LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Desktop
User Name
Password
Linux - Desktop This forum is for the discussion of all Linux Software used in a desktop context.

Notices

Reply
 
Search this Thread
Old 11-10-2009, 03:51 AM   #1
S.Lowhand
LQ Newbie
 
Registered: Jul 2009
Posts: 14

Rep: Reputation: 0
How do I *automatically* set alternative default folder permissions in Ubuntu?


Hi,

I'm an OSX user desperate to move to Ubuntu but the default folder permissions distress me greatly :-)

OSX sets the default folder structure up like this: (Correct me someone if I'm wrong...)

'Home', which is world readable.
Inside Home I have
Desktop
Documents
Library
Movies
Music
Pictures
Public
/Dropbox
Sites

All the folders inside 'Home' are locked to anyone except me, other than 'Public' which is read/write for anyone and 'Dropbox which is 'write only' for anyone.

'Sites' is the Apache folder.

This setup seems sensible to me. It's secure and private.

Ubuntu sets things up so that *everything* in the 'Home' folder is world-readable. This to me is not so clever.

Be that as it may. I _really_ don't want to argue the point but I'm desperate to find a way so that any new user I create on the box gets an OSX-like permissions setup.

Can you help me? I'm a bit of a Ubuntu evangelist and don't want a prospective Windows convert to think I'm nuts for recommending an OS which has such odd defaults.

Is there a way?

So far I have gleaned that I can create a folder/permission structure in /etc/skel which then becomes the default for a new user.

I can also change the default permissions for directories in /etc/adduser.conf

The problems I am having are:
1) I can't set the 'write only' permissions to the 'Dropbox'.

2) I can't set the permissions so that the Home folder is accessible but some folders within it are not.

The solution seems to lie with activating Access Control Lists but I fall at the first hurdle which is to always mount the relevant partition with ACL active. Then I should be able to use:
http://rofi.roger-ferrer.org/eiciel/

Any help appreciated :-)

(As an aside... Do all Linux Distros have these (what I would call...) odd default permissions?)

Slow.
 
Old 11-10-2009, 04:13 AM   #2
mwildam
Member
 
Registered: Sep 2006
Location: Vienna, Austria
Distribution: Fedora 13, Ubuntu 10.04
Posts: 52

Rep: Reputation: 15
How strange that I never noticed that....

For the group permissions that is nothing bad, because the default group is same as user id which is your personal group - but the world readable is indeed odd!
 
Old 11-10-2009, 04:52 AM   #3
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,526

Rep: Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217
Since you didn't say how you are creating users I'm not sure if this will apply.

Anyway assuming you are using the standard adduser command (at least it is standard on Debian), you can set this in /etc/adduser.conf. You need to modify the variable called
"DIR_MODE". Setting it to 700 should work.

Code:
man adduser.conf
for more info.

UGGG, I really should read the *full* post before replying :-/
Cheers,

Evo2.

Last edited by evo2; 11-10-2009 at 04:54 AM. Reason: Brain fart.
 
Old 11-11-2009, 02:03 AM   #4
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Rep: Reputation: 39
If you're really concerned about security, I would go with the DIR_MODE = 700 and then create any publicly available folders outside you home directory (I'm guessing this is what is actually going on in Mac OS). You can always symlink to them inside your home folder.

Once your directory is 700, it doesn't really matter what the perms are for the items within it. Linux defaults are 755 for directories and 644 for files, which should be fine. If they are within your 700 home, then you're good.

I wouldn't worry too much about acl for now... it'll just make things overly complicated.

So for example if you want the dropbox write only, and say it's in /somewhere/MyDropbox, then i believe you should set it 733.
 
Old 11-11-2009, 03:44 AM   #5
mwildam
Member
 
Registered: Sep 2006
Location: Vienna, Austria
Distribution: Fedora 13, Ubuntu 10.04
Posts: 52

Rep: Reputation: 15
I asked our Linux specialist in the company I am working for and he told me that services are mostly running using their own user accounts. For interoperability reasons the default might be the world readable to make sure services can access data. - But he was either not very sure.

So I only wonder if all the applications continue to work fine if I set the permissions to 700. Anyone here with experiences after changing the permissions accordingly?
 
Old 11-11-2009, 03:52 AM   #6
S.Lowhand
LQ Newbie
 
Registered: Jul 2009
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by mwildam View Post
How strange that I never noticed that....

For the group permissions that is nothing bad, because the default group is same as user id which is your personal group - but the world readable is indeed odd!
mwildam,

I'm sure the vast majority of users don't know about these defaults and would be horrified if they did. I know I was...

S
 
Old 11-11-2009, 03:54 AM   #7
S.Lowhand
LQ Newbie
 
Registered: Jul 2009
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by evo2 View Post
Since you didn't say how you are creating users I'm not sure if this will apply.

Anyway assuming you are using the standard adduser command (at least it is standard on Debian), you can set this in /etc/adduser.conf. You need to modify the variable called
"DIR_MODE". Setting it to 700 should work.

Code:
man adduser.conf
for more info.

UGGG, I really should read the *full* post before replying :-/
Cheers,

Evo2.
Evo2,

I'm using the regular Nautilus GUI tool to add a user.

