Date: Mon, 03 Feb 2020 12:27:10 -0800 From: Cy Schubert <Cy.Schubert@cschubert.com> To: Enji Cooper <yaneurabeya@gmail.com> Cc: Cy Schubert <Cy.Schubert@cschubert.com>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, Miroslav Lachman <000.fbsd@quip.cz>, Gordon Bergling <gbergling@googlemail.com>, Ben Woods <woodsb02@gmail.com>, Ryan Stone <rysto32@gmail.com>, Wojciech Puchar <wojtek@puchar.net> Subject: Re: More secure permissions for /root and /etc/sysctl.conf Message-ID: <202002032027.013KRAil042646@slippy.cwsent.com> In-Reply-To: <CAGHfRMBM4QTbfCc2cpZuAobVqZH2WMxm2H5tqLDqnPLG2gGZew@mail.gmail.com> References: <202002021808.012I8CNm083835@gndrsh.dnsmgr.net> <31EF8F5F-75D5-4EFB-A6DA-10C0807BF29B@cschubert.com> <CAGHfRMBM4QTbfCc2cpZuAobVqZH2WMxm2H5tqLDqnPLG2gGZew@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <CAGHfRMBM4QTbfCc2cpZuAobVqZH2WMxm2H5tqLDqnPLG2gGZew@mail.gmail.c om> , Enji Cooper writes: > On Mon, Feb 3, 2020 at 9:11 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote: > > > > On February 2, 2020 10:08:12 AM PST, "Rodney W. Grimes" <freebsd-rwg@gndrsh > .dnsmgr.net> wrote: > > >[ Charset UTF-8 unsupported, converting... ] > > >> Ben Woods wrote on 2020/02/02 02:46: > > >> > > >> [...] > > >> > DragonFlyBSD 5.6.2 = 700 > > >> > HardenedBSD build 104 = 755 > > >> > NetBSD 9.0 RC1 = 755 > > >> > OpenBSD 6.6 = 700 > > >> > > > >> > For what it's worth, I am broadly supportive of this because I see > > >no > > >> > reason for /root to be world readable. > > >> > > >> +1 > > >> > > >> I see no reason for world readable /root too. > > >> We always set user's homes to 0700 (subdirs of /usr/home). > > > > > >Who is "We" in this context? > > > > > >FreeBSD's default for home directories is 755. > > > > > >And as I have stated before anyone who is taking group rx off > > >of /root is fooling themselves as that just creates pain for > > >members of group wheel who now needlessly need to su to > > >see /root's files. > > > > > >If you have issues with group wheel being able to read /root > > >you have far far bigger problems that need addressed than > > >a simple chmod g-rw /root is going to fix. > > > > Agreed. > > YMMV, but Fedora Linux 31 (at least) has a more restrictive > umask/ownership set on /root by default: > > $ ls -ld /root > dr-xr-x---. 6 root root 4096 Feb 3 10:06 /root > $ cat /etc/redhat-release > Fedora release 31 (Thirty One) > > I'm unsure what the default setting is with OSX (/root is a symlink to > a directory under /var ). > > I think this suggestion makes sense from a default security > perspective, but honestly I wouldn't fiddle with /etc/sysctl.conf at > all. The RoI is much lower and the likelihood of breaking applications > is considerably higher; having to elevate privileges just to read > /etc/sysctl.conf wouldn't be strictly required, but someone might have > implemented naive logic somewhere where it passes along "-f > /etc/sysctl.conf" by default. I wouldn't either but at $JOB we do and a lot more too. Quarterly patching invokes a policy that resets all customizations back to policy, kind of like installworld reverts back to default. I don't agree with it but it could be a WITH_ or WITHOUT_ option to chown and chmod all files in /home, reset umasks, and file off all setuid bits. I don't agree with the policy but if we must, let's make it a WITH/WITHOUT option. Or better yet, a port that locks down a server to CIS standards. If we are going to embark down this path, let's a) adhere to CIS and b) make it optional. -- Cheers, Cy Schubert <Cy.Schubert@cschubert.com> FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202002032027.013KRAil042646>