Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 28 Jun 2013 01:47:51 +0200
From:      "Julian H. Stacey" <jhs@berklix.com>
To:        ASV <asv@inhio.eu>
Cc:        Polytropon <freebsd@edvax.de>, freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: A very 'trivial' question about /root 
Message-ID:  <201306272347.r5RNlpgG096631@fire.js.berklix.net>
In-Reply-To: Your message "Thu, 27 Jun 2013 21:39:20 +0200." <1372361960.6831.24.camel@blackfriar.inhio.eu> 

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi, Reference:
> From:		ASV <asv@inhio.eu> 
> Date:		Thu, 27 Jun 2013 21:39:20 +0200 

ASV wrote:
> Thanks for your reply Polytropon,
> 
> I'm using FreeBSD since few years already and I'm kind of aware of the
> "dynamics" related to permissions, many of them are common to many
> Unices.
> I agree that the installer doesn't put anything secret but as a home dir
> for the root user it's highly likely that something not intended to be
> publicly readable will end up there soon after the installation.
> Which IMHO it's true also for any other user homedir which gets created
> by default using a pretty relaxed umask 022, but that seems to be the
> default on probably any other UNIX like system I've put my hands on
> AFAIR. 
> 
> Don't get me wrong, since I use FreeBSD I'm just in love with it. Mine
> is just a concern about these permission defaults which look to me a bit
> too relaxed and cannot find yet a reason why not to restrict it.
> After all I believe having good default settings may make the difference
> in some circumstances and/or save time.
> 
> On Thu, 2013-06-27 at 04:58 +0200, Polytropon wrote:
> > On Wed, 26 Jun 2013 23:34:41 +0200, ASV wrote:
> > > There's any reason (and should be a fairly good one) why the /root
> > > directory permissions by default are set to 755 (for sure on releases
> > > 8.0/8.1/9.0/9.1)????
> > 
> > This is the default permission for user directories, as root
> > is considered a user in this (special) case, and /root is its
> > home directory. The installer does not put anything "secret"
> > in there, but _you_ might, so there should be no issue changing
> > it to a more restricted access permission.
> > 
> > Hint: When a directory is r-x for "other", then it will be
> > indexed by the locate periodic job, so users could use the
> > locate command (and also find) to look what's in there. If
> > this is not desired, change to rwx/---/---, or rwx/r-x/---
> > if you want to allow (trusted) users of the "wheel" group
> > to read and execute stuff from that directory (maybe homemade
> > admin scripts in /root/bin that should not be "public").
> > 
> > There are few things that touch /root content. System updating
> > might be one of them, but as it is typically run as root (and
> > even in SUM), restrictive permissions above the default are
> > no problem.
> > 
> > To summarize the answer for your question: It's just the default. :-)

I'll play Devil's advocate for a moment ;-)

  One reason not to tighten ~root is because one might want
  ~root/httpuserfile to be readable by httpd to access the crypted
  passwords of locked web page. ... ;-)

No not really, that's perverted, I wouldn't reccomend an
http://localhost/~root/ regardless of password locked pages or not.

But it shows how lateral head scratching might be
appropriate before removing read perms on ~root/ .

{ A bit like wrong ownership on / can surprisingly kill AMD NFS
access } ... some unexpected constraints can take some thinking
through, It might be quickest for a number of us to just try chmod
700 ~root for a while & see if we get trouble.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?201306272347.r5RNlpgG096631>