From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultancy, Munich Germany
To: Dag-Erling Smørgrav
Message-Id: <201206221810.q5MI9tuR054055@fire.js.berklix.net>
In-reply-to: Your message "Fri, 22 Jun 2012 19:38:04 +0200."
    <86mx3v2qo3.fsf@ds4.des.no>
Date: Fri, 22 Jun 2012 20:09:55 +0200
Cc: freebsd-security@freebsd.org
Subject: Re: / owned by bin causes sshd to complain bad ownership

Hi,
Dag-Erling Smørgrav wrote:
> "Julian H. Stacey" writes:
> > On an 8.3-RELEASE running sshd, /var/log/auth.log
> >     Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
> >     bad ownership or modes for directory /
>
> sshd requires that the user's authorized_keys, the directory it's in
> (~/.ssh) and all its ancestor directories be owned by either the user or
> root.

Yes, I don't question the "user or", that's fine.
It's the final "root" I find strange. I guess whoever wrote sshd
was so used to "root" they never considered "bin" could be better.

>
> > Until I did
> >     chown 0:0 /
> > ( It was previously
> >     drwxr-xr-x 25 bin bin 1024 Jun 20 19:53 ./
> > )
>
> I don't see why / should be owned by bin;

Actually, I'd agree to some extent. It doesn't need to be, would mostly look
more orthogonal & optically matching alongside binary files in same directory
also owned by bin.

> bin is intended for system
> binaries and libraries, i.e. {,/usr}/{bin,sbin,lib,libexec}, except
> those that need to be setuid or setgid.

Agreed. That's the way it used to be way back on Unix, & what I suggest
would be better if we returned to, but at least on my systems here,
all the binaries seem to be owned by root. eg currently:
    cd /usr/src/usr.bin/wc ; make install
    install -s -o root -g wheel -m 555 wc /usr/bin
    install -o root -g wheel -m 444 wc.1.gz /usr/share/man/man1

> The directories themselves
> should probably still be owned by root:wheel.

I'd prefer bin by default, though some directories eg for daemons might need root.
But I'd happily compromise on just getting binaries back to be owned by bin for now.

Sshd is not so much what I'm targeting for now, more that sshd is how I
noticed the issue of binary file ownership.

> DES
> --
> Dag-Erling Smørgrav - des@des.no

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/
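
An added example, not part of the original message and not sshd's own code: a Python audit that applies the ownership rule quoted in the thread (owner must be the user or root) to authorized_keys and every ancestor directory up to /. The group/other write-bit check is an assumption about what "bad modes" covers, and the sample tree (user jhs with uid 1001, bin as uid 3) is constructed.

```python
import os
import stat
from collections import namedtuple


def ancestors(path):
    """Yield path itself, then each parent directory, ending with '/'."""
    path = os.path.abspath(path)
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:          # reached the filesystem root
            return
        path = parent


def audit_chain(path, user_uid, stat_fn=os.stat):
    """Return [(component, reason)] for each component that breaks the rule.

    Rule from the thread: owner must be the user or root (uid 0).
    Assumption added here: group/other write bits count as "bad modes".
    stat_fn is injectable so the check can run against a recorded tree.
    """
    findings = []
    for component in ancestors(path):
        st = stat_fn(component)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, user_uid):
            findings.append((component, "owned by uid %d" % st.st_uid))
        if mode & 0o022:
            findings.append((component, "group/other writable (%o)" % mode))
    return findings


# Constructed sample mirroring the thread: / is owned by bin (uid 3 assumed).
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
SAMPLE = {
    "/": FakeStat(3, 0o40755),
    "/home": FakeStat(0, 0o40755),
    "/home/jhs": FakeStat(1001, 0o40755),
    "/home/jhs/.ssh": FakeStat(1001, 0o40700),
    "/home/jhs/.ssh/authorized_keys": FakeStat(1001, 0o100600),
}

if __name__ == "__main__":
    key_file = "/home/jhs/.ssh/authorized_keys"
    for component, reason in audit_chain(key_file, 1001, SAMPLE.__getitem__):
        print("%s: %s" % (component, reason))
```

To audit a live system, call `audit_chain` with the real key file path and the account's uid and leave `stat_fn` at its default.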