Julian H. Stacey
2012-Jun-22 13:44 UTC
/ owned by bin causes sshd to complain bad ownership
Hi freebsd-security@freebsd.org

On an 8.3-RELEASE running sshd, /var/log/auth.log
	Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
	bad ownership or modes for directory /
Until I did
	chown 0:0 /
( It was previously
	drwxr-xr-x  25 bin  bin  1024 Jun 20 19:53 ./
)
The chown is consistent with all of 8.3 /bin also being root & not bin,

BUT

Overuse of Root seems Bad.
Our ownership scheme has degraded compared to early 1980s Unix, where
most bin & lib files & dirs were owned by bin, except for
  - a few SUID bins that Needed root
  - occasional administrator droppings,
    temporary accidental files that glared at the eyeball,
    as root, cos near all else was just bin.

IMO very little in a system should be user root.

Apologies, but to guide replies :
(after threads burnt by a troll on another list)
I'd not appreciate replies just along the lines of
  "It has to be to satisfy existing software".
I'd much rather receive replies along lines of
  "What would be best ownership scheme, advantages &
   disadvantages + should we change anything ?"

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 Mail from @yahoo dumped @berklix.  http://berklix.org/yahoo/
Jason Hellenthal
2012-Jun-22 15:59 UTC
/ owned by bin causes sshd to complain bad ownership
On Fri, Jun 22, 2012 at 03:43:47PM +0200, Julian H. Stacey wrote:
> Hi freebsd-security@freebsd.org
>
> On an 8.3-RELEASE running sshd, /var/log/auth.log
> 	Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
> 	bad ownership or modes for directory /
> Until I did
> 	chown 0:0 /
> ( It was previously
> 	drwxr-xr-x  25 bin  bin  1024 Jun 20 19:53 ./
> )
> The chown is consistent with all of 8.3 /bin also being root & not bin,
>
> BUT
>
> Overuse of Root seems Bad.
> Our ownership scheme has degraded compared to early 1980s Unix, where
> most bin & lib files & dirs were owned by bin, except for
>   - a few SUID bins that Needed root
>   - occasional administrator droppings,
>     temporary accidental files that glared at the eyeball,
>     as root, cos near all else was just bin.
>
> IMO very little in a system should be user root.
>
> Apologies, but to guide replies :
> (after threads burnt by a troll on another list)
> I'd not appreciate replies just along the lines of
>   "It has to be to satisfy existing software".
> I'd much rather receive replies along lines of
>   "What would be best ownership scheme, advantages &
>    disadvantages + should we change anything ?"
>

What are you currently using this in that is the cause of the problem ?
Is this a jail, physical system, VM ...

It is not really clear why you would want to change the permissions of
root:wheel of / on any of these. root is the owner of the system ... it is
pretty much a standard, if not already, that root owns everything, so I am
not really following why.

openssh in itself... I am glad it does this. If a system has been
compromised by changing owner:group of / then it denies access to the whole
system. This is a security benefit.

Security principles are well laid out and have not changed in a long time.
Veering away from those principles will cause a LOT of administrative
overhead, as most software out there can expect a sane environment if / is
root:wheel.

--
 - (2^(N-1))
Dag-Erling Smørgrav
2012-Jun-22 17:38 UTC
/ owned by bin causes sshd to complain bad ownership
"Julian H. Stacey" <jhs@berklix.com> writes:
> On an 8.3-RELEASE running sshd, /var/log/auth.log
> 	Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
> 	bad ownership or modes for directory /

sshd requires that the user's authorized_keys, the directory it's in
(~/.ssh) and all its ancestor directories be owned by either the user or
root.

> Until I did
> 	chown 0:0 /
> ( It was previously
> 	drwxr-xr-x  25 bin  bin  1024 Jun 20 19:53 ./
> )

I don't see why / should be owned by bin; bin is intended for system
binaries and libraries, i.e. {,/usr}/{bin,sbin,lib,libexec}, except those
that need to be setuid or setgid. The directories themselves should
probably still be owned by root:wheel.

DES
--
Dag-Erling Smørgrav - des@des.no
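DES's reply describes the ownership and mode walk that sshd applies (under StrictModes) before it will trust an authorized_keys file. The POSIX sh function below is an added example, written for this page and not OpenSSH code or anything posted in the thread, that reproduces the same walk so an administrator can run the test locally instead of waiting for "Authentication refused" in auth.log. The rules it implements are the ones behind the message Julian saw: the file and every directory above it must be owned by the user or by uid 0, and none may be group- or world-writable (mode & 022 must be zero). OpenSSH's secure_filename() stops the walk at the user's home directory when the file lies beneath it and otherwise continues up to /, which is how Julian's message came to name / itself; the optional HOMEDIR argument models that. The function and helper names, and the two-branch stat wrapper for GNU versus BSD stat, are this example's own choices.

```shell
#!/bin/sh
# Added example (not OpenSSH code): re-implement the ownership/mode walk that
# produces "bad ownership or modes for directory ..." in sshd's auth log.
# Rules, as sshd applies them to authorized_keys under StrictModes:
#   - the file and each directory above it must be owned by the user or root,
#   - none of them may be group- or world-writable (mode & 022 == 0).

# Print "<uid> <octal mode>" for a path. Tries GNU stat (Linux) first and
# falls back to BSD stat (FreeBSD, macOS). Both forms are real stat(1) syntax.
stat_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Op' "$1"
}

# secure_path_check FILE UID [HOMEDIR]
# Walk from FILE upwards, checking each component. The walk stops after
# checking HOMEDIR when given (sshd stops at the user's home directory when
# the key file is inside it), otherwise it continues up to /.
# Returns 0 if every component is acceptable, 1 on the first bad component
# (printed in sshd's wording), 2 if a component cannot be stat'ed.
# Simplification: symlinks are not resolved; sshd canonicalises with realpath().
secure_path_check() {
    path=$1
    uid=$2
    homedir=${3:-}
    # Make the path absolute so the walk terminates at "/".
    case $path in /*) ;; *) path="$(pwd)/$path" ;; esac
    kind=file
    while :; do
        info=$(stat_uid_mode "$path") || return 2
        set -- $info
        owner=$1
        mode=$2
        # Ownership: the user or root, nobody else. This is the test that
        # rejected "/" while it was owned by bin (uid 3 on FreeBSD).
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            printf 'bad ownership or modes for %s %s (owner uid %s)\n' \
                "$kind" "$path" "$owner"
            return 1
        fi
        # Modes: a leading 0 makes the shell read the value as octal;
        # 022 is group-write | other-write.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'bad ownership or modes for %s %s (mode %s)\n' \
                "$kind" "$path" "$mode"
            return 1
        fi
        [ "$path" = "/" ] && return 0
        [ -n "$homedir" ] && [ "$path" = "$homedir" ] && return 0
        path=$(dirname "$path")
        kind=directory
    done
}

# Usage (uncomment to check your own key file the way sshd will):
# secure_path_check "$HOME/.ssh/authorized_keys" "$(id -u)" "$HOME"
```

Run it with an empty third argument to see the full walk up to /, which is the situation in Julian's log: any world-writable directory on the way, such as a /tmp with mode 1777, fails the same 022 test that a bin-owned / fails on ownership, so an authorized_keys file outside the home directory tree is much harder to keep acceptable to sshd.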
On 2012-06-22 15:43, Julian H. Stacey wrote:
> Hi freebsd-security@freebsd.org
>
> On an 8.3-RELEASE running sshd, /var/log/auth.log
> 	Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
> 	bad ownership or modes for directory /
> Until I did
> 	chown 0:0 /
> ( It was previously
> 	drwxr-xr-x  25 bin  bin  1024 Jun 20 19:53 ./
> )
> The chown is consistent with all of 8.3 /bin also being root & not bin,
>
> BUT
>
> Overuse of Root seems Bad.
> Our ownership scheme has degraded compared to early 1980s Unix, where
> most bin & lib files & dirs were owned by bin, except for
>   - a few SUID bins that Needed root
>   - occasional administrator droppings,
>     temporary accidental files that glared at the eyeball,
>     as root, cos near all else was just bin.
>
> IMO very little in a system should be user root.
>
> Apologies, but to guide replies :
> (after threads burnt by a troll on another list)
> I'd not appreciate replies just along the lines of
>   "It has to be to satisfy existing software".
> I'd much rather receive replies along lines of
>   "What would be best ownership scheme, advantages &
>    disadvantages + should we change anything ?"
>

Hm, I just found an old Dennis_v5 release from 1974 and / was set to 0:3,
which is today root:sys, and not to 2:2.

If you look hard enough you can find the v5root.tar.gz from 1974 on
unixarchive.cn-k dot de or some other mirrors ;)

--
Regards,
olli
Julian H. Stacey
2012-Jun-23 22:15 UTC
/ owned by bin causes sshd to complain bad ownership
> If you look hard enough you can find the v5root.tar.gz from 1974 on
> unixarchive.cn-k dot de or some other mirrors ;)

http://unixarchive.cn-k.de/PDP-11/Distributions/research/Dennis_v5/
This looks an interesting site, thanks Olli :-)

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 Mail from @yahoo dumped @berklix.  http://berklix.org/yahoo/