Date: Fri, 22 Jun 2012 11:59:28 -0400 From: Jason Hellenthal <jhellenthal@dataix.net> To: "Julian H. Stacey" <jhs@berklix.com> Cc: freebsd-security@freebsd.org Subject: Re: / owned by bin causes sshd to complain bad ownership Message-ID: <20120622155928.GA9983@DataIX.net> In-Reply-To: <201206221343.q5MDhmvS045187@fire.js.berklix.net> References: <201206221343.q5MDhmvS045187@fire.js.berklix.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jun 22, 2012 at 03:43:47PM +0200, Julian H. Stacey wrote: > Hi freebsd-security@freebsd.org > On an 8.3-RELEASE running sshd, /var/log/auth.log > Jun 22 12:54:06 lapr sshd[57505]: Authentication refused: > bad ownership or modes for directory / > Until I did > chown 0:0 / > ( It was previously > drwxr-xr-x 25 bin bin 1024 Jun 20 19:53 ./ > ) > The chown is consistent with all of 8.3 /bin also being root & not bin, > > BUT > > Over use of Root seems Bad. > Our ownership scheme has degraded compared to early 1980s Unix, where > most bin & lib files & dirs were owned by bin, except for > - a few SUID bins that Needed root > - occasional administrator droppings, > temporary accidental files that glared at the eyeball, > as root, cos near all else was just bin. > > IMO very little in a system should be user root. > > Apologies, but to guide replies : > (after threads burnt by a troll on another list) > I'd not appreciate replies just along the lines of > "It has to be to satisfy existing software". > I'd much rather receive replies along lines of > "What would be best ownership scheme, advantages & > disadvantages + should we change anything ?" > What are you currently using this in that is the cause of the problem ? Is this a jail, physical system, VM ... It is not really clear why you would want to change the permissions of root:wheel of / on any of these. root is the owner of the system ... it is pretty much a standard if not already that root owns everything so I am not really following why. openssh in itself... I am glad it does this. If a system has been compromised by changing owner:group of / then it denies access to the whole system. This is a security benefit. Security principles are well laid out and have not changed in a long time. Vering away from those principles will cause a LOT of administrative overhead as most software out there can expect a sane environment if / is root:wheel -- - (2^(N-1))
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120622155928.GA9983>