My least favorite FreeBSD default: permissions for CD/DVD burning.
I get the high-minded position FreeBSD takes here, but it is also a total PITA and it seems pretty clear that if you are putting a CD/DVD in a host's tray, you have console access.
Yeah, it's pretty nuts having to study the output of camcontrol and /dev, creating a devfs ruleset, adding that to /etc/rc.conf, adding your CD drive into /etc/fstab, and then tweaking a sysctl, just to burn a CD.
I am hard-pressed to think of the security risks involved in a user being able to burn a CD. Short of some kind of highly-confidential server with no internet access, where you'd probably want the whole machine inside a locked cage anyway.
There's a cd in the tray, but we don't know who put it there. Maybe if you're logged in on a specific terminal?
I could contrive some scenarios where it would be undesirable though: Maybe if there's a rewritable (or not finalized write once) disc also in the system for something important? Let's say, a diskless system without pxe support, so it boots from a cd drive, but doesn't mount it. An unauthorized user with access to the burner could disrupt the next boot.
I get the high-minded position FreeBSD takes here, but it is also a total PITA and it seems pretty clear that if you are putting a CD/DVD in a host's tray, you have console access.