Package: base-files
Version: 5
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch

Hello!

One question that both the Ubuntu Security Team and the Server Team
have fielded many times is "why is /root not mode 700?"  It seems that
many server admins expect this directory to be private.  While the fix
for them is easy, it might be nice to make this change by default.
It doesn't seem like anything in the FHS or the base-files package
history discusses the privacy of /root, so I couldn't find any reasons
to not suggest this change.

I'd like to propose that /root be shipped with mode 700 for new installs.  What
are your thoughts?

Thanks,

-Kees

-- 
Kees Cook                                            @debian.org
diff -Nru base-files-5~/debian/700-dirs base-files-5/debian/700-dirs
--- base-files-5~/debian/700-dirs	1969-12-31 16:00:00.000000000 -0800
+++ base-files-5/debian/700-dirs	2009-02-10 13:55:42.000000000 -0800
@@ -0,0 +1 @@
+root
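Review bot: the single entry "root" in the new debian/700-dirs arrives without documentation. The patch has no debian/changelog entry, and the "for new installs" scope given in the mail is not recorded anywhere in the packaging. Suggest adding a changelog line that records the mode change and states what is expected to happen to an existing /root on upgrade, so admins who depend on the current mode can find the reason for the change.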
diff -Nru base-files-5~/debian/rules base-files-5/debian/rules
--- base-files-5~/debian/rules	2008-12-23 10:53:36.000000000 -0800
+++ base-files-5/debian/rules	2009-02-10 13:55:31.000000000 -0800
@@ -67,6 +67,7 @@
 	cd debian/tmp && chmod 755  `find . -type d`
 	cd debian/tmp && chmod 1777 `cat ../1777-dirs`
 	cd debian/tmp && chmod 2775 `cat ../2775-dirs`
+	cd debian/tmp && chmod 700 `cat ../700-dirs`
 	dpkg-gencontrol -pbase-files -isp
 	dpkg --build debian/tmp ..
 
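Review bot: on the added line chmod 700 `cat ../700-dirs`, the command substitution is unquoted and unchecked, so an empty 700-dirs leaves chmod without an operand and fails the build, and any entry containing whitespace is split. This matches the 1777 and 2775 lines above it, so either accept it for consistency or move all three to a form such as xargs -r chmod 700 < ../700-dirs. The line also only works because it runs after the blanket chmod 755 on every directory; a one-line comment in debian/rules saying the order matters would keep a later reorder from silently returning /root to 755.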
