More secure permissions for /root and /etc/sysctl.conf
Tommi Pernila
tommi.pernila at gmail.com
Sun Feb 2 20:42:56 UTC 2020
On Sun 2. Feb 2020 at 20.08, Rodney W. Grimes <freebsd-rwg at gndrsh.dnsmgr.net>
wrote:
> [ Charset UTF-8 unsupported, converting... ]
> > Ben Woods wrote on 2020/02/02 02:46:
> >
> > [...]
> > > DragonFlyBSD 5.6.2 = 700
> > > HardenedBSD build 104 = 755
> > > NetBSD 9.0 RC1 = 755
> > > OpenBSD 6.6 = 700
> > >
> > > For what it's worth, I am broadly supportive of this because I see no
> > > reason for /root to be world readable.
> >
> > +1
> >
> > I see no reason for world readable /root too.
> > We always set user's homes to 0700 (subdirs of /usr/home).
>
> Who is "We" in this context?
>
> FreeBSD's default for home directories is 755.
>
> And as I have stated before anyone who is taking group rx off
> of /root is fooling themselves as that just creates pain for
> members of group wheel who now needlessly need to su to
> see /root's files.
>
> If you have issues with group wheel being able to read /root
> you have far far bigger problems that need addressed than
> a simple chmod g-rw /root is going to fix.
>
700 for /root has it's place but i think it is a POLA violation.
I'm guessing that the majority here can agree that 755 is bit too broad?
750 should not create any problems and would be a good compromise.
-T
> --
> Rod Grimes
> rgrimes at freebsd.org
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
More information about the freebsd-hackers
mailing list