Date: Fri, 28 Jun 2013 10:10:02 +0200 From: ASV <asv@inhio.eu> To: "Julian H. Stacey" <jhs@berklix.com> Cc: Polytropon <freebsd@edvax.de>, freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: A very 'trivial' question about /root Message-ID: <1372407002.6831.34.camel@blackfriar.inhio.eu> In-Reply-To: <201306272347.r5RNlpgG096631@fire.js.berklix.net> References: <201306272347.r5RNlpgG096631@fire.js.berklix.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Julian, you played Devil's advocate well actually as I don't know which idea would be more audacious, letting httpd access files from your root dir or exporting /root via nfs. :) Both of them sound more like a lab scenario than a real one. I understand that launching a "chmod 700 /root" it's a matter of something between 1 and 3 seconds. I do also understand that I had /root closed for long time and never had the need to set permissions back loose and this triggered my point. Why is it that open? :) On Fri, 2013-06-28 at 01:47 +0200, Julian H. Stacey wrote: > Hi, Reference: > > From: ASV <asv@inhio.eu> > > Date: Thu, 27 Jun 2013 21:39:20 +0200 > > ASV wrote: > > Thanks for your reply Polytropon, > > > > I'm using FreeBSD since few years already and I'm kind of aware of the > > "dynamics" related to permissions, many of them are common to many > > Unices. > > I agree that the installer doesn't put anything secret but as a home dir > > for the root user it's highly likely that something not intended to be > > publicly readable will end up there soon after the installation. > > Which IMHO it's true also for any other user homedir which gets created > > by default using a pretty relaxed umask 022, but that seems to be the > > default on probably any other UNIX like system I've put my hands on > > AFAIR. > > > > Don't get me wrong, since I use FreeBSD I'm just in love with it. Mine > > is just a concern about these permission defaults which look to me a bit > > too relaxed and cannot find yet a reason why not to restrict it. > > After all I believe having good default settings may make the difference > > in some circumstances and/or save time. > > > > On Thu, 2013-06-27 at 04:58 +0200, Polytropon wrote: > > > On Wed, 26 Jun 2013 23:34:41 +0200, ASV wrote: > > > > There's any reason (and should be a fairly good one) why the /root > > > > directory permissions by default are set to 755 (for sure on releases > > > > 8.0/8.1/9.0/9.1)???? > > > > > > This is the default permission for user directories, as root > > > is considered a user in this (special) case, and /root is its > > > home directory. The installer does not put anything "secret" > > > in there, but _you_ might, so there should be no issue changing > > > it to a more restricted access permission. > > > > > > Hint: When a directory is r-x for "other", then it will be > > > indexed by the locate periodic job, so users could use the > > > locate command (and also find) to look what's in there. If > > > this is not desired, change to rwx/---/---, or rwx/r-x/--- > > > if you want to allow (trusted) users of the "wheel" group > > > to read and execute stuff from that directory (maybe homemade > > > admin scripts in /root/bin that should not be "public"). > > > > > > There are few things that touch /root content. System updating > > > might be one of them, but as it is typically run as root (and > > > even in SUM), restrictive permissions above the default are > > > no problem. > > > > > > To summarize the answer for your question: It's just the default. :-) > > I'll play Devil's advocate for a moment ;-) > > One reason not to tighten ~root is because one might want > ~root/httpuserfile to be readable by httpd to access the crypted > passwords of locked web page. ... ;-) > > No not really, that's perverted, I wouldn't reccomend an > http://localhost/~root/ regardless of password locked pages or not. > > But it shows how lateral head scratching might be > appropriate before removing read perms on ~root/ . > > { A bit like wrong ownership on / can surprisingly kill AMD NFS > access } ... some unexpected constraints can take some thinking > through, It might be quickest for a number of us to just try chmod > 700 ~root for a while & see if we get trouble. > > Cheers, > Julian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1372407002.6831.34.camel>