From: "Rodney W. Grimes"
Message-Id: <202002031540.013FeU0T088221@gndrsh.dnsmgr.net>
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
To: Wojciech Puchar
Date: Mon, 3 Feb 2020 07:40:30 -0800 (PST)
CC: "Rodney W. Grimes", Gordon Bergling, FreeBSD Hackers, Ryan Stone

> > I still can not support that as a change:
> > a) It has been 755 for 26 years on FreeBSD and also as long as
> >    I can remember (aka v4 research).  Changing it would be a POLA
> >    violation.
>
> so if it was wrong for so long, let's keep it wrong.

No one has demonstrated that it is "wrong", only that they claim
common sense says it should be 700, which has been arguably demonstrated
as wrong by the fact this needlessly removes access by group wheel members.

> > b) No known security flaw has been shown other than user error.
>
> so simply set all files to 777. it's user error forgetting to change it to
> something else.

That has repeatedly been demonstrated to have security implications,
why use such statements in a technical dispute?

> > c) The default for home directories in all the BSD's I looked at
> >    are 755.
>
> Not true.

That has been corrected by others, and I concede that some others have
done 700 /root, probably with the same type of justification as is
being attempted here and without good solid reasoning.

This is a POLICY issue and sites are going to vary, why change a
long standing default just to appease some sites without a good
solid reasoning to change said long standing default this simply
becomes change because we can change it.

Seriously I have 100's if not 1000's of tweaks I make after installing
FreeBSD to bring it in line with my POLICIES.  Others are not capable
of dealing with a chmod 750 /root I am sure.  As they are tweaking
adduser.conf, etc, etc.

I WOULD fully support a post bsdinstall/bsdconfig menu of
"LOCK this system down:".  Some of that has crept into bsdinstall
in the form of a "hardening menu".

-- 
Rod Grimes                                                 rgrimes@freebsd.org
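
An added illustration, not part of the message above and not FreeBSD code: a small site-policy audit that compares on-disk modes with a site-chosen maximum and reports which access classes exceed it, the kind of post-install check the thread treats as local policy. The `SITE_POLICY` values, the function names and the temporary directory tree are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Assumed site policy (not a FreeBSD default): the most permissive mode allowed.
SITE_POLICY = {"/root": 0o750, "/etc/sysctl.conf": 0o600}

def excess(actual, allowed):
    """List access the actual mode grants beyond the allowed mode, per class."""
    extra = actual & ~allowed & 0o777
    out = []
    for name, shift in (("owner", 6), ("group", 3), ("other", 0)):
        bits = (extra >> shift) & 0o7
        if bits:
            rwx = "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))
            out.append(f"{name}:{rwx}")
    return out

def audit(policy, prefix="/"):
    """Return {path: [excess access]} for paths under prefix that exceed policy."""
    findings = {}
    for path, allowed in policy.items():
        target = os.path.join(prefix, path.lstrip("/"))
        try:
            actual = stat.S_IMODE(os.lstat(target).st_mode)
        except FileNotFoundError:
            continue  # path absent on this system; nothing to check
        over = excess(actual, allowed)
        if over:
            findings[path] = over
    return findings

def demo():
    """Audit a constructed tree that mimics the 755 /root default from the thread."""
    with tempfile.TemporaryDirectory() as prefix:
        os.makedirs(os.path.join(prefix, "root"))
        os.makedirs(os.path.join(prefix, "etc"))
        conf = os.path.join(prefix, "etc", "sysctl.conf")
        open(conf, "w").close()
        os.chmod(os.path.join(prefix, "root"), 0o755)  # default cited in the thread
        os.chmod(conf, 0o644)                          # constructed sample value
        return audit(SITE_POLICY, prefix)

if __name__ == "__main__":
    for path, over in demo().items():
        print(path, "exceeds site policy:", ", ".join(over))
```

Checked against a 700 policy instead, a 755 `/root` is flagged for both `group` and `other`, which is the loss of wheel-group access the message objects to; a 750 policy flags only `other`.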