From owner-freebsd-hackers@freebsd.org  Wed Jan 29 10:29:49 2020
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7F03A1D2C13
 for <freebsd-hackers@mailman.nyi.freebsd.org>;
 Wed, 29 Jan 2020 10:29:49 +0000 (UTC)
 (envelope-from gbergling@gmail.com)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com
 [IPv6:2a00:1450:4864:20::32d])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4870984p70z4QKn
 for <freebsd-hackers@freebsd.org>; Wed, 29 Jan 2020 10:29:48 +0000 (UTC)
 (envelope-from gbergling@gmail.com)
Received: by mail-wm1-x32d.google.com with SMTP id g1so5583128wmh.4
 for <freebsd-hackers@freebsd.org>; Wed, 29 Jan 2020 02:29:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:sender:from:message-id:mime-version:subject:date
 :in-reply-to:cc:to:references;
 bh=iDWVKSDGGqi2IW4eJAyCNflDfCKx2jEBAYJrjiUzGKk=;
 b=PtLFWUuu9XmSqSBGt3cIo6tGF02xxh1VyKRapYOWfW9q72yUtuIgWxaXBSca1gXcc+
 o1couHRc/wNwNN2mh1ZN1KxzG6iqof/cKln4Nb4T/ddCl7xVnFtnFMFZgrA+J+ibQWQS
 QQEgQxt93Jq5CHxYzlX8BnBW5qEcIm21QcLF5YXx6f8LBQlKjccyocr83ISGaraIcSYy
 8N2P9l3air1M+W2lz7QrVBjVgXGQr3Jk4o3w0CuWo9nfhqSsBZTVYXDE7FWaNp286APN
 Q9VTfnoUG/mxN+MV5IwdNXgZhz4jUD2So6mVihxqtrk+5lBCC77+vhepN/0djK+DfDC5
 29Fg==
X-Gm-Message-State: APjAAAV/ZsE8N6uKq+TqJa5ZXgsLt284QELUHunaQNXXRm2TCe1qUnMv
 J7HqtUetI0LMyFK9MK56rezSS3Ph
X-Google-Smtp-Source: APXvYqycQOjo5+hk79arSulFGyRE7FB7B2FT1ro9SpdNri/HLjIvYMiPiXgcQJOmsl9lIFFBtFyeLw==
X-Received: by 2002:a1c:7f87:: with SMTP id a129mr3900227wmd.156.1580293785650; 
 Wed, 29 Jan 2020 02:29:45 -0800 (PST)
Received: from [10.0.1.114] (p4FD3AEF0.dip0.t-ipconnect.de. [79.211.174.240])
 by smtp.gmail.com with ESMTPSA id
 c2sm2259926wrp.46.2020.01.29.02.29.44
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 29 Jan 2020 02:29:45 -0800 (PST)
Sender: Gordon Bergling <gbergling@gmail.com>
From: Gordon Bergling <gbergling@googlemail.com>
Message-Id: <E44AFD8B-B728-4D90-AD63-508FBA23F790@googlemail.com>
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
Date: Wed, 29 Jan 2020 11:29:43 +0100
In-Reply-To: <20200129112500.368610e8@ernst.home>
Cc: Gordon Bergling via freebsd-hackers <freebsd-hackers@freebsd.org>
To: Gary Jennejohn <gljennjohn@gmail.com>
References: <20200129092631.GA22505@lion.0xfce3.net>
 <20200129105325.600cddc1@ernst.home> <20200129112500.368610e8@ernst.home>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
X-Rspamd-Queue-Id: 4870984p70z4QKn
X-Spamd-Bar: /
X-Spamd-Result: default: False [0.85 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36:c];
 FREEMAIL_FROM(0.00)[googlemail.com]; MV_CASE(0.50)[];
 URI_COUNT_ODD(1.00)[3]; RCVD_COUNT_THREE(0.00)[3];
 TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+];
 RCPT_COUNT_TWO(0.00)[2];
 FORGED_SENDER(0.30)[gbergling@googlemail.com,gbergling@gmail.com];
 FREEMAIL_TO(0.00)[gmail.com];
 RECEIVED_SPAMHAUS_PBL(0.00)[240.174.211.79.khpj7ygk5idzvmvt5x4ziurxhy.zen.dq.spamhaus.net
 : 127.0.0.10]; MIME_TRACE(0.00)[0:+,1:+,2:~];
 FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US];
 FROM_NEQ_ENVFROM(0.00)[gbergling@googlemail.com,gbergling@gmail.com];
 MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-0.95)[-0.953,0];
 R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[];
 DMARC_POLICY_QUARANTINE(1.50)[googlemail.com : SPF not aligned (relaxed), DKIM
 not aligned (relaxed),quarantine]; 
 NEURAL_HAM_LONG(-0.99)[-0.995,0];
 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org];
 IP_SCORE_FREEMAIL(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[];
 RCVD_IN_DNSWL_NONE(0.00)[d.2.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org
 : 127.0.5.0]; 
 IP_SCORE(0.00)[ip: (-9.15), ipnet: 2a00:1450::/32(-2.52), asn: 15169(-1.78),
 country: US(-0.05)]; RCVD_TLS_ALL(0.00)[]
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 10:29:49 -0000

Gary,

no, you are mistaken here. Not / it is /root the home folder of the =
system administrator.

# chmod 700 /root

That is not /.

Gordon

> Am 29.01.2020 um 11:25 schrieb Gary Jennejohn <gljennjohn@gmail.com>:
>=20
> On Wed, 29 Jan 2020 10:53:25 +0100
> Gary Jennejohn <gljennjohn@gmail.com <mailto:gljennjohn@gmail.com>> =
wrote:
>=20
>> On Wed, 29 Jan 2020 10:26:31 +0100
>> Gordon Bergling via freebsd-hackers <freebsd-hackers@freebsd.org> =
wrote:
>>=20
>>> Hi,
>>>=20
>>> I recently stumbled upon the default world readable permissons of =
/root and=20
>>> /etc/sysctl.conf. I think that it would be more secure to reduce the =
default
>>> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>>>=20
>>> I prepared a differtial for the proposed change:
>>> https://reviews.freebsd.org/D23392
>>>=20
>>> What do you think?
>>>=20
>>=20
>> I think that changing the permissions on / would defeat the purpose =
of
>> /etc/devd.conf and then adding users to certain groups in /etc/group
>> to make devices usable without having to escalate to root rights.
>>=20
>=20
> I decided to actually test this case, since I thought I should back up
> my opinion with some facts.
>=20
> So, I did chmod 700 / and rebooted.
>=20
> I wasn't able to login as a normal user because an error was raised
> about not being able to find the root for audit (or similar wording).
>=20
> After changing root back to 755 and remounting /home I could log in.
>=20
> Your idea may work if all filesystems are in one big partition, I
> can't really say, but on my system /, /var, /usr and /home are
> separate partitions/disks.
>=20
> --=20
> Gary Jennejohn