LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices

Reply
 
Search this Thread
Old 10-11-2005, 11:24 PM   #1
danimalz
Member
 
Registered: Jul 2005
Location: West Coast South, USA
Distribution: debian 3.1
Posts: 257

Rep: Reputation: 36
securing /home directories


I've just installed linux for my brother. He's got roomates, they all share the same machine. I'd like to set it up so each of the /home directories is private.

I looked into /etc/skel and searched the net a bit, and LQ, but it isn't clear to me. I am wary of simply chmod 700 on /home/mickey, for example, cause this might cause problems for the system. I suppose i could create a directory, say /home/mickey/private and then do the chmod 700 there. That's a bit clumsy, each user would have to be diligent about where they put stuff.

Any suggestions? Ideally the proper umask or whatever should be set automatically when a user is added...

Thanks a bunch...!


Im running 2.6.8 on PIII, stable.
 
Old 10-12-2005, 12:18 AM   #2
korozion
Member
 
Registered: Apr 2004
Location: Canada
Distribution: Debian
Posts: 124

Rep: Reputation: 15
It shouldn't cause problems for the system. removing view access to group and world should do the trick
 
Old 10-12-2005, 12:32 AM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
I like the way Mandrake is set up. It creates a group for each user of the same name as the user. So even if a file has group access another user can't read the files because each default group is private.

Also, you may want to change the "umask" value in $HOME/.profile. This value is used by the shell to mask permissions on new files. It is probably 0660, and 0600 may be a better value if the default group is "users".
 
Old 10-12-2005, 02:31 AM   #4
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,279

Rep: Reputation: 61
Quote:
Originally posted by jschiwal
I like the way Mandrake is set up. It creates a group for each user of the same name as the user. So even if a file has group access another user can't read the files because each default group is private.

Also, you may want to change the "umask" value in $HOME/.profile. This value is used by the shell to mask permissions on new files. It is probably 0660, and 0600 may be a better value if the default group is "users".
I agree with that, I first started using mandrake over 3 years ago and found it was great that it created a user and a group with the same name, i meant that others by default couldn't read your home folder on my samba server. But when I changed to using slackware for samba everytime you added a user it would and them to the 'users' group by default, giving everyone read and execute permissions by default.
 
Old 10-12-2005, 03:47 AM   #5
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
from the adduser manpage:

Quote:
By default, each user in Debian GNU/Linux is given a corresponding group with the same name and id. Usergroups allow group writable directories to be easily maintained by placing the appropriate users in the new group, setting the set-group-ID bit in the directory, and ensuring that all users use a umask of 002. If this option is turned off by setting USERGROUPS to no, all users' GIDs are set to USERS_GID. Users' groups can also be overridden from the command line with the --gid or --ingroup options to set the group by id or name, respectively.
and, btw, the umask is a bitmask of disallowed bits,
so if you want new files to have rw------- you have to use 077
 
Old 10-12-2005, 04:20 AM   #6
danimalz
Member
 
Registered: Jul 2005
Location: West Coast South, USA
Distribution: debian 3.1
Posts: 257

Original Poster
Rep: Reputation: 36
okay i am still searching around....

I know it is a umask thing. the trouble is I don't know where to set it, so that it is global.

at the moment, any user added to the system has a umask of 0022. I thought that this might be set when users are created; so I checked /etc/skel/

In /etc/skel/ there is the default file '.bash_profile' This file refers me to a file called '/etc/login.defs' This file contains a whole slew of settings. Some of the text int '/etc/login.defs' refers back to PAM.

After consideration, i think i need only change settings in '/etc/login.defs'.

If I want strict privacy between and amongst users (they can't see, read, delete, write to any directory in /home except theirs..!) and at the same time don't want to befuddle the system (ie. - programs updating config. files in /home) then what would be the most appropriate umask to set..??

sorry for the long sentences....

Thanks for all of your input so far.
 
Old 10-12-2005, 10:01 AM   #7
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
normally, system config scripts don't touch any user-config files, but only the global config in /etc, so you can simply use this script:

(for individual groups with same name as user)
Code:
#!/bin/bash

while [ "$1" != ""]; do
  DIR="${$1%/}"
  chown $DIR:$DIR /home/$DIR
  chmod 770 /home/$DIR
  shift
done
or for a common group "users":
Code:
#!/bin/bash

while [ "$1" != ""]; do
  DIR="${$1%/}"
  chown $DIR:users /home/$DIR
  chmod 700 /home/$DIR
  shift
done
(call it homedir_fixrights and save it in /home with
rights rwx------ and owner root:root)

now go to your home dir and call it with all subdirs as parameters
Code:
cd /home
homedir_fixrights */
it will change ownership of every dir to the user (and group) with the same name of the directory and set the access rights to allow only the user itself (and veryone in "his" group).

hth,
Flo
 
Old 10-12-2005, 01:01 PM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
Nice scripts, nice explanation.

