From: Roger Leigh on 7 Jan 2010 17:30

On Thu, Jan 07, 2010 at 04:19:14PM -0500, Joey Hess wrote:
> Roger Leigh wrote:
> > % setfacl -m g:www-data:rx ~ ~/public_html
>
> Many web servers are configured to run user-supplied CGI scripts as
> www-data, so this approach is not particularly secure.

I have not much experience of running web servers; this was just intended as an example. However, I'm not sure why it's insecure over the alternative of having it world readable? What is the actual minimal requirement for access by the web server? Surely it's representable in some form of ACL. One could just give execute perm to ~ and maybe additionally read as well to ~/public_html?

Regards,
Roger

-- 
.''`.  Roger Leigh
: :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
`. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
  `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
From: Sridhar M.A. on 7 Jan 2010 20:40

On Wed, Jan 06, 2010 at 11:16:16PM +0200, Dotan Cohen wrote:
> What are good permissions to use for one's home directory so that
> other users on the system could not read or otherwise access my files?
> Is 700 too paranoid? Should it be 755 like I see so many times? Will I
> have problems with 750?

In addition to using chmod as suggested by others, for securing your files, why not try using encfs on directories that you *really* want to protect from prying eyes? The added bonus is even root cannot see those files and booting off a CD also will not let others look at your files.

Regards,

-- 
Sridhar M.A.                  GPG KeyID : F6A35935
Fingerprint: D172 22C4 7CDC D9CD 62B5 55C1 2A69 D5D8 F6A3 5935

Sinners can repent, but stupid is forever.
From: Jon Dowland on 8 Jan 2010 05:00

On Thu, Jan 07, 2010 at 10:24:27PM +0000, Roger Leigh wrote:
> One could just give execute perm to ~ and maybe additionally
> read as well to ~/public_html?

Exactly right. The read to ~/public_html is not necessary if you have +x and a suitable index file underneath which is readable, but it doesn't really hurt. (Some people might not want their web directories 'indexable'. Those people will not want +r, but they will also want to turn off their web server's directory indexing feature too.)

-- 
Jon Dowland
From: Alex Samad on 8 Jan 2010 15:40

On Fri, Jan 08, 2010 at 09:50:42AM +0000, Jon Dowland wrote:
> On Thu, Jan 07, 2010 at 10:24:27PM +0000, Roger Leigh wrote:
> > One could just give execute perm to ~ and maybe additionally
> > read as well to ~/public_html?
>
> Exactly right. The read to ~/public_html is not necessary if
> you have +x and a suitable index file underneath which is

I believe the requirement for apache is it has to be able to read from / to the destination directory. I ran into trouble one time when I changed / to 0.0 750

> readable, but it doesn't really hurt. (Some people might not
> want their web directories 'indexable'. Those people will
> not want +r, but they will also want to turn off their web
> server's directory indexing feature too.)
>
> --

"Let me put it to you bluntly. In a changing world, we want more people to have control over your own life."
- George W. Bush
08/09/2004
Annandale, VA
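The two messages above (Jon's "+x on ~ plus a readable index file" and Alex's "readable from / to the destination directory") describe the same check: a web server running as a user outside your owner and group, i.e. the "other" permission class, needs the execute (traverse) bit on every directory from the top of the tree down to the one it serves, and the read bit only where it must list a directory. The script below is an added example, not code from this thread or from Debian; it walks a path upward and reports the first directory that lacks o+x, then demonstrates the 700, 711 and 755 home-directory modes discussed here on a constructed tree under a temporary directory that stands in for /. It assumes GNU coreutils `stat -c '%a'` and the made-up user name `alice`.

```shell
#!/bin/sh
# Added example (not from the list thread). Assumes GNU coreutils stat.

# other_can_traverse DIR [STOP]
# Walk from DIR up to STOP (default /), checking that the "other" class has
# the execute bit on each directory. Returns 0 if every directory is
# traversable, 1 at the first blocking directory (reported on stderr), 2 on error.
other_can_traverse() {
    dir=$(cd "$1" && pwd -P) || return 2
    stop=${2:-/}
    while :; do
        mode=$(stat -c '%a' "$dir") || return 2
        other=$(( mode % 10 ))            # last octal digit: rwx for "other"
        if [ $(( other & 1 )) -eq 0 ]; then
            echo "blocked at $dir (mode $mode): no x for others" >&2
            return 1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# other_can_read DIR
# Does the "other" class have the read bit on DIR itself? That is what a
# directory listing needs; serving a known index file does not need it.
other_can_read() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( (mode % 10) & 4 )) -ne 0 ]
}

# demo: build a constructed tree (temp dir standing in for /), try the three
# home-directory modes from the thread, and print "traverse read" status
# pairs for each (0 = allowed, 1 = denied). Expected output: "1 1 0 1 0 0".
demo() {
    base=$(mktemp -d) || return 2
    home=$base/home/alice                 # hypothetical user
    mkdir -p "$home/public_html"
    chmod 755 "$base" "$base/home" "$home/public_html"
    out=""
    for m in 700 711 755; do
        chmod "$m" "$home"
        if other_can_traverse "$home/public_html" "$base" 2>/dev/null; then t=0; else t=$?; fi
        if other_can_read "$home"; then r=0; else r=$?; fi
        out="$out $t $r"
    done
    rm -rf "$base"
    echo "${out# }"
}

demo
```

Running `other_can_traverse ~/public_html` on a real system walks all the way to / and names the first directory in the chain that blocks a www-data style user, which is the failure Alex describes; the 711 row in the demo shows Jon's point that traverse without read is enough to reach `public_html` while keeping the home directory unlistable.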
From: Dotan Cohen on 8 Jan 2010 17:00

> In addition to using chmod as suggested by others, for securing
> your files, why not try using encfs on directories that you *really* want
> to protect from prying eyes? The added bonus is even root cannot see
> those files and booting off a cd also will not let others look at
> your files.
>

Thanks for the idea. I do not need that level of security, I just want to open another account on this machine so that my neighbour can send me pics of our daughters' joint birthday party over wifi! I like having the security that if some component of this machine breaks, I can mount the drive anywhere and recover the data.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il