
Re: Permissions on /root/



Birzan George Cristian wrote:

> First of all, I'd like to say that, yes, I know this was discussed
> before, but no consensus was reached and the thread died. (Or at least,
> the one I found by doing a quick Google search)

No consensus was reached because none was possible.

> Back to the issue at hand, the default permissions on /root/, which, at
> the moment, are 755. IMHO, this is a possible security problem and it
> should be set to, at least, 750 (thus allowing users in the wheel group
> to access it). The reason behind this is simple, root is the system
> administrator account, it should not be used for anything but that.
> So, everything in /root/ is related strictly to the task of
> administering the machine, thus, off limits for the average luser.

But in the course of doing things that you have to do as root, when do
you need to create files in /root? Almost never. If you find that you
are using /root frequently, then I would guess that you are doing things
as root that need not be done as root. For example, someone else in this
thread says he uses /root as "temporary storage" for .debs, which
suggests that he is running as root when he manually downloads .debs
from non-apt-gettable sources. I would argue that he should download the
files in his ordinary user account, then use root only to install them.
In which case, obviously the files can't be in /root, because the
ordinary user account can't put them there.

> A comparison between said average lusers' home dirs and /root/ isn't
> appropriate since, again, you should only use root for administration
> tasks and not for sharing files and what not, which is (or at
> least, the way I understand it) why the normal users' home dirs are 755.

A comparison between /home/* and /root fails because root shouldn't
really be using his home directory for much of anything.

> Furthermore, I do believe the principle of least astonishment applies
> here. I expect root's files, in root's home, to be readable _only_ by
> root.

Your opinion. The issue matters so little that I find neither 700 nor
755 surprising.

If Debian were already setting /root to 700, that would be fine with me.
But 755 is also fine. I have no particular objections to either setting.
What I am responding to here is the attitude that there's something
wrong with 755, and the insistence that it be changed.

> Arguments against 750? A sysadmin should know what he's doing and chmod
> sensitive files so that nobody can read them. As a side note, while
> discussing this, somebody asked "what's stopping you from doing a 'chmod
> 750 /root/'". I think the answer is that Debian shouldn't be broken by
> default and rely on the system administrator to fix it.

It isn't broken, so that argument fails.

> That being said, should I file a bug against base-files?

No. It'll probably just get rejected anyway.

Craig
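
An added example, not part of Craig's message or the post he quotes: a shell check that lists which files under a directory are actually readable by users outside the owner and group, run against the three modes discussed in the thread (755, 750, 700). The temporary tree and its file names are constructed stand-ins for /root.

```shell
#!/bin/sh
# Added example: what can "other" users actually read under a directory?
# The directory mode alone does not decide this; each file's own mode and
# the o+x bit on every directory leading to it matter as well.

# Print regular files under $1 that "other" can read. A file is printed only
# if every directory from $1 down to it grants o+x and the file grants o+r.
exposed_files() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# Number of such files.
exposed_count() {
    exposed_files "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for /root (hypothetical file names).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/private"
    : > "$d/package.deb";  chmod 644 "$d/package.deb"   # world-readable file
    : > "$d/notes.txt";    chmod 600 "$d/notes.txt"     # owner-only file
    : > "$d/private/key";  chmod 644 "$d/private/key"   # shielded by its parent
    chmod 700 "$d/private"
    printf '%s\n' "$d"
}

# Report the exposure of the sample tree under each mode from the thread.
report() {
    d=$(make_sample) || return 1
    for mode in 755 750 700; do
        chmod "$mode" "$d"
        printf 'mode %s: %s file(s) readable by other\n' \
            "$mode" "$(exposed_count "$d")"
    done
    rm -rf "$d"
}

report
```

To audit a real system, run `exposed_files /root` as root; an empty result means nothing under it is readable by ordinary users, whatever the top-level mode.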
