Re: Default permissions of /home/user..

From: Chris Humphries (chris_at_burst.net)
Date: 10/25/04

    To: freebsd-security@freebsd.org
    Date: Mon, 25 Oct 2004 13:15:54 -0400
    
    

    On Saturday 23 October 2004 04:22 pm, Jesper Wallin wrote:
    > Hello..
    >
    > Sure, this works nice.. but yet, I did have to modify /usr/sbin/adduser ..
    > Also, some of you said it's bad having a homedir chmod 700, how come? Let's
    > say I use the account for coding, IRC perhaps, mail, etc.. none of those
    > things require more access than 700? All I can think of is public_html
    > which need o+x so nobody and/or www can access that directory.. I know,
    > FreeBSD isn't Linux but most Linux systems run the same programs such as
    > postfix, mysql, apache, openssh, etc.. and I know some distributions (like
    > gentoo for example) which chmod it to 700 by default.. :)
    >
    > Wouldn't it be nice to add a default option for this in adduser.conf, like
    > chmod=755? Since there seem to be more than just me asking for such
    > feature. ;)
    >

    IMO, the OS should apply the most useful permissions. If home directory
    permissions are a problem, then running a script that tightens down
    everything is more appropriate.

    I have scripts that I run on servers that apply whatever settings and
    permissions I desire, after initial creation of the user[/group] and
    directories. That includes default directory and acl setup.

    Just like a default install of the OS should never be stuck directly on the
    net, default user creation should not allow the user right after... unless
    that is what you like to do, heh.

    I do not believe this is something that should be part of the OS, but should
    be something that is part of whatever set of utilities you use and are
    required of you or your team locally.

    >
    > Best regards,
    > Jesper Wallin
    >
    > ps, thanks for all replies :D
    >
    > >> Sorry for my mistake - you use FreeBSD 5. The adduser command was
    > >> changed to
    > >> sh script in it. I do not use 5, so sorry again.
    > >>
    > >> If your /usr/sbin/adduser has in the start of lines 278 to 280 word
    > >> "_pwcmd", add something like this after line 280:
    > >> _pwcmd="$_pwcmd && chmod 700 $_home"
    > >>
    > >> Command stored in $_pwcmd is executed on line 282. The user should be
    > >> added
    > >> and homedir should be created. The addition above should chmod its
    > >> homedir to 700 (drwx------) automatically.
    > >>
    > >> !!! AGAIN, NOT TESTED !!!
    > >>
    > >> Peter Rosa
    > >
    > > Just a quick correction, you'll want to chmod $uhome not $_home. Having
    > > done that, you can consider your suggestion tested and working.
    > >
    > > Mark Magiera
    > >
    > > _______________________________________________
    > > freebsd-security@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > > To unsubscribe, send any mail to
    > > "freebsd-security-unsubscribe@freebsd.org"
    >
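Added example, not part of the original message and not anyone's posted script: one way to do the post-creation tightening discussed in this thread as a separate sh script, instead of editing /usr/sbin/adduser. The function names, the single base directory and the 711 exception for homes containing public_html are assumptions.

```sh
#!/bin/sh
# Added example: tighten home directories after account creation.
# Assumed policy: 700 by default, 711 when the home contains public_html
# (o+x lets the web server traverse the directory without listing it).

# wanted_mode HOME: print the mode the assumed policy gives HOME.
wanted_mode() {
    if [ -d "$1/public_html" ]; then
        echo 711
    else
        echo 700
    fi
}

# has_mode DIR MODE: succeed if DIR's permission bits are exactly MODE.
# find -perm without a leading "-" is an exact match, and works the same
# on FreeBSD and Linux, unlike stat(1) format flags.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# tighten_homes BASE [apply]: report homes whose mode differs from the
# policy; with "apply" as second argument, chmod them.
tighten_homes() {
    base=${1:-/home}
    action=${2:-report}
    for home in "$base"/*; do
        [ -d "$home" ] || continue
        [ -L "$home" ] && continue   # chmod would follow the link
        mode=$(wanted_mode "$home")
        has_mode "$home" "$mode" && continue
        if [ "$action" = apply ]; then
            chmod "$mode" "$home" && echo "set $home -> $mode"
        else
            echo "would set $home -> $mode"
        fi
    done
}
```

Calling tighten_homes with only a base directory is a dry run; nothing is changed until the second argument is apply.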

