More secure permissions for /root and /etc/sysctl.conf
Gary Jennejohn
gljennjohn at gmail.com
Wed Jan 29 10:25:03 UTC 2020
On Wed, 29 Jan 2020 10:53:25 +0100
Gary Jennejohn <gljennjohn at gmail.com> wrote:
> On Wed, 29 Jan 2020 10:26:31 +0100
> Gordon Bergling via freebsd-hackers <freebsd-hackers at freebsd.org> wrote:
>
> > Hi,
> >
> > I recently stumbled upon the default world readable permissons of /root and
> > /etc/sysctl.conf. I think that it would be more secure to reduce the default
> > permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
> >
> > I prepared a differtial for the proposed change:
> > https://reviews.freebsd.org/D23392
> >
> > What do you think?
> >
>
> I think that changing the permissions on / would defeat the purpose of
> /etc/devd.conf and then adding users to certain groups in /etc/group
> to make devices usable without having to escalate to root rights.
>
I decided to actually test this case, since I thought I should back up
my opinion with some facts.
So, I did chmod 700 / and rebooted.
I wasn't able to login as a normal user because an error was raised
about not being able to find the root for audit (or similar wording).
After changing root back to 755 and remounting /home I could log in.
Your idea may work if all filesystems are in one big partition, I
can't really say, but on my system /, /var, /usr and /home are
separate partitions/disks.
--
Gary Jennejohn
More information about the freebsd-hackers
mailing list