
Re: Permissions on /root/



On Sat, Mar 08, 2003 at 01:02:13PM +0200, Birzan George Cristian wrote:
> Back to the issue at hand, the default permissions on /root/, which, at
> the moment, are 755. IMHO, this is a possible security problem and it
> should be set to, at least, 750 (thus allowing users in the wheel group

There is no `wheel` group in a default Debian install. You're thinking
BSD.

That being said, Darwin (OS X is the only BSD I have access to at the
moment) does lock down /var/root to 750 root:wheel. I presume that
FreeBSD (at least 4.0) does as well.

> comparison between said average lusers' home dirs and /root/ isn't
> appropriate since, again, you should only use root for administration

The FHS itself does not describe root's homedir as being anything but
another home directory [1].

[1] http://www.pathname.com/fhs/2.2/fhs-3.13.html

It does recommend, however, that the account ONLY be used for systems
administration purposes, which implies that /root falls under the
purview of Systemspace. 

> least, the way I understand it) why the normal users' home dirs are 755.
> Furthermore, I do believe the principle of least astonishment applies
> here. I expect root's files, in root's home, to be readable _only_ by
> root.

As a slight aside: As the FHS states, it's preferable to have all system
mail and whatnot going to the appropriate, unpriv'd, user, rather than
into a root mailbox.

Personally, I 700 /root because putting people in the root group is
wrong. That's what sudo is for, after all. (This being a Linux distro,
and not possessing the concept of wheel.) Muddying the distinction
between Systemspace and Userspace only serves to make the system as a
whole less secure and more of a pain in the butt to admin.

> 750 /root/'". I think the answer is that Debian shouldn't be broken, by
> default and rely on the system administrator to fix it.

We (or rather the maintainers/developers) would first need to agree that
/root is something Special and not just another homedir.

I would personally agree with that assertion.

It should be locked down and not touched by adduser ("Would You Like To
Make All Homedirs World-Readable?").
-- 
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org
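
An added example, not part of the original message: a shell check that classifies a directory's mode against the 755, 750 and 700 settings debated in this thread and, when the directory is open to its group, lists that group's members. The function names are illustrative, and GNU `stat` and `getent` are assumed, as on Debian.

```shell
#!/bin/sh
# Added example: audit a home directory against the 755 / 750 / 700 options.
# Assumes GNU stat and getent (Debian); function names are illustrative.

# classify_mode MODE -> prints "world", "group" or "owner"
classify_mode() {
    perm=$(( 0$1 ))                     # interpret the mode string as octal
    if [ $(( perm & 07 )) -ne 0 ]; then
        echo world                      # e.g. 755: every local user has access
    elif [ $(( perm & 070 )) -ne 0 ]; then
        echo group                      # e.g. 750: members of the owning group
    else
        echo owner                      # e.g. 700: the owner alone
    fi
}

# audit_home [DIR] -> one-line report; returns 0 only for owner-only access,
# 1 for group or world access, 2 if the directory cannot be examined.
audit_home() {
    dir=${1:-/root}
    mode=$(stat -c '%a' "$dir") || return 2
    grp=$(stat -c '%G' "$dir")
    case $(classify_mode "$mode") in
        world)
            echo "$dir: mode $mode, accessible to all users"
            return 1 ;;
        group)
            # Field 4 lists supplementary members only; accounts whose
            # primary group is $grp do not appear here.
            members=$(getent group "$grp" | cut -d: -f4)
            echo "$dir: mode $mode, open to group $grp (members: ${members:-none listed})"
            return 1 ;;
        owner)
            echo "$dir: mode $mode, owner only"
            return 0 ;;
    esac
}

# Typical use, run as root:  audit_home /root
```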


