On 2015/07/23 14:47, Theo Buehler wrote:
> Since doas.conf is a `dangerous file', it seems to make sense to monitor
> it daily(8). I don't know the policy on permissions in the /etc/mtree/*
> files. Anything between 0400 and 0644 would seem to make sense.
> /etc/sudoers used to have 0440. I suggest 0640 so that root can edit
> the file (since there is no equivalent of visudo(8)) and members of
> wheel can still read the policy as before.
> Index: etc/mtree/special > =================================================================== > RCS file: /cvs/src/etc/mtree/special,v > retrieving revision 1.113 > diff -u -p -r1.113 special > --- etc/mtree/special 3 Jul 2015 22:05:53 -0000 1.113 > +++ etc/mtree/special 23 Jul 2015 11:02:27 -0000 > @@ -22,6 +22,7 @@ csh.logout type=file mode=0644 uname=roo > daily type=file mode=0644 uname=root gname=wheel > daily.local type=file mode=0644 uname=root gname=wheel optional > dhcpd.conf type=file mode=0644 uname=root gname=wheel optional > +doas.conf type=file mode=0640 uname=root gname=wheel optional > dvmrpd.conf type=file mode=0600 uname=root gname=wheel optional > exports type=file mode=0644 uname=root gname=wheel optional > fbtab type=file mode=0644 uname=root gname=wheel 640 sounds sane. OK with me, we should also do this: Index: changelist =================================================================== RCS file: /cvs/src/etc/changelist,v retrieving revision 1.106 diff -u -p -r1.106 changelist --- changelist 7 Jul 2015 14:13:01 -0000 1.106 +++ changelist 23 Jul 2015 14:38:06 -0000 @@ -26,6 +26,7 @@ /etc/dhcpd.conf /etc/disktab /etc/distfile +/etc/doas.conf /etc/dvmrpd.conf /etc/ethers /etc/exports
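Review bot: in the etc/mtree/special hunk, the new doas.conf entry pins mode=0640 although the accompanying mail says anything between 0400 and 0644 would make sense, so a stricter local choice such as 0600 would show up as a mismatch against this spec. State the expected mode and the root/wheel ownership in the commit message or in doas.conf(5) so administrators create the file to match.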
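Review bot: in the changelist hunk, /etc/doas.conf is added as a plain entry, so changes to it are reported as content diffs in the security(8) mail, while the mtree hunk restricts the file itself to root and wheel with mode=0640. If the policy is meant to stay unreadable to others, consider the checksum-only form described in changelist(5) (the path prefixed with a + character in the file itself); otherwise note in the commit message that mailing the diff is intended.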
