Sigh. I specifically said use the original CC: and reply to the list, not reply to the list and CC:. On Sat, Mar 08, 2003 at 07:37:53AM -0500, bda wrote: > On Sat, Mar 08, 2003 at 01:02:13PM +0200, Birzan George Cristian wrote: > > Back to the issue at hand, the default permissions on /root/, which, at > > the moment, are 755. IMHO, this is a possible security problem and it > > should be set to, at least, 750 (thus allowing users in the wheel group > > There is no `wheel` group in a default Debian install. You're thinking > BSD. > > That being said, Darwin (OS X is the only BSD I have access to at the > moment) does lock down /var/root to 750 root:wheel. I presume that > FreeBSD (at least 4.0) does as well. Sorry, I meant the root group, which is used as the wheel group. Can't vouch for other nices since I never used any of them extensively. > > comparison between said average lusers' home dirs and /root/ isn't > > appropriate since, again, you should only use root for administration > > The FHS itself does not describe root's homedir as being anything but > another home directory [1]. > > [1] http://www.pathname.com/fhs/2.2/fhs-3.13.html > > It does recommend, however, that the account ONLY be used for systems > administration purposes, which implies that /root falls under the > purview of Systemspace. > > > least, the way I understand it) why the normal users' home dirs are 755. > > Furthermore, I do believe the principle of least astonishment applies > > here. I expect root's files, in root's home, to be readable _only_ by > > root. > > As a slight aside: As the FHS states, it's preferable to have all system > mail and whatnot going to the appropriate, unpriv'd, user, rather than > into a root mailbox. > > Personally, I 700 /root because putting people in the root group is > wrong. That's what sudo is for, after all. (This being a Linux distro, > and not possessing the concept of wheel.) Muddying the distinction > between Systemspace and Userspace only serves to make the system as a > whole less secure and more of a pain in the butt to admin. Read above, wheel is implemented, via PAM. What are these "Systemspace" and "Userspace" you're talking about? > > 750 /root/'". I think the answer is that Debian shouldn't be broken, by > > default and rely on the system administrator to fix it. > > We (or rather the maintainers/developers) would first need to agree that > /root is something Special and not just another homedir. > > I would personally agree with that assertation. > > It should be locked down and not touched by adduser ("Would You Like To > Make All Homedirs World-Readable?"). root is not the regular user. Users need o+x on their home dirs for Apache to be able to serve pages. -- Regards, Birzan George Cristian
Attachment:
pgpM0R3_vGPdl.pgp
Description: PGP signature