Restrict default /root permissions

Remove world-readability from the root directory.  Sensitive information may be
stored in /root and we diverge here from normative administrative practice, as
well as installation defaults of other Unix-alikes.  The wheel group is still
permitted to read the directory.

750 is no more restrictive than defaults for the rest of the open source
Unix-alike world.  In particular, Ben Woods surveyed DragonFly, NetBSD,
OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu.  None have a
world-readable /root by default.

Submitted by:	Gordon Bergling <gbergling AT gmail.com>
Reviewed by:	ian, myself
Discussed with:	emaste (informal approval)
Relnotes:	sure?
Differential Revision:	https://reviews.freebsd.org/D23392
This commit is contained in:
cem 2020-06-04 16:04:19 +00:00
parent dd5a75d386
commit 425e52218c

View File

@ -117,7 +117,7 @@
..
rescue
..
root
root mode=0750
..
sbin
..