May I suggest a small simplification?:
Code:
#!/bin/bash
#0 homedir_fixrights  ===  fixes home directory ownership rights
##     ver. for individual groups with same name as user
#@ by "doc.nice", tweaked by "archtoad6"

for DIR in /home/*
do
  chown $DIR:$DIR /home/$DIR
  chmod 770 /home/$DIR
done
and:
Code:
#!/bin/bash
#0 homedir_fixrights  ===  fixes home directory ownership rights
##     ver.  for a common group "users"
#@ by "doc.nice", tweaked by "archtoad6"

for DIR in /home/*
do
  chown $DIR:users /home/$DIR
  chmod 700 /home/$DIR
done
as well as authorship attribution.
 
Old 10-12-2005, 01:06 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
I am wary of simply chmod 700 on /home/mickey
This is a fine solution, and an easy one to implement. It will accomplish what you're going for.

Except don't forget the -R (recursive) option for chmod.

edit: P.S. On second thought, it would be better to use
Code:
chmod -R go-rwx /home/user_name
No reason to give execute rights to files that don't need them.

Last edited by anomie; 10-12-2005 at 01:08 PM.
 
Old 10-12-2005, 01:19 PM   #10
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
Ouch, you are right about both "-R" & "go-rwx".
 
Old 10-12-2005, 04:21 PM   #11
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,279

Rep: Reputation: 61
Quote:
Originally posted by archtoad6
Nice scripts, nice explanation.

May I suggest a small simplification?:
Code:
#!/bin/bash
#0 homedir_fixrights  ===  fixes home directory ownership rights
##     ver. for individual groups with same name as user
#@ by "doc.nice", tweaked by "archtoad6"

for DIR in /home/*
do
  chown $DIR:$DIR /home/$DIR
  chmod 770 /home/$DIR
done
and:
Code:
#!/bin/bash
#0 homedir_fixrights  ===  fixes home directory ownership rights
##     ver.  for a common group "users"
#@ by "doc.nice", tweaked by "archtoad6"

for DIR in /home/*
do
  chown $DIR:users /home/$DIR
  chmod 700 /home/$DIR
done
as well as authorship attribution.
Nice code, I can use that
Thanks
 
Old 10-13-2005, 07:11 AM   #12
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
Thanks for the compliment, don't forget to incorporate anomie's ideas, the originals were deficient on those points.

How do you feel about a single script that has two modes, one for each of the user:group paradigms in use? There would either a way to set the mode or perhaps the script could detect the mode.

I think automatic mode detection could be accomplished by having the script take the name of 1 known regular user as an argument & comparing its UID & GID, or grep'ing /etc/group for "^users". If it weren't so complicated, it could also compare the UID & GID of any user name found in /home.
 
Old 10-13-2005, 05:10 PM   #13
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,279

Rep: Reputation: 61
Quote:
Originally posted by archtoad6
Thanks for the compliment, don't forget to incorporate anomie's ideas, the originals were deficient on those points.
Anytime, anomie's idea taken into consideration also.
 
Old 10-14-2005, 03:16 PM   #14
Wells
Member
 
Registered: Nov 2004
Location: Florida, USA
Distribution: Debian, Redhat
Posts: 383

Rep: Reputation: 31
Also be sure that you have modified /etc/adduser.conf so that it creates new user directories with the permissions that you want them to have initially. Also taking a look in /etc/skel/* is a good thing to set the umask levels.
 
Old 10-15-2005, 07:03 AM   #15
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
I'm writing a better version of the script above, should be finished in this evening or tomorrow...
this one will include group autodetection

so long,
Flo
 
  


Reply

Tags
adduser, script


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache Root/Home Directory and setting up FTP for home directories? Mankind75 Linux - Newbie 6 07-23-2006 02:37 PM
encrypted home directories TomaCzar Slackware 1 05-19-2005 07:00 AM
securing users to certain directories ? lozza1978 Linux - Newbie 2 05-09-2005 10:04 PM
Securing individual directories (SSL) Trent Hatred Linux - Software 1 10-07-2004 10:50 PM
Home directories and AD authentication Kerry Davis Linux - Networking 5 07-14-2004 10:26 AM


All times are GMT -5. The time now is 12:07 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration