From: "Julian H. Stacey"
Sender: jhs@berklix.com
To: freebsd-questions
Cc: Daniel Feenberg, jb, Polytropon, ASV
Subject: Re: A very 'trivial' question about /root
Date: Fri, 28 Jun 2013 15:25:44 +0200
Organization: http://berklix.com BSD Unix Linux Consultancy, Munich Germany
Message-Id: <201306281325.r5SDPitf054224@fire.js.berklix.net>
In-reply-to: Your message "Fri, 28 Jun 2013 10:10:02 +0200." <1372407002.6831.34.camel@blackfriar.inhio.eu>

Hi,
Reference:
> From:		ASV
> Date:		Fri, 28 Jun 2013 10:10:02 +0200

[ I jhs@ reverted asv@'s top post to bottom post ]

> On Fri, 2013-06-28 at 01:47 +0200, Julian H. Stacey wrote:
> > Hi,
> > Reference:
> > > From:		ASV
> > > Date:		Thu, 27 Jun 2013 21:39:20 +0200
> > 
> > ASV wrote:
> > > Thanks for your reply Polytropon,
> > > 
> > > I've been using FreeBSD for a few years already and I'm kind of aware of the
> > > "dynamics" related to permissions, many of them are common to many
> > > Unices.
> > > I agree that the installer doesn't put anything secret but as a home dir
> > > for the root user it's highly likely that something not intended to be
> > > publicly readable will end up there soon after the installation.
> > > Which IMHO is true also for any other user homedir which gets created
> > > by default using a pretty relaxed umask 022, but that seems to be the
> > > default on probably any other UNIX like system I've put my hands on
> > > AFAIR.
> > > 
> > > Don't get me wrong, since I use FreeBSD I'm just in love with it. Mine
> > > is just a concern about these permission defaults which look to me a bit
> > > too relaxed and I cannot find yet a reason why not to restrict it.
> > > After all I believe having good default settings may make the difference
> > > in some circumstances and/or save time.
> > > 
> > > On Thu, 2013-06-27 at 04:58 +0200, Polytropon wrote:
> > > > On Wed, 26 Jun 2013 23:34:41 +0200, ASV wrote:
> > > > > Is there any reason (and it should be a fairly good one) why the /root
> > > > > directory permissions by default are set to 755 (for sure on releases
> > > > > 8.0/8.1/9.0/9.1)????
> > > > 
> > > > This is the default permission for user directories, as root
> > > > is considered a user in this (special) case, and /root is its
> > > > home directory. The installer does not put anything "secret"
> > > > in there, but _you_ might, so there should be no issue changing
> > > > it to a more restricted access permission.
> > > > 
> > > > Hint: When a directory is r-x for "other", then it will be
> > > > indexed by the locate periodic job, so users could use the
> > > > locate command (and also find) to look what's in there. If
> > > > this is not desired, change to rwx/---/---, or rwx/r-x/---
> > > > if you want to allow (trusted) users of the "wheel" group
> > > > to read and execute stuff from that directory (maybe homemade
> > > > admin scripts in /root/bin that should not be "public").
> > > > 
> > > > There are few things that touch /root content. System updating
> > > > might be one of them, but as it is typically run as root (and
> > > > even in SUM), restrictive permissions above the default are
> > > > no problem.
> > > > 
> > > > To summarize the answer for your question: It's just the default. :-)
> > 
> > I'll play Devil's advocate for a moment ;-)
> > 
> > One reason not to tighten ~root is because one might want
> > ~root/httpuserfile to be readable by httpd to access the crypted
> > passwords of a locked web page. ... ;-)
> > 
> > No not really, that's perverted, I wouldn't recommend an
> > http://localhost/~root/ regardless of password locked pages or not.
> > 
> > But it shows how lateral head scratching might be
> > appropriate before removing read perms on ~root/ .
> > 
> > { A bit like wrong ownership on / can surprisingly kill AMD NFS
> > access } ... some unexpected constraints can take some thinking
> > through. It might be quickest for a number of us to just try chmod
> > 700 ~root for a while & see if we get trouble.
> > 
> > Cheers,
> > Julian

> ASV wrote:
> Hi Julian,
> you played Devil's advocate well actually as I don't know which idea
> would be more audacious, letting httpd access files from your root dir
> or exporting /root via nfs. :)
> Both of them sound more like a lab scenario than a real one.
> 
> I understand that launching a "chmod 700 /root" is a matter of
> something between 1 and 3 seconds. I do also understand that I had /root
> closed for a long time and never had the need to set permissions back
> loose and this triggered my point.
> Why is it that open? :)

Here is a patch:
  http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/etc/mtree/BSD.root.dist.REL=ALL.diff

Before we might ask (via send-pr) for it to be committed, we should,
various of us, run
	chmod 750 /root; chown root:wheel /root
& give it a couple of months to see if there are problems.

I doubt there will be a problem with /root/.forward , as
	lrwxr-xr-x  1 root  wheel  /usr/sbin/sendmail -> /usr/sbin/mailwrapper
	-r-xr-xr-x  1 root  wheel  /usr/sbin/mailwrapper

jb.1234abcd@gmail.com 's ref to
	https://bugzilla.redhat.com/show_bug.cgi?id=578470
relates to Linux upgrade procedures & /root. I don't see it affects
how we should perceive an idealised Unix.
( I'd guess OpenBSD might go for a tighter /root though, as they're
supposedly keen on security. )

Daniel Feenberg wrote:
> A diskless FreeBSD will use an NFS-mounted /root. See:
.............................................^.....
No, that spelling/phrase is misleading, better to say "an NFS-mounted
root", or "an NFS-mounted /". /root under / is merely a level one sub
directory, one down from the root = / directory of the mounted file
system, so "/root" has similar significance to its adjacent /lib* .
(Unfortunate we have the name root for 2 different things )

> http://www.freebsd.org/doc/handbook/network-diskless.html
There are no explicit references to "/root" there, I just read through,
just refs. to "root", a big difference.

> http://www.nber.org/sys-admin/FreeBSD-diskless.html
There is one reference to /root under "Other applications"
	"Some applications, such as grepmail put configuration, cache or
	other (sometimes hidden) files in the home directory of the user.
	These will fail for the root user whose home directory is /root."
The context of that web page does not affect this proposal.

BTW Daniel, I suggest you might cross ref your page with
network-diskless.html. Both an interesting lunch time read :-)

> if it leads to programs and daemons that
> would otherwise run as nobody having to run with root privileges.
Good point, we should be cautious, best if lots of us try chmod 750 /root
for a couple of months & see if any burnt fingers.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
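The check-and-tighten step the thread proposes (chmod 750 /root, chown root:wheel /root, then watch for breakage), as an added shell example that is not part of the mailing-list thread or of the referenced patch: it parses ls -ld output rather than stat(1) so it runs unchanged on FreeBSD and Linux, reports whether "other" can still list or traverse a home directory (which is what Polytropon's locate hint turns on: FreeBSD's weekly periodic locate job builds its database as an unprivileged user, so only directories "other" can enter get indexed), and runs its demonstration on a scratch directory because changing /root needs root. The function names and the scratch-directory demo are mine, not anything from the thread; the chown step is only reported, not performed, since it cannot be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread: audit a home directory's mode and
# ownership the way the thread proposes for /root, then tighten it to 750.
# Uses ls -ld instead of stat(1) so the same script works on FreeBSD and
# Linux.  Directory (and expected owner:group) are parameters so it can be
# tried on a scratch directory without touching the real /root.

# Print the three "other" permission characters, e.g. "r-x" or "---".
# ls -ld columns: 1 = type, 2-4 = owner, 5-7 = group, 8-10 = other.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Exit 0 when "other" has read or execute on the directory, i.e. any local
# user can list or traverse it and an unprivileged locate/updatedb run
# will index what is inside.  Exit 1 when it is closed to "other".
world_visible() {
    case "$(other_bits "$1")" in
        *r*|*x*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print "owner:group" of the directory (fields 3 and 4 of ls -ld).
owner_group() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Exit 0 when the directory is owned by the expected user and group
# (root:wheel for /root on FreeBSD); this is the "chown root:wheel /root"
# half of the thread's proposal, checked rather than applied.
owner_ok() {
    [ "$(owner_group "$1")" = "$2" ]
}

# Apply the thread's proposal: mode 750, so the owner keeps full access,
# the directory's group (wheel on a real /root) can read and traverse,
# and everyone else is shut out.  Exit 0 only if "other" really ended up
# with no bits; a failed chmod (wrong owner, read-only fs) exits 1.
tighten_home() {
    chmod 750 "$1" || return 1
    ! world_visible "$1"
}

# Demonstration on a scratch directory, so no root privileges are needed.
# A freshly created home directory under the usual umask 022 is 755, the
# "pretty relaxed" default the thread is about; force it to be explicit.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home"
    chmod 755 "$d/home"
    echo "before: $(other_bits "$d/home") $(owner_group "$d/home")"
    tighten_home "$d/home"
    echo "after:  $(other_bits "$d/home") $(owner_group "$d/home")"
    rm -rf "$d"
}

demo
```

On a real system the call would be `tighten_home /root` followed by `owner_ok /root root:wheel`; if `owner_ok` fails, the chown the thread mentions is still outstanding. Note that `tighten_home` leaves the group bits at r-x, which is the thread's 750 rather than the 700 that Julian first suggested; drop the group bits too if wheel members should not read /root/bin.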