From owner-freebsd-security@FreeBSD.ORG Fri Jun 22 13:44:10 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2EC1106564A for ; Fri, 22 Jun 2012 13:44:10 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from tower.berklix.org (tower.berklix.org [83.236.223.114]) by mx1.freebsd.org (Postfix) with ESMTP id 4FAD88FC16 for ; Fri, 22 Jun 2012 13:44:10 +0000 (UTC) Received: from mart.js.berklix.net (p5DCBDCF3.dip.t-dialin.net [93.203.220.243]) (authenticated bits=0) by tower.berklix.org (8.14.2/8.14.2) with ESMTP id q5MDi8gk061428 for ; Fri, 22 Jun 2012 13:44:09 GMT (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id q5MDhu8N008035 for ; Fri, 22 Jun 2012 15:43:58 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.4/8.14.4) with ESMTP id q5MDhmvS045187 for ; Fri, 22 Jun 2012 15:43:54 +0200 (CEST) (envelope-from jhs@fire.js.berklix.net) Message-Id: <201206221343.q5MDhmvS045187@fire.js.berklix.net> To: freebsd-security@freebsd.org From: "Julian H. Stacey" Organization: http://berklix.com BSD Linux Unix Consultancy, Munich Germany User-agent: EXMH on FreeBSD http://www.berklix.com/free/ X-URL: http://www.berklix.com/~jhs/cv/ Date: Fri, 22 Jun 2012 15:43:47 +0200 Sender: jhs@berklix.com Subject: / owned by bin causes sshd to complain bad ownership X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jun 2012 13:44:10 -0000 Hi freebsd-security@freebsd.org On an 8.3-RELEASE running sshd, /var/log/auth.log Jun 22 12:54:06 lapr sshd[57505]: Authentication refused: bad ownership or modes for directory / Until I did chown 0:0 / ( It was previously drwxr-xr-x 25 bin bin 1024 Jun 20 19:53 ./ ) The chown is consistent with all of 8.3 /bin also being root & not bin, BUT Over use of Root seems Bad. Our ownership scheme has degraded compared to early 1980s Unix, where most bin & lib files & dirs were owned by bin, except for - a few SUID bins that Needed root - occasional administrator droppings, temporary accidental files that glared at the eyeball, as root, cos near all else was just bin. IMO very little in a system should be user root. Apologies, but to guide replies : (after threads burnt by a troll on another list) I'd not appreciate replies just along the lines of "It has to be to satisfy existing software". I'd much rather receive replies along lines of "What would be best ownership scheme, advantages & disadvantages + should we change anything ?" Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com Reply below not above, cumulative like a play script, & indent with "> ". Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable. Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/