From: Cy Schubert
To: Enji Cooper
cc: Cy Schubert, "freebsd-hackers@freebsd.org", "Rodney W. Grimes", Miroslav Lachman <000.fbsd@quip.cz>, Gordon Bergling, Ben Woods, Ryan Stone, Wojciech Puchar
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
References: <202002021808.012I8CNm083835@gndrsh.dnsmgr.net> <31EF8F5F-75D5-4EFB-A6DA-10C0807BF29B@cschubert.com>
Comments: In-reply-to Enji Cooper message dated "Mon, 03 Feb 2020 11:14:10 -0800."
Date: Mon, 03 Feb 2020 12:27:10 -0800
Message-Id: <202002032027.013KRAil042646@slippy.cwsent.com>
List-Id: Technical Discussions relating to FreeBSD

In message , Enji Cooper writes:
> On Mon, Feb 3, 2020 at 9:11 AM Cy Schubert wrote:
> >
> > On February 2, 2020 10:08:12 AM PST, "Rodney W. Grimes" .dnsmgr.net> wrote:
> > >[ Charset UTF-8 unsupported, converting... ]
> > >> Ben Woods wrote on 2020/02/02 02:46:
> > >>
> > >> [...]
> > >> > DragonFlyBSD 5.6.2 = 700
> > >> > HardenedBSD build 104 = 755
> > >> > NetBSD 9.0 RC1 = 755
> > >> > OpenBSD 6.6 = 700
> > >> >
> > >> > For what it's worth, I am broadly supportive of this because I see no
> > >> > reason for /root to be world readable.
> > >>
> > >> +1
> > >>
> > >> I see no reason for world readable /root too.
> > >> We always set user's homes to 0700 (subdirs of /usr/home).
> > >
> > >Who is "We" in this context?
> > >
> > >FreeBSD's default for home directories is 755.
> > >
> > >And as I have stated before anyone who is taking group rx off
> > >of /root is fooling themselves as that just creates pain for
> > >members of group wheel who now needlessly need to su to
> > >see /root's files.
> > >
> > >If you have issues with group wheel being able to read /root
> > >you have far far bigger problems that need addressed than
> > >a simple chmod g-rw /root is going to fix.
> >
> > Agreed.
>
> YMMV, but Fedora Linux 31 (at least) has a more restrictive
> umask/ownership set on /root by default:
>
> $ ls -ld /root
> dr-xr-x---. 6 root root 4096 Feb 3 10:06 /root
> $ cat /etc/redhat-release
> Fedora release 31 (Thirty One)
>
> I'm unsure what the default setting is with OSX (/root is a symlink to
> a directory under /var ).
>
> I think this suggestion makes sense from a default security
> perspective, but honestly I wouldn't fiddle with /etc/sysctl.conf at
> all. The RoI is much lower and the likelihood of breaking applications
> is considerably higher; having to elevate privileges just to read
> /etc/sysctl.conf wouldn't be strictly required, but someone might have
> implemented naive logic somewhere where it passes along "-f
> /etc/sysctl.conf" by default.

I wouldn't either but at $JOB we do and a lot more too. Quarterly patching
invokes a policy that resets all customizations back to policy, kind of like
installworld reverts back to default.

I don't agree with it but it could be a WITH_ or WITHOUT_ option to chown and
chmod all files in /home, reset umasks, and file off all setuid bits. I don't
agree with the policy but if we must, let's make it a WITH/WITHOUT option. Or
better yet, a port that locks down a server to CIS standards. If we are going
to embark down this path, let's a) adhere to CIS and b) make it optional.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.
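
A read-only audit of the modes debated in this thread, as an added example that is not from any poster or from FreeBSD itself. The ceilings (750 for /root, 644 for /etc/sysctl.conf, 755 for home directories) are assumed defaults, overridable through the hypothetical ROOT_CEILING, SYSCTL_CEILING and HOME_CEILING variables; it also goes slightly beyond the thread's examples by listing setuid files.

```sh
#!/bin/sh
# Added example: read-only audit of the permission modes debated in the thread.
# The ceilings are assumptions; override them through the environment.

# Print a path's octal permission bits (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed when mode $1 grants no bit outside ceiling $2:
# 700 and 550 fit under 750, while 755 does not (world r-x is extra).
within_policy() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# audit PATH CEILING: print one verdict line, return 1 on a violation.
audit() {
    m=$(mode_of "$1") || { echo "SKIP $1 (cannot stat)"; return 0; }
    if within_policy "$m" "$2"; then
        echo "OK   $1 mode $m (ceiling $2)"
    else
        echo "FAIL $1 mode $m exceeds ceiling $2"
        return 1
    fi
}

# List setuid files under a directory without changing them.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Audit the paths named in the thread plus each home directory.
policy_report() {
    rc=0
    audit /root "${ROOT_CEILING:-750}" || rc=1
    audit /etc/sysctl.conf "${SYSCTL_CEILING:-644}" || rc=1
    for d in /home/* /usr/home/*; do
        [ -d "$d" ] || continue
        audit "$d" "${HOME_CEILING:-755}" || rc=1
    done
    return "$rc"
}

policy_report || echo "one or more paths exceed the configured ceiling"
```

Setting ROOT_CEILING=700 checks against the DragonFlyBSD and OpenBSD value quoted above, while the 750 default keeps group read and search access for wheel.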