Just for reference, here is the original post in this thread,
which for some reason, I do not find in the reverse misc archive.
-------------------------------------------------------------------
OpenBSD security could be tightened up easily
 Date: 2006-02-05 08:09
 From: Dave Feustel <[EMAIL PROTECTED]>
 To: misc@
 
OpenBSD's handling of file permissions needs work.

Good security practice requires that root's default permission
set by umask should be 077. But setting root's umask to this
value breaks the package install mechanism since all files
installed by root with umask 077 are unavailable to users.

Also, all x11 and kde sockets are created with permissions up to and
including 777 that can be restricted with no loss of functionality. I now
routinely chmod all sockets in /tmp and $TMPDIR to 600 immediately
upon starting up kde and have seen no errors generated by this.

The problem with insecure [tp]ty allocation in kde is still not fixed
as far as I know, although I see a new kdelibs in errata.
(This problem occurs only in OpenBSD so far as I know.)

It might also be a good idea to run pf by default with the
rule "block all in" to prevent intruders taking advantage of undiagnosed
security problems in kde or x11.  ALL of my strange problems with kde 
have ceased since I started running pf with this rule.

Having said this, I would like to add that OpenBSD looks better
than ever to me now and I recommend it highly to people I talk to.
OpenBSD is the Rock upon which I build everything else.

Dave Feustel
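
The socket clean-up the post describes doing by hand for /tmp and $TMPDIR, as an added shell sketch that is not part of the original message. The function names and the optional file-type argument (which lets the logic be exercised on regular files) are assumptions; only entries owned by the invoking user are touched.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and the
# optional type argument are assumptions made for this sketch.

# Print entries of type $2 (default s = socket) under directory $1 that are
# owned by the invoking user and grant any permission bit to group or other.
# Only POSIX find primaries are used, so BSD and GNU find both accept it.
list_loose() {
    dir=$1
    type=${2:-s}
    find "$dir" -type "$type" -user "$(id -u)" \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# chmod every entry reported by list_loose to 600; print how many changed.
tighten() {
    list_loose "$1" "${2:-s}" | {
        count=0
        # One path per line; names containing newlines are not handled.
        while IFS= read -r path; do
            chmod 600 "$path" && count=$((count + 1))
        done
        echo "$count"
    }
}

# "audit" lists loose sockets in /tmp and $TMPDIR; "fix" tightens them.
main() {
    for d in /tmp "${TMPDIR:-/tmp}"; do
        case $1 in
            fix)   echo "$d: $(tighten "$d") socket(s) set to 600" ;;
            audit) list_loose "$d" ;;
            *)     echo "usage: $0 audit|fix" >&2; return 2 ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```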
