On Fri, Jun 22, 2012 at 03:43:47PM +0200, Julian H. Stacey wrote:
> Hi freebsd-security@freebsd.org
> On an 8.3-RELEASE running sshd, /var/log/auth.log
> Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
> bad ownership or modes for directory /
> Until I did
> chown 0:0 /
> ( It was previously
> drwxr-xr-x 25 bin bin 1024 Jun 20 19:53 ./
> )
> The chown is consistent with all of 8.3 /bin also being root & not bin,
>
> BUT
>
> Overuse of Root seems Bad.
> Our ownership scheme has degraded compared to early 1980s Unix, where
> most bin & lib files & dirs were owned by bin, except for
> - a few SUID bins that Needed root
> - occasional administrator droppings,
> temporary accidental files that glared at the eyeball,
> as root, cos near all else was just bin.
>
> IMO very little in a system should be user root.
>
> Apologies, but to guide replies :
> (after threads burnt by a troll on another list)
> I'd not appreciate replies just along the lines of
> "It has to be to satisfy existing software".
> I'd much rather receive replies along lines of
> "What would be best ownership scheme, advantages &
> disadvantages + should we change anything ?"
>
What are you currently using this in that is the cause of the problem? Is this a jail, physical system, VM ...

It is not really clear why you would want to change the permissions of root:wheel of / on any of these. root is the owner of the system ... it is pretty much a standard if not already that root owns everything, so I am not really following why.

openssh in itself... I am glad it does this. If a system has been compromised by changing owner:group of /, then it denies access to the whole system. This is a security benefit.

Security principles are well laid out and have not changed in a long time. Veering away from those principles will cause a LOT of administrative overhead, as most software out there can expect a sane environment if / is root:wheel.

--
- (2^(N-1))
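The log line Julian quoted comes from sshd's StrictModes check: before trusting an authorized_keys file, sshd requires the file and every directory above it (stopping once it has checked the user's home directory, or / if the home directory is never reached) to be owned by root or by the user and to have no group or world write bits. The shell function below is an added example written for this thread, not code from OpenSSH or from either poster; it emulates that walk so an administrator can find the offending component before sshd refuses the login. It assumes `ls -ldn` (numeric ids, available on FreeBSD and Linux), paths without spaces, and a home directory given without a trailing slash; the function name `check_key_path` is my own.

```shell
#!/bin/sh
# Added example: emulate sshd's StrictModes ownership/mode walk.
#
# check_key_path UID HOMEDIR FILE
#   FILE and every directory above it, up to and including HOMEDIR
#   (or / if HOMEDIR is never reached), must be owned by uid 0 or UID and
#   must not be group- or world-writable (mode & 022 == 0).
#   Prints one line per offending path; returns 1 if anything was flagged.
check_key_path() {
    uid="$1"
    homedir="$2"
    path="$3"
    rc=0
    while :; do
        # ls -ldn prints numeric ids on both FreeBSD and Linux, e.g.
        # "drwxr-xr-x 25 0 0 1024 Jun 20 19:53 /"
        if ! line=$(ls -ldn "$path" 2>/dev/null); then
            echo "cannot stat $path"
            return 1
        fi
        # Split the ls line: field 1 is the mode string, field 3 the owner uid.
        set -- $line
        mode="$1"
        owner="$3"
        if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
            echo "bad ownership for $path: uid $owner (want 0 or $uid)"
            rc=1
        fi
        # Characters 6 and 9 of the mode string are group-write and other-write.
        if [ "$(printf '%s' "$mode" | cut -c6)" = w ] || \
           [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
            echo "bad modes for $path: $mode"
            rc=1
        fi
        # sshd stops after checking the home directory itself, or at /.
        if [ "$path" = "$homedir" ] || [ "$path" = / ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $rc
}

# When run as a script with three arguments, check that path, e.g.
#   sh check_key_path.sh "$(id -u)" "$HOME" "$HOME/.ssh/authorized_keys"
if [ $# -eq 3 ]; then
    check_key_path "$@"
fi
```

Because the walk stops at the home directory, a sticky, world-writable /tmp above a test tree is never inspected; a home directory that is itself group-writable (775) is flagged, which is the common cause of this refusal on shared systems. A root-owned / as in the original report passes, and / owned by uid `bin` fails, exactly as Julian observed.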