/ owned by bin causes sshd to complain bad ownership

Jason Hellenthal jhellenthal at dataix.net
Fri Jun 22 15:59:34 UTC 2012 


On Fri, Jun 22, 2012 at 03:43:47PM +0200, Julian H. Stacey wrote:
> Hi freebsd-security at freebsd.org
> On an 8.3-RELEASE running sshd, /var/log/auth.log 
> 	Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
> 		bad ownership or modes for directory /
> Until I did
> 	chown 0:0 /
> ( It was previously
> 	drwxr-xr-x  25 bin   bin       1024 Jun 20 19:53 ./
> )
> The chown is consistent with all of 8.3 /bin also being root & not bin,
> 
> BUT
> 
> Over use of Root seems Bad. 
> Our ownership scheme has degraded compared to early 1980s Unix, where
> 	most bin & lib files & dirs were owned by bin, except for
> 		- a few SUID bins that Needed root
> 		- occasional administrator droppings,
> 		  temporary accidental files that glared at the eyeball,
> 		  as root, cos near all else was just bin.
> 
> IMO very little in a system should be user root.
> 
> Apologies, but to guide replies :
> 	(after threads burnt by a troll on another list)
> 	I'd not appreciate replies just along the lines of
> 		 "It has to be to satisfy existing software". 
> 	I'd much rather receive replies along lines of 
> 		"What would be best ownership scheme, advantages &
> 		 disadvantages + should we change anything ?"
> 

What are you currently using this in that is the cause of the problem ?

Is this a jail, physical system, VM ...

It is not really clear why you would want to change the permissions of
root:wheel of / on any of these. root is the owner of the system ... it
is pretty much a standard if not already that root owns everything so I
am not really following why.

openssh in itself... I am glad it does this. If a system has been
compromised by changing owner:group of / then it denies access to the
whole system. This is a security benefit.

Security principles are well laid out and have not changed in a long
time. Vering away from those principles will cause a LOT of
administrative overhead as most software out there can expect a sane
environment if / is root:wheel


-- 

 - (2^(N-1))

More information about the freebsd-security mailing list