Date: Wed, 18 Apr 2001 21:04:25 +0200 From: Gerhard Sittig <Gerhard.Sittig@gmx.net> To: freebsd-security@freebsd.org Subject: Re: /root and users home dir permissions Message-ID: <20010418210425.S20830@speedy.gsinet> In-Reply-To: <20010418173927.A64529@icon.icon.bg>; from v0rbiz@icon.bg on Wed, Apr 18, 2001 at 05:39:27PM %2B0300 References: <20010418173927.A64529@icon.icon.bg>
On Wed, Apr 18, 2001 at 17:39 +0300, Victor Ivanov wrote:
>
> I noticed /root is installed with mode=0755 (and updated every
> time by installworld). It's the root home directory... some
> admins (like me) are using it for keeping sensitive data away
> from regular users. Shouldn't it be mode=0700 in
> /etc/mtree/BSD.root.dist?

a+rx on /root only means that this very directory can be listed and entered by anybody. There might be valid reasons for doing this (dotfiles to derive from? config files in copied form which are of general interest? although I don't think root should have a public_html tree. But definitely some people feel that /root should be 0755 -- otherwise the mtree config file would look different:).

What keeps you from putting sensitive data into a directory one level deeper? It's basically what you do as a regular user, too. You simply keep the secret stuff away while still allowing access to the public and non-sensitive stuff.

> Also, when adding new users their home directories should be
> protected the same way. Am I wrong?

Yes. :) I've just been through it after moving to another server. People don't like getting stopped from looking at others' config skeletons and public data. And everyone quickly went to open up their $HOME.

Maybe 711 would be more appropriate. Those who know where they want to go or which file they want to look at are free to do so (assuming the subdir or file is executable / readable). While those with no direction cannot list the content and look out for what could be of interest.

But I'm afraid any configuration (completely closed, completely open, as well as between) will have opponents ...

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
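The three settings discussed in this thread (0755, 0711, 0700 on a home directory) differ in what "others" can list versus what they can reach if they already know a path. The following script is an added example, not code from the thread or from FreeBSD: it builds a constructed home directory in a temporary location (a world-readable `.profile`, a 0700 `secret/` subdirectory with a 0600 key file, and a 0755 `public_html/` with a 0644 page), applies each candidate mode to the top-level directory, and reports which files a user in the "other" class could read by traversing down. The reachability rule it implements is the standard one: every directory on the path must grant `o+x`, and the file itself must grant `o+r`. All file names and modes are constructed sample values.

```python
#!/usr/bin/env python3
"""Added example: what can 'others' reach below a home directory?

The demo tree is constructed here and does not come from any real system:
  $HOME/.profile                0644
  $HOME/secret/                 0700   (keys.txt inside is 0600)
  $HOME/public_html/            0755   (index.html inside is 0644)
"""
import os
import shutil
import stat
import tempfile


def classify_dir_mode(mode: int) -> str:
    """Describe the 'other' class's view of a directory from its mode bits.

    'listable'      o+r set  (0755-style: anyone can ls the directory)
    'traverse-only' o+x only (0711-style: entry by known name, no listing)
    'closed'        neither  (0700-style: nothing below is reachable)
    """
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IROTH:
        return "listable"
    if perm & stat.S_IXOTH:
        return "traverse-only"
    return "closed"


def world_reachable_files(home: str) -> list:
    """Return paths (relative to home) of regular files that 'others' can read.

    A file counts only if every directory from home down to it grants o+x
    and the file itself grants o+r; a 0644 file inside a 0700 subdirectory
    is therefore not reported, which is the 'one level deeper' point.
    """
    exposed = []
    for dirpath, dirnames, filenames in os.walk(home):
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []  # others cannot traverse here; prune the subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, home))
    return sorted(exposed)


def build_demo_home(root: str, home_mode: int) -> str:
    """Create the constructed sample tree under root with the given home mode."""
    home = os.path.join(root, "home")
    os.makedirs(os.path.join(home, "secret"))
    os.makedirs(os.path.join(home, "public_html"))
    layout = {  # constructed sample files and their modes
        ".profile": 0o644,
        "secret/keys.txt": 0o600,
        "public_html/index.html": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(home, "secret"), 0o700)
    os.chmod(os.path.join(home, "public_html"), 0o755)
    os.chmod(home, home_mode)
    return home


def demo(home_mode: int):
    """Build the sample tree with home_mode and return (classification, exposed)."""
    root = tempfile.mkdtemp(prefix="homeperm-")
    try:
        home = build_demo_home(root, home_mode)
        return classify_dir_mode(os.lstat(home).st_mode), world_reachable_files(home)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for mode in (0o755, 0o711, 0o700):
        cls, exposed = demo(mode)
        print(f"home mode {mode:04o}: {cls:13s} exposed={exposed}")
```

Run it as any unprivileged user; the decision is made purely from the mode bits returned by `lstat`, so the result does not depend on who runs it. Note that 0711 and 0755 expose exactly the same files to someone who already knows the names; 0711 only removes the ability to browse, which is the trade-off the message describes.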