freebsd-skq/etc/mtree/BSD.root.dist
cem 425e52218c Restrict default /root permissions
Remove world-readability from the root directory.  Sensitive information may be
stored in /root and we diverge here from normative administrative practice, as
well as installation defaults of other Unix-alikes.  The wheel group is still
permitted to read the directory.

750 is no more restrictive than defaults for the rest of the open source
Unix-alike world.  In particular, Ben Woods surveyed DragonFly, NetBSD,
OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu.  None have a
world-readable /root by default.

Submitted by:	Gordon Bergling <gbergling AT gmail.com>
Reviewed by:	ian, myself
Discussed with:	emaste (informal approval)
Relnotes:	sure?
Differential Revision:	https://reviews.freebsd.org/D23392
2020-06-04 16:04:19 +00:00

131 lines
1.8 KiB
Plaintext

# $FreeBSD$
#
# Please see the file src/etc/mtree/README before making changes to this file.
#
/set type=dir uname=root gname=wheel mode=0755
.
bin
..
boot
defaults
..
dtb
allwinner tags=package=runtime
..
overlays tags=package=runtime
..
rockchip tags=package=runtime
..
..
efi
..
firmware
..
lua
..
kernel
..
modules
..
uboot
..
zfs
..
..
dev mode=0555
..
etc
X11
..
authpf
..
autofs
..
bluetooth
..
cron.d
..
defaults
..
devd
..
dma
..
gss
..
kyua
..
mail
..
mtree
..
newsyslog.conf.d
..
ntp mode=0700
..
pam.d
..
periodic
daily
..
monthly
..
security
..
weekly
..
..
pkg
..
ppp
..
rc.conf.d
..
rc.d
..
security
..
ssh
..
ssl
..
syslog.d
..
zfs
..
..
lib
casper
..
geom
..
nvmecontrol
..
..
libexec
resolvconf
..
..
media
..
mnt
..
net
..
proc mode=0555
..
rescue
..
root mode=0750
..
sbin
..
tmp mode=01777
..
usr
..
var
..
..