)????
> >
> > This is the default permission for user directories, as root
> > is considered a user in this (special) case, and /root is its
> > home directory.
> > The installer does not put anything "secret"
> > in there, but _you_ might, so there should be no issue changing
> > it to a more restricted access permission.
> >
> > Hint: When a directory is r-x for "other", then it will be
> > indexed by the locate periodic job, so users could use the
> > locate command (and also find) to look what's in there. If
> > this is not desired, change to rwx/---/---, or rwx/r-x/---
> > if you want to allow (trusted) users of the "wheel" group
> > to read and execute stuff from that directory (maybe homemade
> > admin scripts in /root/bin that should not be "public").
> >
> > There are few things that touch /root content. System updating
> > might be one of them, but as it is typically run as root (and
> > even in SUM), restrictive permissions above the default are
> > no problem.
> >
> > To summarize the answer for your question: It's just the default. :-)

I'll play Devil's advocate for a moment ;-)
One reason not to tighten ~root is because one might want
~root/httpuserfile to be readable by httpd to access the crypted
passwords of locked web page. ... ;-)

No not really, that's perverted, I wouldn't recommend an
http://localhost/~root/ regardless of password locked pages or not.
But it shows how lateral head scratching might be appropriate before
removing read perms on ~root/ .

{ A bit like wrong ownership on / can surprisingly kill AMD NFS access }
... some unexpected constraints can take some thinking through,

It might be quickest for a number of us to just try chmod 700 ~root
for a while & see if we get trouble.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
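
An added example, not part of the original message or of FreeBSD itself: a POSIX sh check that classifies a home directory's mode the way the thread discusses it (755, 750, 700) and lists the files "other" can actually reach, which is the review worth doing before and after the `chmod 700 ~root` trial. The function names `home_exposure` and `exposed_files` are hypothetical, and the check assumes every ancestor of the directory is searchable by "other".

```shell
#!/bin/sh
# Added example: audit who can get into a home directory such as /root.
# Only POSIX find tests are used, so it behaves the same on FreeBSD and Linux.

# home_exposure DIR -> prints "other", "group" or "owner"
#   other: "other" has r or x (e.g. 755): any local user, and an indexing job
#          running unprivileged, can list or enter the directory
#   group: closed to "other", open to the group (e.g. 750 with group wheel)
#   owner: only the owner has access (e.g. 700)
home_exposure() {
    dir=$1
    [ -d "$dir" ] || { echo "not-a-directory"; return 1; }
    if [ -n "$(find "$dir" -prune \( -perm -004 -o -perm -001 \) -print)" ]; then
        echo other
    elif [ -n "$(find "$dir" -prune \( -perm -040 -o -perm -010 \) -print)" ]; then
        echo group
    else
        echo owner
    fi
}

# exposed_files DIR -> prints regular files under DIR that "other" can read.
# A directory without o+x is pruned, because nothing below it is reachable by
# "other" whatever the files' own modes are. With 700 on DIR the list is
# therefore empty even though files created under umask 022 stay 644.
# Assumption: all ancestors of DIR are searchable by "other".
exposed_files() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# Report on each directory given on the command line, e.g.: sh audit.sh /root
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(home_exposure "$d")"
    exposed_files "$d"
done
```

Run it once with the default mode and again after tightening; the difference between the two file lists is what the mode change withdrew from other users.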