Re: /root/ drwxr-xr-x? possible solution?
At 10:16 AM 8/8/2002 -0600, Georg Lehner wrote:
> On Wed, 07-08-2002 at 15:00, Loren Jordan wrote:
> > The adduser package asks a question during the configuration phase of the
> > install of that package. It asks if you want "world readable" home
> > I find it surprising that nobody has provided a patch to the specific part
> > of the Debian install system to ask the question about root's directory
> > them make the required changes (chmod) if needed.
> Well, YOU did not provide a patch, right? ;-)
Very true... I am happy to just do the chmod manually. If any of the
maintainers for the affected packages respond back to my question, I might
just whip up the patches. This is not something that I NEED, it's just a
possible solution to keep the countless threads from popping up regarding
this subject :)
> > I personally chmod 700 /root on every one of my machines and don't worry
> > about the default setting. I would answer "NO" to the question asking if
> > root's home directory should be world readable if that question were to be
> People tend to believe that you won't ever put *any* file into /root,
> because you *never* log into the root account to "do" things.
I'm a little curious where root's custom home brew scripts should be
put? I can't think of a good reason to make my own
/usr/local/<something>. Many of my system maintenance scripts have private
things in them like database passwords and such... Would root's ~/bin not
be an acceptable place for this type of stuff? The names and contents of
these files are not necessary information for any user on the machine (if
any) so why not put them in a root:root owned, 700 mode dir such as
/root/? I can and do chmod 700/500 or 100 these files just for the fun of
it. Is it needed? Does it help? That is up for debate, just not here...
> You use the sysadmins, or any other account, and use "su" in the moment
> you need root access.
What about the machines that have 0 "shell users", just the guy that keeps
the box running? I use root for that so I don't need suid programs to run
via cron to do automated system maintenance from a non-root user
account. This keeps security simple as far as I am concerned. If I make
these programs available to a user account (not root), I need to start
messing with groups. The only reason to access these machines is to
troubleshoot which almost always requires reading logs and I refuse to type
sudo tail /var/log/<something> every time I need to see the log. I log in,
look around, fix things and then exit. This is exactly what you
recommend "su" for.
Please don't think that I have a problem with you having an 'operator'
account that you 'sudo' or 'su' from. That's a good idea if you have many
operators (more than 1) and want to keep track of who did what. In my
situation, if somebody breaks the box, it was "ME" that did it so I slap my
wrist and then fix the box.
> The root account only exists, to give you a home when you go single user
> and the like.
> So starting to hide what should not be there means encouraging bad
Since when is having a directory only accessible by root a bad idea? It's
not a good idea to make /etc/shadow world readable is it? I feel that it's
ok to have the shadow file readable only by root and having /root/ only
readable by root is ok too. They can/do? contain information that no user
needs or even should NOT know.
> However for "single-user" installations things are different than for
> Servers on the Internet, and Debian should not restrict itself by an
> elite auto-perception of highly sophisticated unix administration.
Be careful with this assumption. I have several "single-user" machines
that are servers on the internet. I use iptables to restrict ssh access to
specific IP address blocks and have absolutely NO general user accounts. I
ssh in as root, do what needs done and then log out. I don't mess around
with things as these are production servers and I treat them as such. I
have lots of accounts on my workstations and development servers. I do all
sorts of things, including break things via user accounts as well as root
on these machines because uptime is not important (for testing) and it
causes no down time to any paying customers.
> If there would be one more question with low priority in debconf, it'd
> just be handy for a lot of users. The default should be world-readable
I agree that the default should be world readable on /root/. My needs require
me to change that. Any administrator must take steps to secure their
servers against bad customers/users. This requires making decisions that
quite often require changing default settings in anything they may
install. This even goes for M$ Windoze systems too (wow!). All systems
must be audited and secured before being put into production in a secure
and reliable manner.
> Throw it in, and send the patch to the maintainer! If they don't like
> it, you can set up your unofficial utility package on any server, so
> people who like it can download it from there.
The day I "need" this or if the maintainer of the package(s) affected
replies to me, I might just whip up the patch (as noted above).
Have a great day and remember that I am not demanding my opinions are the
only ones that don't stink... :)
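
An added example, not part of the original post: a POSIX shell sketch of the check this thread is about, listing anything under an administrator's private directory (such as /root and a ~/bin holding scripts with embedded passwords) that group or other can access, then restricting it to the owner. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a private admin directory (e.g. /root) for
# group/other access, then restrict it to the owner.

# Print every entry under DIR that grants any bit to group or other.
# Symlinks are skipped: their own mode bits are not enforced.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries (0 means owner-only throughout).
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Drop all group/other bits below DIR; owner bits are left untouched,
# so a 755 script becomes 700 and a 644 file becomes 600.
harden_dir() {
    chmod -R go-rwx "$1"
}

# Constructed sample tree standing in for /root with a ~/bin script
# that embeds a credential, as described in the thread.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    printf '#!/bin/sh\nDB_PASSWORD=constructed-sample\n' > "$d/bin/backup-db"
    chmod 755 "$d" "$d/bin" "$d/bin/backup-db"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh DIR  -> report only; sh audit.sh DIR --fix -> tighten
if [ $# -ge 1 ]; then
    list_exposed "$1"
    if [ "${2:-}" = "--fix" ]; then harden_dir "$1"; fi
fi
```

Run without `--fix` first to see what a world-readable default exposes before changing any modes.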