On Sat, 8 Mar 2003, dan radom wrote:

> * Wojciech Puchar (wojtek@tensor.3miasto.net) wrote:
> > >
> > chmod 700 /root
> > 
> > by default there's no security concern, there's no secret files in /root
> > by defaults, if you wan't to put them here, chmod
> 
> I realize there there is no security concern on a fresh install.  but
> having said that I think that with root's $HOME being 755 and root's
> umask being 022 it could lead to problems.  What reasons are there not to
> set more restrictive default permissions?
> 
> I'm not saying the current way is wrong.  I'm just wondering what others
> think about this.

You're preacing what I consider security by obscurity.
Instead of actually expecting root to know what he's doing, and really
keep track of his system, you start to just try to bolt everything down,
and think that means you got more security.

I'm not going to prevent you, or anyone else, from doing this, but I
prefer to keep home directories accessible (and I consider /root to be
just another home dir), and when root does sensitive stuff, I expect him
to take appropriate action.

I'm also one of those people who still consider finger a good thing to
have enabled, and it's one thing I always turn on. I also think it's a
good idea to be able to finger root, and find out what's in his .plan, if
he have one. If you chmod /root to 700, I cannot finger him and read his
.plan. (Just to give one example of a reason I personally don't want /root
to be 700)

	Johnny

Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt@update.uu.se           ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol