On Aug 23, 2018 2:34 AM, Stefan Sperling <[email protected]> wrote:
>
> On Wed, Aug 22, 2018 at 06:38:11PM -0700, Chris Bennett wrote:
> > Well, there are probably additional reasons too, but my father happily
> > runs OpenBSD. Of course, he needs to be able to turn the computer off.
>
> I would recommend using doas(1) to grant 'shutdown' to a particular user.
> You don't want to run a web browser from an account in the operator group.
>
> The operator group grants permissions far beyond turning the computer off.
> The group has read access to raw disk devices. Applications running as
> operator can bypass filesystem permissions by reading raw disk blocks.
>
> $ ls -l /dev/sd0a
> brw-r----- 1 root operator - 4, 0 Apr 5 22:02 /dev/sd0a
>
> This means for instance that secrets stored in /etc are exposed. Password
> hashes, letsencrypt account keys and certs, smtp auth passwords, wifi
> passwords, VPN secrets, ...
>
> My understanding is that operator was introduced at a time when
> taking system backups required the computer to wait for tapes
> being swapped by a human. These operators didn't need root but
> were trusted with sensitive data.
>
That makes sense. I believe I read something similar somewhere as well.
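As an added example (not from the thread or from OpenBSD itself), the following POSIX sh helpers audit the exposure Stefan describes and emit the doas(1) rule he suggests instead: list non-root members of the operator group, list device nodes whose group is operator and whose mode grants group read, and build a doas.conf line that permits only shutdown -p. The group file and ls -l output are constructed samples passed in as text, and the user name "dad" is an assumption.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. On a real OpenBSD host
# you would feed these functions `cat /etc/group` and `ls -l /dev/*sd*`.

# Constructed sample /etc/group content (not from any real system).
SAMPLE_GROUP='wheel:*:0:root
operator:*:5:root,dad
staff:*:20:root'

# Constructed sample `ls -l` output. "brw-r-----" / "crw-r-----" means the
# operator group can read the block and raw (character) disk device nodes.
SAMPLE_LS='brw-r-----  1 root  operator    4,   0 Apr  5 22:02 /dev/sd0a
crw-r-----  1 root  operator   13,   0 Apr  5 22:02 /dev/rsd0a
crw-rw-rw-  1 root  wheel       2,   2 Apr  5 22:02 /dev/null'

# Print the non-root members of the operator group, one per line.
# These accounts can read raw disk blocks and so bypass file permissions.
operator_members() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "operator" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != "root") print m[i]
        }'
}

# Print block/character device nodes owned by group operator whose mode
# string has the group-read bit set (5th character of the mode is "r").
operator_readable_devices() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[bc]/ && substr($1, 5, 1) == "r" && $4 == "operator" { print $NF }'
}

# Build the doas.conf rule that grants one user only "shutdown -p now",
# instead of adding that user to the operator group.
doas_rule() {
    printf 'permit nopass %s as root cmd /sbin/shutdown args -p now\n' "$1"
}
```

The emitted rule goes in /etc/doas.conf; with it the user runs `doas /sbin/shutdown -p now` and nothing else.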

