More secure permissions for /root and /etc/sysctl.conf
Gordon Bergling
gbergling at googlemail.com
Sat Feb 1 11:43:27 UTC 2020
Hi Rodney,
first, thanks for all the input I received from various people. I updated the differential and backed out the changes to /etc/sysctl.conf. I wasn’t aware that sysctl can be invoked from anybody.
In the corrected differential [1] I changed the permission for /root to 0750 in the hope that this could be integrated into FreeBSD. I know that people shouldn’t store sensitive information in /root but I have seen it to often in the past.
Best regards,
Gordon
[1] https://reviews.freebsd.org/D23392 <https://reviews.freebsd.org/D23392>
> Am 31.01.2020 um 11:25 schrieb Rodney W. Grimes <freebsd-rwg at gndrsh.dnsmgr.net>:
>
>>>>> I don't see the point in making this change to sysctl.conf. sysctls
>>>>> are readable by any user. Hiding the contents of sysctl.conf does not
>>>>> prevent unprivileged users from seeing what values have been changed
>>>>> from the defaults; it merely makes it more tedious.
>>>> true. but /root should be root only readable
>>>
>>> Based on what? What security does this provide to what part of the system?
>> based on common sense
>
> Who's common sense, as mine and some others say this is an unneeded
> change with no technical merit.
>
> You have provided no technical reasons for your requested change,
> yet others have presented technical reasons to not make it,
> so to try and base a support position on "common sense" is kinda moot.
>
> We actually discussed this at dinner tonight and no one could come up
> with a good reason to lock /root down in such a manner unless someone
> was storing stuff in /root that should probably not really be stored
> there. Ie, there is a bigger problem than chmod 750 /root is going to
> fix.
>
>
> --
> Rod Grimes rgrimes at freebsd.org
More information about the freebsd-hackers
mailing list