Re: Fwd: Question about a recent installation

2008-05-07 Thread Lowell Gilbert
"Norman Maurer" <[EMAIL PROTECTED]> writes:

> -- Forwarded message --
> From: Norman Maurer <[EMAIL PROTECTED]>
> Date: 2008/5/7
> Subject: Re: Question about a recent installation
> To: Mario Vazquez <[EMAIL PROTECTED]>
>
>
> 2008/5/6 Mario Vazquez <[EMAIL PROTECTED]>:
>
> > On May 5, 2008, at 6:17 PM, doug wrote:
> >
> > > To give limited privileges I think sudo (as in linux??) would be
> > > used.
> >
> > I concur that sudo is really a very good way of managing privileges.
> > I don't even know the root passwords on the systems that I administer
> > (OK, I do have them stored in a nice secured place if I ever do need
> > them).
> >
> > Cheers,
> >
> > -j
> >
> > --
> >
> > In fact, I use sudo for managing too.  My question is not about
> > sudo itself, it's about the possible risks (if any) of having a
> > default installation (FreeBSD7-RELEASE) which assigns ownership of the
> > root folder to root:wheel, thus allowing anyone with wheel privileges
> > to be able to see (and copy btw) root folder contents.
>
> I still do not get the point. If the files are created, the default is a
> umask of 022 anyway. So if you want to protect your files in the root
> folder from being accessed, use umask 066 and maybe chmod 700 /root.

Perhaps more to the point of the question, there is nothing in /root
on a default system which has any need of being kept secret.  

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Fwd: Question about a recent installation

2008-05-07 Thread Norman Maurer
-- Forwarded message --
From: Norman Maurer <[EMAIL PROTECTED]>
Date: 2008/5/7
Subject: Re: Question about a recent installation
To: Mario Vazquez <[EMAIL PROTECTED]>


2008/5/6 Mario Vazquez <[EMAIL PROTECTED]>:

> On May 5, 2008, at 6:17 PM, doug wrote:
>
> > To give limited privileges I think sudo (as in linux??) would be
> > used.
>
> I concur that sudo is really a very good way of managing privileges.
> I don't even know the root passwords on the systems that I administer
> (OK, I do have them stored in a nice secured place if I ever do need
> them).
>
> Cheers,
>
> -j
>
> --
>
> In fact, I use sudo for managing too.  My question is not about
> sudo itself, it's about the possible risks (if any) of having a
> default installation (FreeBSD7-RELEASE) which assigns ownership of the
> root folder to root:wheel, thus allowing anyone with wheel privileges
> to be able to see (and copy btw) root folder contents.

I still do not get the point. If the files are created, the default is a
umask of 022 anyway. So if you want to protect your files in the root
folder from being accessed, use umask 066 and maybe chmod 700 /root.

 Cheers
 Norman


Re: Question about a recent installation

2008-05-06 Thread Mario Vazquez

On May 5, 2008, at 6:17 PM, doug wrote:
 
> To give limited privileges I think sudo (as in linux??) would be
> used.
 
I concur that sudo is really a very good way of managing privileges.   
I don't even know the root passwords on the systems that I administer  
(OK, I do have them stored in a nice secured place if I ever do need  
them).
 
Cheers,
 
-j


--

In fact, I use sudo for managing too.  My question is not about sudo itself, 
it's about the possible risks (if any) of having a default installation 
(FreeBSD7-RELEASE) which assigns ownership of the root folder to root:wheel, 
thus allowing anyone with wheel privileges to be able to see (and copy btw) root
folder contents.



RE: Question about a recent installation

2008-05-06 Thread doug



On Mon, 5 May 2008, Mario Vazquez wrote:



I have been using different Linux distributions for some years, and decided to
give FreeBSD a try.  The install was successful, but have a question about how
the root account is made.  Found that the root folder was created with the
user/group privileges root:wheel.  Is not that a kind of security risk?  I
know that usually only the account used by the administrator is the one, in
addition to root, that belongs to the wheel group.  But also I know that
sometimes admins get lazy and give for limited time extra privileges just to
allow someone to do something, and that's where the danger can come.  Btw,
that's just my opinion.
_


To give limited privileges I think sudo (as in linux??) would be used.
If that does not provide enough security then kerberos could be used.

In general I don't see how your main concern is unique to FreeBSD.

DougD



yeah, sudo is.  I don't have any issue in terms of functionality.  But the 
doubt I have is if having the root folder created with ownership root:wheel 
can become a security issue or not.  Also would like to know if there is no 
problem changing my root folder ownership to root:root (which will require a 
root group btw).


Please do not top post.

There is no reason for a root group. I think best practice is to have each admin 
keep their data in their accounts which are either allocated as name:wheel or 
they are defined as being in the wheel group. I do not know if sudo requires 
wheel membership.


I do not understand the need for a root group. I think security liabilities from 
having a wheel group have long been worked out. What do you see as a problem? Is 
BSD different from linux in this regard? Perhaps the latter question is an
off-list topic.



_
Douglas Denault
http://www.safeport.com
[EMAIL PROTECTED]
Voice: 301-469-8766
  Fax: 301-469-0601


Re: Question about a recent installation

2008-05-05 Thread Jonathan McKeown
On Tuesday 06 May 2008 00:08, Mario Vazquez wrote:
> I have been using different Linux distributions for some years, and decided
> to give FreeBSD a try.  The install was successful, but have a question
> about how the root account is made.  Found that the root folder was created
> with the user/group privileges root:wheel.  Is not that a kind of security
> risk?  I know that usually only the account used by the administrator is
> the one, in addition to root, that belongs to the wheel group.  But also I
> know that sometimes admins get lazy and give for limited time extra
> privileges just to allow someone to do something, and that's where the
> danger can come.  Btw, that's just my opinion.

Not sure why it would be a security risk. wheel is the group for people who 
are allowed to su to root, so you should probably expect members of group 
wheel to have (or be able to get) root privs anyway.

I'm not sure whether by ``root folder'' you mean / or /root , but in either 
case the wheel group doesn't have write access, at least on my system, and
root's umask is 022, so created files aren't writable by members of wheel 
either.

Lazy admins, of course, are a security risk. No-one should ever be given more 
privileges than they need, and as others have pointed out, sudo is a good 
answer to this problem. (In fact the first four ports that go on every box I 
set up, before I even think about what the box is for, are www/lynx, 
sysutils/screen, ports-mgmt/portupgrade and security/sudo ).

Jonathan
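The permission settings discussed in this thread (root's umask of 022, the suggested umask 066, and chmod 700 /root), as an added example that is not from any poster: it builds a scratch stand-in for /root and reports which files the group and other mode bits leave readable. The scratch path, notes.txt, the function names and the 755 directory mode are assumptions made for the illustration; the group bits apply to whichever group owns the directory, which is wheel in the case asked about.

```shell
#!/bin/sh
# Added example: inspects a scratch stand-in for /root, never the real one.
# The scratch path and notes.txt are constructed for the demonstration.

# mode_of PATH: symbolic mode string such as "drwxr-xr-x" (same on BSD and GNU ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_home UMASK DIRMODE: create the scratch directory, write one file under
# UMASK, then set the directory to DIRMODE. Prints the directory path.
make_home() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/roothome.XXXXXX") || return 1
    ( umask "$1"; : > "$d/notes.txt" )
    chmod "$2" "$d"
    echo "$d"
}

# audit DIR: print entries that group or other can read. If DIR itself grants
# neither group nor other the search (x) bit, nothing below it is reachable,
# so nothing is reported.
audit() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -010 -o -perm -001 \))" ] || return 0
    find "$1" -mindepth 1 \( -perm -040 -o -perm -004 \) | sort
}

# umask 022, umask 066 and mode 700 come from the thread; 755 is an assumed
# directory mode that lets group and other list and enter the directory.
for combo in "022 755" "066 755" "022 700"; do
    set -- $combo
    h=$(make_home "$1" "$2")
    printf 'umask %s, dir %s: %s %s exposed=%s\n' "$1" "$2" \
        "$(mode_of "$h")" "$(mode_of "$h/notes.txt")" \
        "$(audit "$h" | wc -l | tr -d ' ')"
    rm -rf "$h"
done
```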


Re: Question about a recent installation

2008-05-05 Thread Jeffrey Goldberg

On May 5, 2008, at 6:17 PM, doug wrote:

> To give limited privileges I think sudo (as in linux??) would be
> used.


I concur that sudo is really a very good way of managing privileges.   
I don't even know the root passwords on the systems that I administer  
(OK, I do have them stored in a nice secured place if I ever do need  
them).


Cheers,

-j




Re: Question about a recent installation

2008-05-05 Thread doug

On Mon, 5 May 2008, Mario Vazquez wrote:



I have been using different Linux distributions for some years, and decided to 
give FreeBSD a try.  The install was successful, but have a question about how 
the root account is made.  Found that the root folder was created with the 
user/group privileges root:wheel.  Is not that a kind of security risk?  I 
know that usually only the account used by the administrator is the one, in 
addition to root, that belongs to the wheel group.  But also I know that 
sometimes admins get lazy and give for limited time extra privileges just to 
allow someone to do something, and that's where the danger can come.  Btw, 
that's just my opinion.

_


To give limited privileges I think sudo (as in linux??) would be used.
If that does not provide enough security then kerberos could be used.


In general I don't see how your main concern is unique to FreeBSD.

DougD


Question about a recent installation

2008-05-05 Thread Mario Vazquez

I have been using different Linux distributions for some years, and decided to 
give FreeBSD a try.  The install was successful, but have a question about how 
the root account is made.  Found that the root folder was created with the 
user/group privileges root:wheel.  Is not that a kind of security risk?  I know 
that usually only the account used by the administrator is the one, in addition 
to root, that belongs to the wheel group.  But also I know that sometimes 
admins get lazy and give for limited time extra privileges just to allow 
someone to do something, and that's where the danger can come.  Btw, that's 
just my opinion.