More secure permissions for /root and /etc/sysctl.conf
Cy Schubert
Cy.Schubert at cschubert.com
Mon Feb 3 20:27:19 UTC 2020
In message <CAGHfRMBM4QTbfCc2cpZuAobVqZH2WMxm2H5tqLDqnPLG2gGZew at mail.gmail.c
om>
, Enji Cooper writes:
> On Mon, Feb 3, 2020 at 9:11 AM Cy Schubert <Cy.Schubert at cschubert.com> wrote:
> >
> > On February 2, 2020 10:08:12 AM PST, "Rodney W. Grimes" <freebsd-rwg at gndrsh
> .dnsmgr.net> wrote:
> > >[ Charset UTF-8 unsupported, converting... ]
> > >> Ben Woods wrote on 2020/02/02 02:46:
> > >>
> > >> [...]
> > >> > DragonFlyBSD 5.6.2 = 700
> > >> > HardenedBSD build 104 = 755
> > >> > NetBSD 9.0 RC1 = 755
> > >> > OpenBSD 6.6 = 700
> > >> >
> > >> > For what it's worth, I am broadly supportive of this because I see
> > >no
> > >> > reason for /root to be world readable.
> > >>
> > >> +1
> > >>
> > >> I see no reason for world readable /root too.
> > >> We always set user's homes to 0700 (subdirs of /usr/home).
> > >
> > >Who is "We" in this context?
> > >
> > >FreeBSD's default for home directories is 755.
> > >
> > >And as I have stated before anyone who is taking group rx off
> > >of /root is fooling themselves as that just creates pain for
> > >members of group wheel who now needlessly need to su to
> > >see /root's files.
> > >
> > >If you have issues with group wheel being able to read /root
> > >you have far far bigger problems that need addressed than
> > >a simple chmod g-rw /root is going to fix.
> >
> > Agreed.
>
> YMMV, but Fedora Linux 31 (at least) has a more restrictive
> umask/ownership set on /root by default:
>
> $ ls -ld /root
> dr-xr-x---. 6 root root 4096 Feb 3 10:06 /root
> $ cat /etc/redhat-release
> Fedora release 31 (Thirty One)
>
> I'm unsure what the default setting is with OSX (/root is a symlink to
> a directory under /var ).
>
> I think this suggestion makes sense from a default security
> perspective, but honestly I wouldn't fiddle with /etc/sysctl.conf at
> all. The RoI is much lower and the likelihood of breaking applications
> is considerably higher; having to elevate privileges just to read
> /etc/sysctl.conf wouldn't be strictly required, but someone might have
> implemented naive logic somewhere where it passes along "-f
> /etc/sysctl.conf" by default.
I wouldn't either but at $JOB we do and a lot more too. Quarterly patching
invokes a policy that resets all customizations back to policy, kind of
like installworld reverts back to default. I don't agree with it but it
could be a WITH_ or WITHOUT_ option to chown and chmod all files in /home,
reset umasks, and file off all setuid bits. I don't agree with the policy
but if we must, let's make it a WITH/WITHOUT option. Or better yet, a port
that locks down a server to CIS standards.
If we are going to embark down this path, let's a) adhere to CIS and b)
make it optional.
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.
More information about the freebsd-hackers
mailing list