In message <202006041604.054g4kab098...@repo.freebsd.org>, Conrad Meyer writes:
> Author: cem
> Date: Thu Jun 4 16:04:19 2020
> New Revision: 361791
> URL: https://svnweb.freebsd.org/changeset/base/361791
>
> Log:
>   Restrict default /root permissions
>
>   Remove world-readability from the root directory. Sensitive information may be
>   stored in /root and we diverge here from normative administrative practice, as
>   well as installation defaults of other Unix-alikes. The wheel group is still
>   permitted to read the directory.
>
>   750 is no more restrictive than defaults for the rest of the open source
>   Unix-alike world. In particular, Ben Woods surveyed DragonFly, NetBSD,
>   OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu. None have a
>   world-readable /root by default.
>
>   Submitted by: Gordon Bergling <gbergling AT gmail.com>
>   Reviewed by: ian, myself
>   Discussed with: emaste (informal approval)
>   Relnotes: sure?
>   Differential Revision: https://reviews.freebsd.org/D23392
>
> Modified:
>   head/etc/mtree/BSD.root.dist
>
> Modified: head/etc/mtree/BSD.root.dist
> ==============================================================================
> --- head/etc/mtree/BSD.root.dist Thu Jun 4 14:44:44 2020 (r36179 > 0) > +++ head/etc/mtree/BSD.root.dist Thu Jun 4 16:04:19 2020 (r36179 > 1) > @@ -117,7 +117,7 @@ > .. > rescue > .. > - root > + root mode=0750 > .. > sbin > .. >
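
Review bot: the `root mode=0750` entry in the `@@ -117,7 +117,7 @@` hunk sets only the mode, so the group that keeps read and search access is whatever the defaults earlier in BSD.root.dist assign, and those lines are outside this hunk. The log message depends on that group being wheel, so confirm it against the file's defaults or state it on the entry itself, for example `root mode=0750 gname=wheel`, so that a later change to the defaults cannot silently widen access to /root.
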
Recent CIS benchmarks recommend 0700.

--
Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org
NTP: <c...@nwtime.org> Web: https://nwtime.org

The need of the many outweighs the greed of the few.