Date: Wed, 29 Jan 2020 11:29:43 +0100 From: Gordon Bergling <gbergling@googlemail.com> To: Gary Jennejohn <gljennjohn@gmail.com> Cc: Gordon Bergling via freebsd-hackers <freebsd-hackers@freebsd.org> Subject: Re: More secure permissions for /root and /etc/sysctl.conf Message-ID: <E44AFD8B-B728-4D90-AD63-508FBA23F790@googlemail.com> In-Reply-To: <20200129112500.368610e8@ernst.home> References: <20200129092631.GA22505@lion.0xfce3.net> <20200129105325.600cddc1@ernst.home> <20200129112500.368610e8@ernst.home>
next in thread | previous in thread | raw e-mail | index | archive | help
Gary, no, you are mistaken here. Not / it is /root the home folder of the = system administrator. # chmod 700 /root That is not /. Gordon > Am 29.01.2020 um 11:25 schrieb Gary Jennejohn <gljennjohn@gmail.com>: >=20 > On Wed, 29 Jan 2020 10:53:25 +0100 > Gary Jennejohn <gljennjohn@gmail.com <mailto:gljennjohn@gmail.com>> = wrote: >=20 >> On Wed, 29 Jan 2020 10:26:31 +0100 >> Gordon Bergling via freebsd-hackers <freebsd-hackers@freebsd.org> = wrote: >>=20 >>> Hi, >>>=20 >>> I recently stumbled upon the default world readable permissons of = /root and=20 >>> /etc/sysctl.conf. I think that it would be more secure to reduce the = default >>> permission for /root to 0700 and to 0600 for /etc/sysctl.conf. >>>=20 >>> I prepared a differtial for the proposed change: >>> https://reviews.freebsd.org/D23392 >>>=20 >>> What do you think? >>>=20 >>=20 >> I think that changing the permissions on / would defeat the purpose = of >> /etc/devd.conf and then adding users to certain groups in /etc/group >> to make devices usable without having to escalate to root rights. >>=20 >=20 > I decided to actually test this case, since I thought I should back up > my opinion with some facts. >=20 > So, I did chmod 700 / and rebooted. >=20 > I wasn't able to login as a normal user because an error was raised > about not being able to find the root for audit (or similar wording). >=20 > After changing root back to 755 and remounting /home I could log in. >=20 > Your idea may work if all filesystems are in one big partition, I > can't really say, but on my system /, /var, /usr and /home are > separate partitions/disks. >=20 > --=20 > Gary Jennejohn
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E44AFD8B-B728-4D90-AD63-508FBA23F790>