More secure permissions for /root and /etc/sysctl.conf
Gordon Bergling
gbergling at googlemail.com
Wed Jan 29 10:29:49 UTC 2020
Gary,
no, you are mistaken here. Not / it is /root the home folder of the system administrator.
# chmod 700 /root
That is not /.
Gordon
> Am 29.01.2020 um 11:25 schrieb Gary Jennejohn <gljennjohn at gmail.com>:
>
> On Wed, 29 Jan 2020 10:53:25 +0100
> Gary Jennejohn <gljennjohn at gmail.com <mailto:gljennjohn at gmail.com>> wrote:
>
>> On Wed, 29 Jan 2020 10:26:31 +0100
>> Gordon Bergling via freebsd-hackers <freebsd-hackers at freebsd.org> wrote:
>>
>>> Hi,
>>>
>>> I recently stumbled upon the default world readable permissons of /root and
>>> /etc/sysctl.conf. I think that it would be more secure to reduce the default
>>> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>>>
>>> I prepared a differtial for the proposed change:
>>> https://reviews.freebsd.org/D23392
>>>
>>> What do you think?
>>>
>>
>> I think that changing the permissions on / would defeat the purpose of
>> /etc/devd.conf and then adding users to certain groups in /etc/group
>> to make devices usable without having to escalate to root rights.
>>
>
> I decided to actually test this case, since I thought I should back up
> my opinion with some facts.
>
> So, I did chmod 700 / and rebooted.
>
> I wasn't able to login as a normal user because an error was raised
> about not being able to find the root for audit (or similar wording).
>
> After changing root back to 755 and remounting /home I could log in.
>
> Your idea may work if all filesystems are in one big partition, I
> can't really say, but on my system /, /var, /usr and /home are
> separate partitions/disks.
>
> --
> Gary Jennejohn
More information about the freebsd-hackers
mailing list