securing /home directories
I've just installed linux for my brother. He's got roomates, they all share the same machine. I'd like to set it up so each of the /home directories is private.
I looked into /etc/skel and searched the net a bit, and LQ, but it isn't clear to me. I am wary of simply chmod 700 on /home/mickey, for example, cause this might cause problems for the system. I suppose i could create a directory, say /home/mickey/private and then do the chmod 700 there. That's a bit clumsy, each user would have to be diligent about where they put stuff. Any suggestions? Ideally the proper umask or whatever should be set automatically when a user is added... Thanks a bunch...! Im running 2.6.8 on PIII, stable. |
It shouldn't cause problems for the system. removing view access to group and world should do the trick
|
I like the way Mandrake is set up. It creates a group for each user of the same name as the user. So even if a file has group access another user can't read the files because each default group is private.
Also, you may want to change the "umask" value in $HOME/.profile. This value is used by the shell to mask permissions on new files. It is probably 0660, and 0600 may be a better value if the default group is "users". |
Quote:
|
from the adduser manpage:
Quote:
so if you want new files to have rw------- you have to use 077 |
okay i am still searching around....
I know it is a umask thing. the trouble is I don't know where to set it, so that it is global. at the moment, any user added to the system has a umask of 0022. I thought that this might be set when users are created; so I checked /etc/skel/ In /etc/skel/ there is the default file '.bash_profile' This file refers me to a file called '/etc/login.defs' This file contains a whole slew of settings. Some of the text int '/etc/login.defs' refers back to PAM. After consideration, i think i need only change settings in '/etc/login.defs'. If I want strict privacy between and amongst users (they can't see, read, delete, write to any directory in /home except theirs..!) and at the same time don't want to befuddle the system (ie. - programs updating config. files in /home) then what would be the most appropriate umask to set..?? sorry for the long sentences....:) Thanks for all of your input so far. |
normally, system config scripts don't touch any user-config files, but only the global config in /etc, so you can simply use this script:
(for individual groups with same name as user) Code:
#!/bin/bash Code:
#!/bin/bash rights rwx------ and owner root:root) now go to your home dir and call it with all subdirs as parameters Code:
cd /home hth, Flo |
Nice scripts, nice explanation.
May I suggest a small simplification?: Code:
#!/bin/bash Code:
#!/bin/bash |
Quote:
Except don't forget the -R (recursive) option for chmod. edit: P.S. On second thought, it would be better to use Code:
chmod -R go-rwx /home/user_name |
Ouch, you are right about both "-R" & "go-rwx".
|
Quote:
Thanks |
Thanks for the compliment, don't forget to incorporate anomie's ideas, the originals were deficient on those points.
How do you feel about a single script that has two modes, one for each of the user:group paradigms in use? There would either a way to set the mode or perhaps the script could detect the mode. I think automatic mode detection could be accomplished by having the script take the name of 1 known regular user as an argument & comparing its UID & GID, or grep'ing /etc/group for "^users". If it weren't so complicated, it could also compare the UID & GID of any user name found in /home. |
Quote:
|
Also be sure that you have modified /etc/adduser.conf so that it creates new user directories with the permissions that you want them to have initially. Also taking a look in /etc/skel/* is a good thing to set the umask levels.
|
I'm writing a better version of the script above, should be finished in this evening or tomorrow...
this one will include group autodetection so long, Flo |
All times are GMT -5. The time now is 11:01 AM. |