More secure permissions for /root and /etc/sysctl.conf

Wed Jan 29 15:51:30 UTC 2020

On January 29, 2020 4:04:34 AM PST, David Wolfskill <david at catwhisker.org> wrote:
>On Wed, Jan 29, 2020 at 10:26:31AM +0100, Gordon Bergling via
>freebsd-hackers wrote:
>> Hi,
>> 
>> I recently stumbled upon the default world readable permissons of
>/root and 
>> /etc/sysctl.conf. I think that it would be more secure to reduce the
>default
>> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>> 
>> I prepared a differtial for the proposed change:
>> https://reviews.freebsd.org/D23392
>> 
>> What do you think?
>> 
>> Best regards,
>> 
>> Gordon
>> ...
>
>On Wed, Jan 29, 2020 at 12:41:30PM +0100, Wojciech Puchar wrote:
>> ...
>> fully agree. i do it manually every time i build new system to create
>> tarfiles
>> ....
>
>For counterpoint, as well as a reminder of the "tools, not policy"
>catchphrase, I disagree, as I believe that doing so would increase the
>frequency of a need to escalate privilege merely to read (e.g.)
>configuration information that is not particularly "secret."
>
>For example, I have encountered systems where the administrator had
>/etc/rc.conf not-world-readable; I was needing to obtain root privilege
>way too often just to read the file... thus, for merely testing a new
>rc.d script (in a mode where it would merely report what it would have
>otherwise done).  I submit that this does rather the opposite of
>"enhancing" security.
>
>I have no objection to providing a knob to adjust such a thing for a
>local configuration, and folks who want it can select it, while those
>who don't, need not do so.
>
>Peace,
>david

The CIS  benchmark doesn't specify /root or home directory permissions however it does say umask must be 027 or better for all users.

IMO reviewing the CIS benchmark would be the first place to start.

-- 
Pardon the typos and autocorrect, small keyboard in use. 
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.