From: Jochen Schulz on 6 Jan 2010 17:50

Ken Teague:
>
> In his original e-mail, Mr. Cohen is looking for permissions so that other
> users can not read or access his data. Correct me if I'm wrong, but that
> pretty much leaves us with mode 700, umask 077.

Correct me if I am wrong, but for files created inside $HOME, the umask
doesn't matter if $HOME itself has mode 700.

J.
--
I am on the payroll of a company to whom I owe my undying gratitude.
[Agree] [Disagree] <http://www.slowlydownward.com/NODATA/data_enter2.html>
From: Bob McGowan on 6 Jan 2010 18:20

Jochen Schulz wrote:
> Ken Teague:
>> In his original e-mail, Mr. Cohen is looking for permissions so that other
>> users can not read or access his data. Correct me if I'm wrong, but that
>> pretty much leaves us with mode 700, umask 077.
>
> Correct me if I am wrong, but for files created inside $HOME, the umask
> doesn't matter if $HOME itself has mode 700.
>
> J.

That's correct. With a home directory of 700, no one except the owner can
find any files, be they directories, links, files, etc., under the home.
Period. Doesn't matter what the permissions are, they can't be found.

And 700 is not excessively paranoid. Since anyone can belong to a group,
it is possible for the "personal" group to have other names added to it.
Using 700 guarantees they have no access, if this should happen.

An alternative setting I've sometimes used is 711. This allows the owner
to send someone the full, spelled out, path to a file, and they can get
it, but nothing else. Setting things this way could be useful, for
sharing only what needs to be shared, with one caveat: experienced users
know the full path for "hidden" configuration files/directories, so they
would all need to change to 600 (files) or 700 (directories) to be sure
they can't be compromised in some way.

--
Bob McGowan

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
From: Ken Teague on 6 Jan 2010 19:10

On Wed, Jan 6, 2010 at 2:40 PM, green <greenfreedom10(a)gmail.com> wrote:
> But he probably doesn't want all his files marked as executable.

"chmod 700 $HOME" will change only the home directory permissions, which
excludes all files that are currently present.

itsme(a)testbox:~> ls -ld $HOME
drwx------ 19 itsme users 4096 2009-10-13 21:38 /home/itsme
itsme(a)testbox:~> ls -l $HOME
total 4512
drwx------ 2 itsme users 4096 2009-03-25 18:56 Desktop
-rwxr-xr-x 1 itsme users 541 2009-10-13 20:58 freespace.pl
-rw-r--r-- 1 itsme users 9214 2009-07-20 19:05 stat.txt
drwxr-xr-x 3 itsme users 45 2009-11-18 14:55 tmp
-rw-r--r-- 1 itsme users 210964 2009-02-18 21:26 VRTSralusPatch.tar.gz
-rw-r--r-- 1 itsme users 19539 2009-07-16 18:10 xmacro-pre0.3-20000911.tar.gz
-rw-r--r-- 1 itsme users 4362344 2009-07-16 18:10 xnee-3.03.tar.gz
itsme(a)testbox:~> su -
Password:
testbox:~ # su - otheruser
testbox /home/otheruser> grep users /etc/group
users:x:100:otheruser
testbox /home/otheruser> less /home/itsme/freespace.pl
/home/itsme/freespace.pl: Permission denied

> $ umask 0077
> $ touch abc
> $ ls -lh abc
> -rw------- 1 user user 0 2010-01-06 16:36 abc

umask 0077 will do exactly as you've shown. It will ensure all future
files will be mode 600. If a file needs the execute bit, it should be set
manually. Files that are included in an archive with the execute bit set
will retain it upon expanding the archive.
testbox /home/otheruser> exit
logout
testbox:~ # exit
logout
itsme(a)testbox:~> umask 0077
itsme(a)testbox:~> touch myscript.pl
itsme(a)testbox:~> ls -l myscript.pl
-rw------- 1 itsme users 0 2010-01-06 18:41 myscript.pl
itsme(a)testbox:~> chmod 700 myscript.pl
itsme(a)testbox:~> ls -l myscript.pl
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl
itsme(a)testbox:~> tar cvjf myscript.pl.tar.bz2 myscript.pl
myscript.pl
itsme(a)testbox:~> ls -l mys*
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl
-rw------- 1 itsme users 128 2010-01-06 18:42 myscript.pl.tar.bz2
itsme(a)testbox:~> rm myscript.pl
itsme(a)testbox:~> tar xvjf myscript.pl.tar.bz2
myscript.pl
itsme(a)testbox:~> ls -l myscript.pl
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl

If you really want to be paranoid, you could set umask to 0277 so that
all files are mode 400.

> So I change my suggestion to
> u=rwX,g=,o=

This is an answer more suited to meet the needs of Mr. Cohen, but X is
normally intended to be used with -R (recursive) so that all files that
currently contain an execute bit retain that bit, and those that don't
are not set to contain the execute bit. I'd simply use "chmod 700 $HOME"
and call it a day.

> Is that possible with numeric form (the execute bit)?

Not from my research. If anyone knows, please share.
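Added example, not part of the thread: a small script that exercises the umask values and the recursive "u=rwX,g=,o=" spec discussed in Ken's message inside a throwaway directory and reports the resulting modes, so the effect of each setting can be checked without touching a real $HOME. It assumes a Linux box where "stat -c %a" (GNU or busybox coreutils) is available.

```shell
#!/bin/sh
# Added demo (not from the list thread): create files and directories under
# different umasks, then apply chmod -R u=rwX,g=,o= to a small tree, and
# print the octal modes that result. Assumes GNU/busybox stat (Linux).
set -eu

# mode_of FILE -> octal permission bits of FILE, e.g. 600
mode_of() { stat -c %a "$1"; }

# umask_demo MASK -> "<mode of new file> <mode of new dir>" created under MASK.
# The umask is changed inside a subshell so it does not leak to the caller.
umask_demo() {
    dir=$(mktemp -d)
    ( umask "$1"
      touch "$dir/f"
      mkdir "$dir/d"
      echo "$(mode_of "$dir/f") $(mode_of "$dir/d")" )
    rm -rf "$dir"
}

# capital_x_demo -> modes after "chmod -R u=rwX,g=,o=" over a tree holding a
# plain 644 file, a 755 script and a 755 directory. X grants the execute bit
# only to the directory and to the file that already had an execute bit.
capital_x_demo() {
    dir=$(mktemp -d)
    touch "$dir/plain" "$dir/script"
    mkdir "$dir/sub"
    chmod 644 "$dir/plain"
    chmod 755 "$dir/script" "$dir/sub"
    chmod -R u=rwX,g=,o= "$dir"
    echo "$(mode_of "$dir/plain") $(mode_of "$dir/script") $(mode_of "$dir/sub")"
    rm -rf "$dir"
}

echo "umask 077 (file dir): $(umask_demo 077)"   # 600 700
echo "umask 277 (file dir): $(umask_demo 277)"   # 400 500
echo "u=rwX,g=,o= (plain script sub): $(capital_x_demo)"   # 600 700 700
```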
From: green on 6 Jan 2010 19:30

Ken Teague wrote at 2010-01-06 18:05 -0600:
> On Wed, Jan 6, 2010 at 2:40 PM, green <greenfreedom10(a)gmail.com> wrote:
> > But he probably doesn't want all his files marked as executable.
>
> "chmod 700 $HOME" will change only the home directory permissions,
> which excludes all files that are currently present.
>
> > So I change my suggestion to
> > u=rwX,g=,o=
>
> This is an answer more suited to meet the needs of Mr. Cohen, but X is
> normally intended to be used with -R (recursive) so that all files
> that currently contain an execute bit retain that bit, and those that
> don't are not set to contain the execute bit. I'd simply use "chmod
> 700 $HOME" and call it a day.

Okay, I was assuming recursion because I have a ~/public_html and symlinks
from it to other files scattered in my $HOME and so a "chmod 700 $HOME"
would just break stuff. Otherwise, just changing $HOME permissions is an
excellent solution.
From: Ken Teague on 6 Jan 2010 20:40
On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10(a)gmail.com> wrote:
> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
> break stuff. Otherwise, just changing $HOME permissions is an excellent
> solution.

Great point. "chmod 700 $HOME" would make ~/public_html not so public,
since, on a Debian box, apache runs under the www-data account. :)

So, if Mr. Cohen has such a configuration, he would need to relocate his
~/public_html directory (along with all symlinked scripts or binaries) to
a public location that can be accessed by the www-data account, and
modify his apache configuration accordingly. I have an account on
freeshell.net that is configured like this:

[501]itsme(a)iceland:~$ ls -ld $HOME
drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
[502]itsme(a)iceland:~$ ls -l html
lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
[503]itsme(a)iceland:~$ ls -ld /www/am/i/itsme
drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme

This, to me, looks like the most elegant approach.