From owner-freebsd-questions@FreeBSD.ORG Fri Jun 28 08:10:12 2013 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id D181F28E for ; Fri, 28 Jun 2013 08:10:12 +0000 (UTC) (envelope-from asv@inhio.eu) Received: from cz-prg-mx-01.inhio.eu (mail.inhio.eu [178.238.36.226]) by mx1.freebsd.org (Postfix) with ESMTP id CE0271AC9 for ; Fri, 28 Jun 2013 08:10:11 +0000 (UTC) Received: from [10.0.0.59] (unknown [84.242.85.251]) by cz-prg-mx-01.inhio.eu (Postfix) with ESMTPSA id 27AC831442; Fri, 28 Jun 2013 08:10:03 +0000 (UTC) Subject: Re: A very 'trivial' question about /root From: ASV To: "Julian H. Stacey" In-Reply-To: <201306272347.r5RNlpgG096631@fire.js.berklix.net> References: <201306272347.r5RNlpgG096631@fire.js.berklix.net> Content-Type: text/plain; charset="us-ascii" Date: Fri, 28 Jun 2013 10:10:02 +0200 Message-ID: <1372407002.6831.34.camel@blackfriar.inhio.eu> Mime-Version: 1.0 X-Mailer: Evolution 2.32.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Cc: Polytropon , freebsd-questions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jun 2013 08:10:13 -0000 Hi Julian, you played Devil's advocate well actually as I don't know which idea would be more audacious, letting httpd access files from your root dir or exporting /root via nfs. :) Both of them sound more like a lab scenario than a real one. I understand that launching a "chmod 700 /root" it's a matter of something between 1 and 3 seconds. I do also understand that I had /root closed for long time and never had the need to set permissions back loose and this triggered my point. Why is it that open? :) On Fri, 2013-06-28 at 01:47 +0200, Julian H. Stacey wrote: > Hi, Reference: > > From: ASV > > Date: Thu, 27 Jun 2013 21:39:20 +0200 > > ASV wrote: > > Thanks for your reply Polytropon, > > > > I'm using FreeBSD since few years already and I'm kind of aware of the > > "dynamics" related to permissions, many of them are common to many > > Unices. > > I agree that the installer doesn't put anything secret but as a home dir > > for the root user it's highly likely that something not intended to be > > publicly readable will end up there soon after the installation. > > Which IMHO it's true also for any other user homedir which gets created > > by default using a pretty relaxed umask 022, but that seems to be the > > default on probably any other UNIX like system I've put my hands on > > AFAIR. > > > > Don't get me wrong, since I use FreeBSD I'm just in love with it. Mine > > is just a concern about these permission defaults which look to me a bit > > too relaxed and cannot find yet a reason why not to restrict it. > > After all I believe having good default settings may make the difference > > in some circumstances and/or save time. > > > > On Thu, 2013-06-27 at 04:58 +0200, Polytropon wrote: > > > On Wed, 26 Jun 2013 23:34:41 +0200, ASV wrote: > > > > There's any reason (and should be a fairly good one) why the /root > > > > directory permissions by default are set to 755 (for sure on releases > > > > 8.0/8.1/9.0/9.1)???? > > > > > > This is the default permission for user directories, as root > > > is considered a user in this (special) case, and /root is its > > > home directory. The installer does not put anything "secret" > > > in there, but _you_ might, so there should be no issue changing > > > it to a more restricted access permission. > > > > > > Hint: When a directory is r-x for "other", then it will be > > > indexed by the locate periodic job, so users could use the > > > locate command (and also find) to look what's in there. If > > > this is not desired, change to rwx/---/---, or rwx/r-x/--- > > > if you want to allow (trusted) users of the "wheel" group > > > to read and execute stuff from that directory (maybe homemade > > > admin scripts in /root/bin that should not be "public"). > > > > > > There are few things that touch /root content. System updating > > > might be one of them, but as it is typically run as root (and > > > even in SUM), restrictive permissions above the default are > > > no problem. > > > > > > To summarize the answer for your question: It's just the default. :-) > > I'll play Devil's advocate for a moment ;-) > > One reason not to tighten ~root is because one might want > ~root/httpuserfile to be readable by httpd to access the crypted > passwords of locked web page. ... ;-) > > No not really, that's perverted, I wouldn't reccomend an > http://localhost/~root/ regardless of password locked pages or not. > > But it shows how lateral head scratching might be > appropriate before removing read perms on ~root/ . > > { A bit like wrong ownership on / can surprisingly kill AMD NFS > access } ... some unexpected constraints can take some thinking > through, It might be quickest for a number of us to just try chmod > 700 ~root for a while & see if we get trouble. > > Cheers, > Julian