From: JF Mezei on 27 Nov 2009 07:57

Out of curiosity, on a server with multiple users, what should be the
security/ACL settings for / and /Users directories ?

I don't want jDoe to be able to "ls /Users" and see the list of user
directories, or doing a "ls /" and see directories he is not supposed to
see.

In the case of /, I do want JDoe to be able to ls /Applications though.

From the command line, does the "stat" command give me all of the
security settings of a file, or is there another one which will list the
core security, the "posix" ACLs as well as the Apple ACLs ?

It is very hard to use the finder to do these tasks for directories the
finder refuses to show you, so I have to use command line (which is
faster than fighting the finder).

It is a real shame that Apple didn't put an "IF" statement in the finder's
code to show ALL files when the user has administrator privileges. It
would have made the finder quite useful for system management. (same
with the dock which is even worse than finder).

From: Barry Margolin on 27 Nov 2009 08:55

In article <0108c7cd$0$23355$c3e8da3(a)news.astraweb.com>,
JF Mezei <jfmezei.spamnot(a)vaxination.ca> wrote:

> Out of curiosity, on a server with multiple users, what should be the
> security/ACL settings for / and /Users directories ?
>
> I don't want jDoe to be able to "ls /Users" and see the list of user
> directories, or doing a "ls /" and see directories he is not supposed to
> see.

They should be 751, i.e. rwxr-x--x. However, this will prevent
commands like "pwd" from working, as it needs to be able to list each of
the ancestor directories.

>
> In the case of /, I do want JDoe to be able to ls /Applications though.

Execute permission on a directory allows you to access what's in it, but
not list it. So leave the permissions on /Applications alone and you
should be OK.

>
> From the command line, does the "stat" command give me all of the
> security settings of a file, or is there another one which will list the
> core security, the "posix" ACLs as well as the Apple ACLs ?

"ls -le" will show ACLs, I'm not sure about stat.

--
Barry Margolin, barmar(a)alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

From: Tom Stiller on 27 Nov 2009 09:02

In article <0108c7cd$0$23355$c3e8da3(a)news.astraweb.com>,
JF Mezei <jfmezei.spamnot(a)vaxination.ca> wrote:

> Out of curiosity, on a server with multiple users, what should be the
> security/ACL settings for / and /Users directories ?
>
> I don't want jDoe to be able to "ls /Users" and see the list of user
> directories, or doing a "ls /" and see directories he is not supposed to
> see.
>
> In the case of /, I do want JDoe to be able to ls /Applications though.
>
> From the command line, does the "stat" command give me all of the
> security settings of a file, or is there another one which will list the
> core security, the "posix" ACLs as well as the Apple ACLs ?
>
> It is very hard to use the finder to do these tasks for directories the
> finder refuses to show you, so I have to use command line (which is
> faster than fighting the finder).
>
> It is a real shame that Apple didn't put an "IF" statement in the finder's
> code to show ALL files when the user has administrator privileges. It
> would have made the finder quite useful for system management. (same
> with the dock which is even worse than finder).

Removing the "x" permission from the other and/or group permissions will
prevent ls from displaying the content of a directory, while allowing
access to an explicit file by name within the directory.

--
Tom Stiller
PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

From: Király on 29 Nov 2009 18:51

Barry Margolin <barmar(a)alum.mit.edu> wrote:

> They should be 751, i.e. rwxr-x--x. However, this will prevent
> commands like "pwd" from working, as it needs to be able to list each of
> the ancestor directories.

That'll work fine, until he uses Disk Utility to repair permissions.
Then it will be back to the default 755.

An ACL might work better.

    $ sudo chmod +a "JDoe deny list,search" /Users

--
K. Lang may your lum reek.
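
An added example, not part of any post in this thread: a POSIX shell function that reads a directory's mode string and reports what the "other" class may do with it, separating listing (read) from traversal (execute), so it can be rerun to spot a directory that has gone back to 755. The names other_dir_access and demo and the temporary tree are assumptions made for the example; it inspects mode bits only and does not evaluate ACL entries.

```shell
#!/bin/sh
# Added example, not from the thread. Mode bits only: ACL entries such as the
# "deny list,search" one are not evaluated here.

# other_dir_access DIR prints what the "other" class may do with DIR:
#   list+traverse  (r-x) names are visible and entries can be reached
#   traverse-only  (--x) entries reachable by known name, names hidden
#   names-only     (r--) names visible, entries not reachable
#   none           (---)
other_dir_access() {
    [ -d "$1" ] || return 1
    # Characters 8-10 of the "ls -ld" mode string are the "other" triplet;
    # "t" in the last position means execute plus sticky, "T" sticky only.
    bits=$(ls -ld -- "$1" | cut -c8-10)
    case "$bits" in
        r?[xt]) echo "list+traverse" ;;
        -?[xt]) echo "traverse-only" ;;
        r??)    echo "names-only" ;;
        *)      echo "none" ;;
    esac
}

# Constructed sample tree standing in for / on a multi-user machine.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Users/jdoe" "$root/Applications"
    chmod 751 "$root/Users"          # mode suggested in the thread
    chmod 755 "$root/Applications"   # left at the default
    for d in "$root/Users" "$root/Applications"; do
        printf '%s\t%s\n' "${d#"$root"}" "$(other_dir_access "$d")"
    done
    rm -rf "$root"
}

demo
```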