From a35bc248fd6cfc2ebb0c6f836591637e58c2a860 Mon Sep 17 00:00:00 2001 From: Conrad Meyer Date: Thu, 4 Jun 2020 16:04:19 +0000 Subject: [PATCH] Restrict default /root permissions Remove world-readability from the root directory. Sensitive information may be stored in /root and we diverge here from normative administrative practice, as well as installation defaults of other Unix-alikes. The wheel group is still permitted to read the directory. 750 is no more restrictive than defaults for the rest of the open source Unix-alike world. In particular, Ben Woods surveyed DragonFly, NetBSD, OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu. None have a world-readable /root by default. Submitted by: Gordon Bergling Reviewed by: ian, myself Discussed with: emaste (informal approval) Relnotes: sure? Differential Revision: https://reviews.freebsd.org/D23392 --- etc/mtree/BSD.root.dist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist index a8ff6e8e85d5..f93d36a9128d 100644 --- a/etc/mtree/BSD.root.dist +++ b/etc/mtree/BSD.root.dist @@ -117,7 +117,7 @@ .. rescue .. - root + root mode=0750 .. sbin ..
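Review bot: The new `root mode=0750` entry in etc/mtree/BSD.root.dist sets only the mode, so the commit message's statement that the wheel group can still read the directory depends on the owner and group defaults inherited from earlier in the file, which are outside the context shown in this hunk. Please confirm the effective group for this entry is wheel, or state it explicitly on the entry so the intent does not depend on a default set elsewhere. The `Relnotes: sure?` trailer should also be made definite: this changes a default permission, and anything running as a non-root, non-wheel user that reads files under /root will lose access, so a firm release-notes entry is warranted.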