Date: Mon, 3 Feb 2020 11:14:10 -0800 From: Enji Cooper <yaneurabeya@gmail.com> To: Cy Schubert <Cy.Schubert@cschubert.com> Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, Miroslav Lachman <000.fbsd@quip.cz>, Gordon Bergling <gbergling@googlemail.com>, Ben Woods <woodsb02@gmail.com>, Ryan Stone <rysto32@gmail.com>, Wojciech Puchar <wojtek@puchar.net> Subject: Re: More secure permissions for /root and /etc/sysctl.conf Message-ID: <CAGHfRMBM4QTbfCc2cpZuAobVqZH2WMxm2H5tqLDqnPLG2gGZew@mail.gmail.com> In-Reply-To: <31EF8F5F-75D5-4EFB-A6DA-10C0807BF29B@cschubert.com> References: <202002021808.012I8CNm083835@gndrsh.dnsmgr.net> <31EF8F5F-75D5-4EFB-A6DA-10C0807BF29B@cschubert.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Feb 3, 2020 at 9:11 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote: > > On February 2, 2020 10:08:12 AM PST, "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net> wrote: > >[ Charset UTF-8 unsupported, converting... ] > >> Ben Woods wrote on 2020/02/02 02:46: > >> > >> [...] > >> > DragonFlyBSD 5.6.2 = 700 > >> > HardenedBSD build 104 = 755 > >> > NetBSD 9.0 RC1 = 755 > >> > OpenBSD 6.6 = 700 > >> > > >> > For what it's worth, I am broadly supportive of this because I see > >no > >> > reason for /root to be world readable. > >> > >> +1 > >> > >> I see no reason for world readable /root too. > >> We always set user's homes to 0700 (subdirs of /usr/home). > > > >Who is "We" in this context? > > > >FreeBSD's default for home directories is 755. > > > >And as I have stated before anyone who is taking group rx off > >of /root is fooling themselves as that just creates pain for > >members of group wheel who now needlessly need to su to > >see /root's files. > > > >If you have issues with group wheel being able to read /root > >you have far far bigger problems that need addressed than > >a simple chmod g-rw /root is going to fix. > > Agreed. YMMV, but Fedora Linux 31 (at least) has a more restrictive umask/ownership set on /root by default: $ ls -ld /root dr-xr-x---. 6 root root 4096 Feb 3 10:06 /root $ cat /etc/redhat-release Fedora release 31 (Thirty One) I'm unsure what the default setting is with OSX (/root is a symlink to a directory under /var ). I think this suggestion makes sense from a default security perspective, but honestly I wouldn't fiddle with /etc/sysctl.conf at all. The RoI is much lower and the likelihood of breaking applications is considerably higher; having to elevate privileges just to read /etc/sysctl.conf wouldn't be strictly required, but someone might have implemented naive logic somewhere where it passes along "-f /etc/sysctl.conf" by default. Cheers, -Enji
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGHfRMBM4QTbfCc2cpZuAobVqZH2WMxm2H5tqLDqnPLG2gGZew>