More secure permissions for /root and /etc/sysctl.conf

[Enji Cooper]

On Mon, Feb 3, 2020 at 9:11 AM Cy Schubert <Cy.Schubert at cschubert.com> wrote:
>
> On February 2, 2020 10:08:12 AM PST, "Rodney W. Grimes" <freebsd-rwg at gndrsh.dnsmgr.net> wrote:
> >[ Charset UTF-8 unsupported, converting... ]
> >> Ben Woods wrote on 2020/02/02 02:46:
> >>
> >> [...]
> >> > DragonFlyBSD 5.6.2 = 700
> >> > HardenedBSD build 104 = 755
> >> > NetBSD 9.0 RC1 = 755
> >> > OpenBSD 6.6 = 700
> >> >
> >> > For what it's worth, I am broadly supportive of this because I see
> >no
> >> > reason for /root to be world readable.
> >>
> >> +1
> >>
> >> I see no reason for world readable /root too.
> >> We always set user's homes to 0700 (subdirs of /usr/home).
> >
> >Who is "We" in this context?
> >
> >FreeBSD's default for home directories is 755.
> >
> >And as I have stated before anyone who is taking group rx off
> >of /root is fooling themselves as that just creates pain for
> >members of group wheel who now needlessly need to su to
> >see /root's files.
> >
> >If you have issues with group wheel being able to read /root
> >you have far far bigger problems that need addressed than
> >a simple chmod g-rw /root is going to fix.
>
> Agreed.

YMMV, but Fedora Linux 31 (at least) has a more restrictive
umask/ownership set on /root by default:

$ ls -ld /root
dr-xr-x---. 6 root root 4096 Feb  3 10:06 /root
$ cat /etc/redhat-release
Fedora release 31 (Thirty One)

I'm unsure what the default setting is with OSX (/root is a symlink to
a directory under /var ).

I think this suggestion makes sense from a default security
perspective, but honestly I wouldn't fiddle with /etc/sysctl.conf at
all. The RoI is much lower and the likelihood of breaking applications
is considerably higher; having to elevate privileges just to read
/etc/sysctl.conf wouldn't be strictly required, but someone might have
implemented naive logic somewhere where it passes along "-f
/etc/sysctl.conf" by default.

Cheers,
-Enji