More secure permissions for /root and /etc/sysctl.conf

Gary Jennejohn gljennjohn at gmail.com
Wed Jan 29 10:25:03 UTC 2020


On Wed, 29 Jan 2020 10:53:25 +0100
Gary Jennejohn <gljennjohn at gmail.com> wrote:

> On Wed, 29 Jan 2020 10:26:31 +0100
> Gordon Bergling via freebsd-hackers <freebsd-hackers at freebsd.org> wrote:
> 
> > Hi,
> > 
> > I recently stumbled upon the default world readable permissons of /root and 
> > /etc/sysctl.conf. I think that it would be more secure to reduce the default
> > permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
> > 
> > I prepared a differtial for the proposed change:
> > https://reviews.freebsd.org/D23392
> > 
> > What do you think?
> >   
> 
> I think that changing the permissions on / would defeat the purpose of
> /etc/devd.conf and then adding users to certain groups in /etc/group
> to make devices usable without having to escalate to root rights.
> 

I decided to actually test this case, since I thought I should back up
my opinion with some facts.

So, I did chmod 700 / and rebooted.

I wasn't able to login as a normal user because an error was raised
about not being able to find the root for audit (or similar wording).

After changing root back to 755 and remounting /home I could log in.

Your idea may work if all filesystems are in one big partition, I
can't really say, but on my system /, /var, /usr and /home are
separate partitions/disks.

-- 
Gary Jennejohn


More information about the freebsd-hackers mailing list