svn commit: r361791 - head/etc/mtree
Cy Schubert
Cy.Schubert at cschubert.com
Thu Jun 4 16:19:42 UTC 2020
In message <202006041604.054G4KAb098395 at repo.freebsd.org>, Conrad Meyer
writes:
> Author: cem
> Date: Thu Jun 4 16:04:19 2020
> New Revision: 361791
> URL: https://svnweb.freebsd.org/changeset/base/361791
>
> Log:
> Restrict default /root permissions
>
> Remove world-readability from the root directory. Sensitive information may be
> stored in /root and we diverge here from normative administrative practice, as
> well as installation defaults of other Unix-alikes. The wheel group is still
> permitted to read the directory.
>
> 750 is no more restrictive than defaults for the rest of the open source
> Unix-alike world. In particular, Ben Woods surveyed DragonFly, NetBSD,
> OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu. None have a
> world-readable /root by default.
>
> Submitted by: Gordon Bergling <gbergling AT gmail.com>
> Reviewed by: ian, myself
> Discussed with: emaste (informal approval)
> Relnotes: sure?
> Differential Revision: https://reviews.freebsd.org/D23392
>
> Modified:
> head/etc/mtree/BSD.root.dist
>
> Modified: head/etc/mtree/BSD.root.dist
> =============================================================================
> =
> --- head/etc/mtree/BSD.root.dist Thu Jun 4 14:44:44 2020 (r36179
> 0)
> +++ head/etc/mtree/BSD.root.dist Thu Jun 4 16:04:19 2020 (r36179
> 1)
> @@ -117,7 +117,7 @@
> ..
> rescue
> ..
> - root
> + root mode=0750
> ..
> sbin
> ..
>
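Review bot: the new `root mode=0750` entry sets only the mode, so which group the read and search bits apply to depends on the uname/gname inherited from a /set line that lies outside this hunk. The log message relies on that group being wheel; confirm the inherited default, or state it on the entry itself (for example `root mode=0750 gname=wheel`) so the restriction does not change silently if the file-wide defaults are edited later. The log also leaves Relnotes as "sure?"; since this alters a default directory permission, a release-notes entry seems warranted.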
Recent CIS benchmarks recommend 0700.
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
The need of the many outweighs the greed of the few.