> On Wed, Jul 31, 2002 at 11:39:02PM +0200, Peter Palfrader wrote:
> > On Wed, 31 Jul 2002, Thomas -Balu- Walter wrote:
> >
> > > # ls -lad /root/
> > > drwxr-xr-x 9 root root 4096 Jul 31 18:25 /root/
> > >
> > > I wonder if /root/ shouldn't be accessible by root only per default? But
> > > in which package can I find this one? Should I make a bug-report or do
> > > you think this is normal? (It might be some kind of SuSE-remembrance
> > > from earlier days ;)
> >
> > This is not the first time this comes up.
> >
> > short version: /root 755 is no security risk and it won't get changed
> > either. If you want, set it to 0700 on your box.
> > long version: search the list archives (both -user and -devel will have
> > some hits I guess).
> >
>
> IMHO at least it should be noticed somewhere in the installation or
> something. Specially when it used to be 750 and there may be sensible
> data there.
>
> Regards.
>
Root files, IMHO, should never be publicly listed. Since anything root does should be viewed as important and a security risk (making people very careful in what they do), it makes sense that the files root has, in general, will also be of high priority, important, and a security risk.

In addition, I see absolutely no advantage in letting the public see the contents of root's account. I am sure nearly every high usage or publicly accessible server has already got /root set to 700 or something similar for the above reasons. It follows through that in most cases there is absolutely no reason to let the public see the contents of /root/ (as mentioned above).

Since I believe in security, and since making /root 700 or similar does not take away any functionality, I see no reason why it cannot be changed to the default setting. Does it not make sense to ship Debian with as much safety and security as possible, especially when it does not reduce or limit functionality?

Sincerely,
Jason
http://www.zentek-international.com/