More secure permissions for /root and /etc/sysctl.conf
Steffen Nurpmeso
steffen at sdaoden.eu
Fri Jan 31 18:17:10 UTC 2020
Lars Engels wrote in <20200131161347.GA33086 at e.0x20.net>:
|On Fri, Jan 31, 2020 at 02:25:35AM -0800, Rodney W. Grimes wrote:
|>>>>> I don't see the point in making this change to sysctl.conf. sysctls
|>>>>> are readable by any user. Hiding the contents of sysctl.conf \
|>>>>> does not
|>>>>> prevent unprivileged users from seeing what values have been changed
|>>>>> from the defaults; it merely makes it more tedious.
|>>>> true. but /root should be root only readable
|>>>
|>>> Based on what? What security does this provide to what part of \
|>>> the system?
|>> based on common sense
|>
|> Who's common sense, as mine and some others say this is an unneeded
|> change with no technical merit.
|>
|> You have provided no technical reasons for your requested change,
|> yet others have presented technical reasons to not make it,
|> so to try and base a support position on "common sense" is kinda moot.
|>
|> We actually discussed this at dinner tonight and no one could come up
|> with a good reason to lock /root down in such a manner unless someone
|> was storing stuff in /root that should probably not really be stored
|> there. Ie, there is a bigger problem than chmod 750 /root is going to
|> fix.
|
|/root can store config files and shell history with confidential
|information.
Absolutely. My own /root is in fact shared in between many
systems, and many scripts from /etc/ reach into /root/$HOSTNAME/,
with some generics in /root/. Practically all of that is Linux
though. But it is very nice, since i can share very, very much,
and even the hostname= comes from kernel command line parameter,
and multiplexes to entirely different setups.
efibootmgr is cool, by the way.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
More information about the freebsd-hackers
mailing list