Hi All!
The "shadow" package provides the following defaults:
"useradd -m" created home directory with 755 permissions
"adduser" created home directory with 711 permissions
I believe that home directories must be created with 700 permissions.
To achieve this I've changed UMASK from 022 to 077 in /etc/login.defs and changed defchmod from 711 to 700 in /usr/sbin/adduser.
I propose to make these changes in the "shadow" package. But before adding this feature request to http://bugs.archlinux.org/ I would like to hear your opinions, maybe there is some good reason for having current defaults?
Last edited by olegnitz (2007-09-13 15:39:17)
Default permission of 700 on user homes would prevent users from entering or reading each other's directory contents. Even if you belong to the group "users" (which only local users do, as I recall).
Is that what most people actually want? It's more restrictive, but it's only more secure if you store sensitive unencrypted information in your home directory and other local users are accessing the machine.
When someone has physical access, you should generally assume they can become root at will. (Booting from removable media or modifying grub's boot line easily accomplishes this. You can password-protect the BIOS and GRUB, but your BIOS settings can be reset by asserting the correct pin on the motherboard or by removing the battery for a long enough period.)
What type of test case do you have in mind where 700 home directories are preferred? I could see 750, if you were concerned about random unprivileged processes or remote users being able to look into /home.
Dear kagerato, thank you for your reply. I am really amazed by your position on security. What is your favourite version of Windows? ;-)
My position is: home directory must be private by default, every user who wants to make it public can do this via "chmod".
Anyway, "adduser" and "useradd" should create home directories with the same rights.
Last edited by olegnitz (2007-09-17 08:31:53)
Actually, the question may even be: why are there both adduser and useradd?
useradd is a primary tool which has its own configuration for home directory permissions in /etc/login.defs.
adduser is a helper script which works in dialog mode. But it also sets home directory permissions, ignoring /etc/login.defs. At least let's make adduser not change the home directory permissions set by useradd!
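As an added example (not part of the thread or of the shadow package): a shell script that reads UMASK from a login.defs-style file, derives the home directory mode that follows from it (0777 & ~UMASK), and lists home directories with looser permissions. The function names and the fixture are constructed for illustration, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: audit home directory modes against the UMASK in login.defs.
# Function names are hypothetical; requires GNU stat (stat -c).

# Print the UMASK value from a login.defs-style file; 022 if the key is unset.
umask_from_login_defs() {
    awk '$1 == "UMASK" { v = $2 } END { print (v == "" ? "022" : v) }' "$1"
}

# Home directory mode that follows from a given UMASK: 0777 & ~UMASK.
home_mode_for_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# Print "mode path" for each directory directly under HOME_ROOT that has
# any permission bit set outside EXPECTED (i.e. is looser than EXPECTED).
audit_homes() {
    home_root=$1 expected=$2
    for dir in "$home_root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        mode=$(stat -c %a "$dir")
        if [ $(( 0$mode & ~0$expected & 0777 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$dir"
        fi
    done
}

# Constructed fixture: a login.defs with the UMASK proposed in the thread and
# three home directories carrying the modes the thread mentions.
demo() {
    root=$(mktemp -d)
    printf '# constructed sample\nUMASK\t\t077\n' > "$root/login.defs"
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/home/carol"
    chmod 755 "$root/home/alice"   # "useradd -m" with UMASK 022
    chmod 711 "$root/home/bob"     # adduser's defchmod
    chmod 700 "$root/home/carol"   # proposed default
    expected=$(home_mode_for_umask "$(umask_from_login_defs "$root/login.defs")")
    echo "expected home mode: $expected"
    audit_homes "$root/home" "$expected"
    rm -rf "$root"
}
demo
```

On a real system the same functions can be pointed at /etc/login.defs and /home to find directories that were created by a tool that ignored the configured UMASK.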