Re: Permissions on /root/

To: debian-security@lists.debian.org
Cc: Phil Barbier <pbarbier@rogers.com>
Subject: Re: Permissions on /root/
From: Birzan George Cristian <ymir@wolfheart.ro>
Date: Sat, 8 Mar 2003 17:58:55 +0200
Message-id: <[🔎] 20030308155855.GA14019@heimdall.wolfheart.ro>
Mail-followup-to: debian-security@lists.debian.org, Phil Barbier <pbarbier@rogers.com>
Reply-to: ymir@wolfheart.ro
In-reply-to: <[🔎] 20030308123753.GA26332@endymion.mirrorshades.net>
References: <[🔎] 20030308110213.GB11749@heimdall.wolfheart.ro> <[🔎] 20030308123753.GA26332@endymion.mirrorshades.net>

Sigh. I specifically said use the original CC: and reply to the list, not
reply to the list and CC:.

On Sat, Mar 08, 2003 at 07:37:53AM -0500, bda wrote:
> On Sat, Mar 08, 2003 at 01:02:13PM +0200, Birzan George Cristian wrote:
> > Back to the issue at hand, the default permissions on /root/, which, at
> > the moment, are 755. IMHO, this is a possible security problem and it
> > should be set to, at least, 750 (thus allowing users in the wheel group
> 
> There is no `wheel` group in a default Debian install. You're thinking
> BSD.
> 
> That being said, Darwin (OS X is the only BSD I have access to at the
> moment) does lock down /var/root to 750 root:wheel. I presume that
> FreeBSD (at least 4.0) does as well.

Sorry, I meant the root group, which is used as the wheel group. Can't
vouch for other nices since I never used any of them extensively. 

> > comparison between said average lusers' home dirs and /root/ isn't
> > appropriate since, again, you should only use root for administration
> 
> The FHS itself does not describe root's homedir as being anything but
> another home directory [1].
> 
> [1] http://www.pathname.com/fhs/2.2/fhs-3.13.html
> 
> It does recommend, however, that the account ONLY be used for systems
> administration purposes, which implies that /root falls under the
> purview of Systemspace. 
> 
> > least, the way I understand it) why the normal users' home dirs are 755.
> > Furthermore, I do believe the principle of least astonishment applies
> > here. I expect root's files, in root's home, to be readable _only_ by
> > root.
> 
> As a slight aside: As the FHS states, it's preferable to have all system
> mail and whatnot going to the appropriate, unpriv'd, user, rather than
> into a root mailbox.
> 
> Personally, I 700 /root because putting people in the root group is
> wrong. That's what sudo is for, after all. (This being a Linux distro,
> and not possessing the concept of wheel.) Muddying the distinction
> between Systemspace and Userspace only serves to make the system as a
> whole less secure and more of a pain in the butt to admin.

Read above, wheel is implemented, via PAM. What are these "Systemspace"
and "Userspace" you're talking about?

> > 750 /root/'". I think the answer is that Debian shouldn't be broken, by
> > default and rely on the system administrator to fix it.
> 
> We (or rather the maintainers/developers) would first need to agree that
> /root is something Special and not just another homedir.
> 
> I would personally agree with that assertation. 
> 
> It should be locked down and not touched by adduser ("Would You Like To
> Make All Homedirs World-Readable?").
root is not the regular user. Users need o+x on their home dirs for
Apache to be able to serve pages.

-- 
Regards,
Birzan George Cristian

Attachment: pgpM0R3_vGPdl.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Permissions on /root/
  - From: Thomas Sjögren <thomas@northernsecurity.net>

References:
- Permissions on /root/
  - From: Birzan George Cristian <ymir@wolfheart.ro>
- Re: Permissions on /root/
  - From: bda <bda@mirrorshades.net>

Prev by Date: [no subject]
Next by Date: Re: Permissions on /root/
Previous by thread: Re: Permissions on /root/
Next by thread: Re: Permissions on /root/
Index(es):
- Date
- Thread