[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /root/ drwxr-xr-x? possible solution?

At 10:16 AM 8/8/2002 -0600, Georg Lehner wrote:

El mié, 07-08-2002 a las 15:00, Loren Jordan escribió:

> The adduser package asks a question during the configuration phase of the
> install of that package.  It asks if you want "world readable" home

> I find it surprising that nobody has provided a patch to the specific part
> of the Debian install system to ask the question about root's directory and
> them make the required changes (chmod) if needed.

Well, YOU did not provide a patch, right? ;-)

Very true... I am happy to just do the chmod manually. If any of the maintainers for the effected packages respond back to my question, I might just whip up the patches. This is not something that I NEED, it's just a possible solution to keep the countless threads from popping up regarding this subject :)

> I personally chmod 700 /root on every one of my machines and don't worry
> about the default setting.  I would answer "NO" to the question asking if
> root's home directory should be world readable if that question were to be
> asked.

People tend to believe, that you won't ever put *any* file into /root,
because you *never* log into the root account to "do" tings.

I'm a little curious where root's custom home brew scripts should be put? I can't think of a good reason to make my own /usr/local/<something>. Many of my system maintenance scripts have private things in them like database passwords and such... Would root's ~/bin not be acceptable place for this type of stuff? The names and contents of these files are not necessary information for any user on the machine (if any) so why not put them in a root:root owned, 700 mode dir such as /root/ I can and do chmod 700/500 or 100 these files just for the fun of it. Is it needed? Does it help? That is up for debate, just not here...

You use the sysadmins, or any other account, and us "su" in the momento
you need root access.

What about the machines that have 0 "shell users", just the guy that keeps the box running? I use root for that so I don't need suid programs to run via cron to do automated system maintenance from a non-root user account. This keeps security simple as far as I am concerned. If I make these programs available to a user account (not root), I need to start messing with groups. The only reason to access these machines is to troubleshoot which almost always requires reading logs and I refuse to type sudo tail /var/log/<something> every time I need to see the log. I log in, look around, fix things and then exit. This is exactly where what you recommend "su" for.

Please don't think that I have a problem with you having an 'operator' account that you 'sudo' or 'su' from. That's a good idea if you many operators (more than 1) and want to keep track of who did what. In my situation, if somebody breaks the box, it was "ME" that did it so I slap my wrist and then fix the box.

The root account only exists, to give you a home when you go single user
and the like.

So starting to hide what should not be there means encouraging bad

Since when is having a directory only accessible by root a bad idea? It's not a good idea to make /etc/shadow world readable is it? I feel that it's ok to have the shadow file readable only by root and having /root/ only readable by root is ok too. They can/do? contain information that no user needs or even should NOT know.

However for "single-user" installations thinks are different then for
Servers on the Internet, and Debian should not restrict itself by en
elitee auto-perception of higly sofisticated unix administration.

Be careful with this assumption. I have several "single-user" machines that are servers on the internet. I use iptables to restrict ssh access to specific IP address blocks and have absolutely NO general user accounts. I ssh in as root, do what needs done and then log out. I don't mess around with things as these are production servers and I treat them as such. I have lots of accounts on my workstations and development servers. I do all sorts of things, including break things via user accounts as well as root on these machines because uptime is not important (for testing) and it causes no down time to any paying customers.

If there would be one more question with low priority in debconf, it'd
just be handy for a lot of users.  The default should be world-readable
root directories.

I agree that the default should world readable on /root/ My needs require me to change that. Any administrator must take steps to secure their servers against bad customers/users. This requires making decisions that quite often require changing default settings in anything they may install. This even goes for M$ Windoze systems too(wow!). All systems must be audited and secured before being put into production in a secure and reliable manner.

Throw it in, and send the patch to the maintainer!  If they don't like
it, you can set up your unofficial utility package on any server, so
people who like it can download it from there.

The day I "need" this or if the maintainer of the package(s) affected replies to me, I might just whip up the patch (as noted above).

Best Regards,


Have a great day and remember that I am not demanding my opinions are the only ones that don't stink... :)


To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: