More secure permissions for /root and /etc/sysctl.conf
Gary Jennejohn
gljennjohn at gmail.com
Wed Jan 29 10:36:41 UTC 2020
On Wed, 29 Jan 2020 11:25:00 +0100
Gary Jennejohn <gljennjohn at gmail.com> wrote:
> On Wed, 29 Jan 2020 10:53:25 +0100
> Gary Jennejohn <gljennjohn at gmail.com> wrote:
>
> > On Wed, 29 Jan 2020 10:26:31 +0100
> > Gordon Bergling via freebsd-hackers <freebsd-hackers at freebsd.org> wrote:
> >
> > > Hi,
> > >
> > > I recently stumbled upon the default world readable permissons of /root and
> > > /etc/sysctl.conf. I think that it would be more secure to reduce the default
> > > permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
> > >
> > > I prepared a differtial for the proposed change:
> > > https://reviews.freebsd.org/D23392
> > >
> > > What do you think?
> > >
> >
> > I think that changing the permissions on / would defeat the purpose of
> > /etc/devd.conf and then adding users to certain groups in /etc/group
> > to make devices usable without having to escalate to root rights.
> >
>
> I decided to actually test this case, since I thought I should back up
> my opinion with some facts.
>
> So, I did chmod 700 / and rebooted.
>
> I wasn't able to login as a normal user because an error was raised
> about not being able to find the root for audit (or similar wording).
>
> After changing root back to 755 and remounting /home I could log in.
>
> Your idea may work if all filesystems are in one big partition, I
> can't really say, but on my system /, /var, /usr and /home are
> separate partitions/disks.
>
Never mind. Gordon explained what he really meant. That's what I
get for not looking at the differential before responding.
Sorry for wasting bandwidth here.
--
Gary Jennejohn
More information about the freebsd-hackers
mailing list