Date:      Mon, 3 Feb 2020 07:40:30 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To:        Wojciech Puchar <wojtek@puchar.net>
Cc:        "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, Gordon Bergling <gbergling@googlemail.com>, FreeBSD Hackers <freebsd-hackers@freebsd.org>, Ryan Stone <rysto32@gmail.com>
Subject:   Re: More secure permissions for /root and /etc/sysctl.conf
Message-ID:  <202002031540.013FeU0T088221@gndrsh.dnsmgr.net>
In-Reply-To: <alpine.BSF.2.20.2002031458290.69078@puchar.net>

> >
> > I still can not support that as a change:
> > a) It has been 755 for 26 years on FreeBSD and also as long as
> >   I can remember (aka v4 research).  Changing it would be a POLA
> >   violation.
> 
> so if it was wrong for so long, let's keep it wrong.

No one has demonstrated that it is "wrong", only that
they claim common sense says it should be 700, which has been
arguably demonstrated as wrong by the fact this needlessly removes
access by group wheel members.

> 
> >
> > b) No known security flaw has been shown other than user error.
> 
> so simply set all files to 777. it's user error forgetting to change it to 
> something else.

That has repeatedly been demonstrated to have security implications,
why use such statements in a technical dispute?

> >
> > c) The default for home directories in all the BSD's I looked at
> >   are 755.
> 
> Not true.

That has been corrected by others, and I concede that some others
have done 700 /root, probably with the same type of justification
as is being attempted here and without good solid reasoning.


This is a POLICY issue and sites are going to vary, why change
a long standing default just to appease some sites without a
good solid reasoning to change said long standing default?  This
simply becomes change because we can change it.

Seriously I have 100's if not 1000's of tweaks I make after
installing FreeBSD to bring it in line with my POLICIES.

Others are not capable of dealing with a chmod 750 /root I am sure.
As they are tweaking adduser.conf, etc, etc.


I WOULD fully support a post bsdinstall/bsdconfig menu of
"LOCK this system down:".  Some of that has crept into
bsdinstall in the form of a "hardening menu".

-- 
Rod Grimes                                                 rgrimes@freebsd.org


