More secure permissions for /root and /etc/sysctl.conf
David Wolfskill
david at catwhisker.org
Wed Jan 29 12:04:43 UTC 2020
On Wed, Jan 29, 2020 at 10:26:31AM +0100, Gordon Bergling via freebsd-hackers wrote:
> Hi,
>
> I recently stumbled upon the default world readable permissions of /root and
> /etc/sysctl.conf. I think that it would be more secure to reduce the default
> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>
> I prepared a differential for the proposed change:
> https://reviews.freebsd.org/D23392
>
> What do you think?
>
> Best regards,
>
> Gordon
> ...

On Wed, Jan 29, 2020 at 12:41:30PM +0100, Wojciech Puchar wrote:
> ...
> fully agree. i do it manually every time i build new system to create
> tarfiles
> ....

For counterpoint, as well as a reminder of the "tools, not policy"
catchphrase, I disagree, as I believe that doing so would increase the
frequency of a need to escalate privilege merely to read (e.g.)
configuration information that is not particularly "secret."

For example, I have encountered systems where the administrator had
/etc/rc.conf not-world-readable; I was needing to obtain root privilege
way too often just to read the file... thus, for merely testing a new
rc.d script (in a mode where it would merely report what it would have
otherwise done). I submit that this does rather the opposite of
"enhancing" security.

I have no objection to providing a knob to adjust such a thing for a
local configuration, and folks who want it can select it, while those
who don't, need not do so.

Peace,
david
--
David H. Wolfskill david at catwhisker.org
"Now, with me, there's no lying." -- Donald J. Trump ["??!?" -- me]
See http://www.catwhisker.org/~david/publickey.gpg for my public key.