On Sat, Mar 08, 2003 at 01:02:13PM +0200, Birzan George Cristian wrote:
> Back to the issue at hand, the default permissions on /root/, which, at
> the moment, are 755. IMHO, this is a possible security problem and it
> should be set to, at least, 750 (thus allowing users in the wheel group
There is no `wheel` group in a default Debian install. You're thinking
BSD. That being said, Darwin (OS X is the only BSD I have access to at
the moment) does lock down /var/root to 750 root:wheel. I presume that
FreeBSD (at least 4.0) does as well.

> comparison between said average lusers' home dirs and /root/ isn't
> appropriate since, again, you should only use root for administration

The FHS itself does not describe root's homedir as being anything but
another home directory [1].

[1] http://www.pathname.com/fhs/2.2/fhs-3.13.html

It does recommend, however, that the account ONLY be used for systems
administration purposes, which implies that /root falls under the purview
of Systemspace.

> least, the way I understand it) why the normal users' home dirs are 755.
> Furthermore, I do believe the principle of least astonishment applies
> here. I expect root's files, in root's home, to be readable _only_ by
> root.

As a slight aside: As the FHS states, it's preferable to have all system
mail and whatnot going to the appropriate, unpriv'd, user, rather than
into a root mailbox.

Personally, I 700 /root because putting people in the root group is wrong.
That's what sudo is for, after all. (This being a Linux distro, and not
possessing the concept of wheel.) Muddying the distinction between
Systemspace and Userspace only serves to make the system as a whole less
secure and more of a pain in the butt to admin.

> 750 /root/'". I think the answer is that Debian shouldn't be broken, by
> default and rely on the system administrator to fix it.

We (or rather the maintainers/developers) would first need to agree that
/root is something Special and not just another homedir. I would
personally agree with that assertion. It should be locked down and not
touched by adduser ("Would You Like To Make All Homedirs World-Readable?").

-- 
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org
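Since the whole thread turns on whether /root ships as 755, 750 or 700, here is an added shell example (not from the mail, and not Debian's adduser code) that audits the mode of /root and of each directory under /home, classifies each by what the group and other classes can get at, and locks a directory down to 700 the way the poster says he does by hand. The function names (`dir_mode`, `perm_class`, `audit_dirs`, `lock_down`) are chosen here; the default path list /root and /home/* is an assumption about a typical Debian layout.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit home directory modes
# and lock one down to 700 as the poster does by hand with chmod.

# Print the octal mode of a path (GNU stat on Linux; BSD stat as fallback).
dir_mode() {
    stat -c %a -- "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Classify an octal mode by what the group and other classes are granted.
# Only the low three digits are inspected, so a setgid/sticky prefix such
# as the "2" in 2755 is ignored.
#   700 -> private, 750 -> group-accessible, 755 -> world-accessible
perm_class() {
    low=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')
    group=$(printf '%s' "$low" | cut -c2)
    other=$(printf '%s' "$low" | cut -c3)
    if [ "$other" -ne 0 ]; then
        echo world-accessible
    elif [ "$group" -ne 0 ]; then
        echo group-accessible
    else
        echo private
    fi
}

# Report "path mode class" for each argument that is an existing directory.
audit_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        m=$(dir_mode "$d") || continue
        printf '%s %s %s\n' "$d" "$m" "$(perm_class "$m")"
    done
}

# Make a directory private to its owner (the poster's "I 700 /root").
lock_down() {
    chmod 700 "$1"
}

# Audit the paths given on the command line, or /root and /home/* by default.
if [ $# -gt 0 ]; then
    audit_dirs "$@"
else
    audit_dirs /root /home/*
fi
```

Run it as root to see every home directory; a line ending in world-accessible for /root is the case the poster objects to, and `lock_down /root` applies his fix. The mode adduser gives new home directories is controlled by DIR_MODE in /etc/adduser.conf; this script only reports and does not touch that file.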