My concern with using DIR_MODE set to 700 is that it kills sharing very effectively.

S
 
Old 11-11-2009, 03:56 AM   #8
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Rep: Reputation: 39
Quote:
Originally Posted by mwildam View Post
I asked our Linux specialist in the company I am working for and he told me that services are mostly running using their own user accounts. For interoperability reasons the default might be the world readable to make sure services can access data. - But he was either not very sure.

So I only wonder if all the applications continue to work fine if I set the permissions to 700. Anyone here with experiences after changing the permissions accordingly?
I've done this before. The only side effect is that kdm was not able to read my .face.icon so I didn't get a nice little picture next to my login name. If things are setup correctly, I can't see any problems... but who knows.
 
Old 11-11-2009, 04:17 AM   #9
S.Lowhand
LQ Newbie
 
Registered: Jul 2009
Posts: 14

Original Poster
Rep: Reputation: 0
mattydee,

Quote:
Originally Posted by mattydee View Post
If you're really concerned about security, I would go with the DIR_MODE = 700 and then create any publicly available folders outside you home directory
This is a good thought!

The problem I have is that if I install Ubuntu on a Newb's computer (Even more of a Newb than myself!) It's quite a big ask to get them to do this for themselves and for each member of their family as they create new accounts, and then set appropriate permissions.

The situation is made worse by the fact that Ubuntu has default directories named 'Public'. Logically this would infer that all other directories are 'other than Public', that is to say 'Private'. Infact all directories are 'Public'. (This is from memory, correct me if I'm wrong. I don't have my Linux box fired up just now...)

Quote:
(I'm guessing this is what is actually going on in Mac OS).
I don't think so. At least not on the face of it. I'm pretty sure OSX uses ACL.

Quote:
You can always symlink to them inside your home folder.
Also a very good idea but an even bigger ask for a newb...

Quote:
Once your directory is 700, it doesn't really matter what the perms are for the items within it. Linux defaults are 755 for directories and 644 for files, which should be fine. If they are within your 700 home, then you're good.
Understood.

Quote:
I wouldn't worry too much about acl for now... it'll just make things overly complicated.
Ok... It's just that I'd just like to find a way to get things 'Right'. Much as I detest Windows, even *they* get this right and a Windows > Linux convert has a right (I believe) to have a similar setup on their Linux box. It's just basic security.

At the moment my solution is to stop recommending Linux and this makes me pretty miserable.

Quote:
So for example if you want the dropbox write only, and say it's in /somewhere/MyDropbox, then i believe you should set it 733.
For my own box, this is definitely a workable solution. I just don't think that I could ask a convert to do it.

Is there really no workable solution using ACL?

I'm happy to do the initial (Moderately tricky) setup but after that I need everything to happen automagically.

Is
http://rofi.roger-ferrer.org/eiciel/
not going to work for me?

My plan was to create the 'Proper' permissions in /etc/skel using Eiciel and then have the setup replicated whenever a new account was created. *Seemed* like a workable solution :-)

Slow

Last edited by S.Lowhand; 11-11-2009 at 04:30 AM.
 
Old 11-11-2009, 04:27 AM   #10
S.Lowhand
LQ Newbie
 
Registered: Jul 2009
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by mwildam View Post
I asked our Linux specialist in the company I am working for and he told me that services are mostly running using their own user accounts. For interoperability reasons the default might be the world readable to make sure services can access data. - But he was either not very sure.

So I only wonder if all the applications continue to work fine if I set the permissions to 700. Anyone here with experiences after changing the permissions accordingly?
mwildam,

Perhaps you have the historical reason right there.

Perhaps things would have to be substantially re-engineered to get 'Proper' permissions set.

I have been told that the reason is that historically Unix placed more emphasis on users on the box being able to collaborate than security between accounts. It was assumed that the environment was safe and that users were sufficiently savvy to set permissions on a directory they *didn't* want to share.

Personally I think this is directly opposite to what a modern-day user expects.

With the current permissions in Ubuntu, I can't see the point in having user accounts at all, other than to customise the environment. I think it's really weird...

S
 
Old 11-11-2009, 04:40 AM   #11
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,526

Rep: Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217Reputation: 1217
Quote:
Originally Posted by S.Lowhand View Post
With the current permissions in Ubuntu, I can't see the point in having user accounts at all, other than to customise the environment. I think it's really weird...
It's 755 not 777. Others can read, not write.

There are many things that Ubuntu does that I consider weird, but to me this one seems pretty normal.

Evo2.
 
Old 11-11-2009, 10:52 AM   #12
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Rep: Reputation: 39
Quote:
Originally Posted by S.Lowhand View Post
Is there really no workable solution using ACL?

I'm happy to do the initial (Moderately tricky) setup but after that I need everything to happen automagically.

Is
http://rofi.roger-ferrer.org/eiciel/
not going to work for me?

My plan was to create the 'Proper' permissions in /etc/skel using Eiciel and then have the setup replicated whenever a new account was created. *Seemed* like a workable solution :-)

Slow
Sorry, I didn't mean to imply that ACL's were a dead end in this case, just that I thought that it would be better to look at all the non-ACL solutions first. Of course, you are free to do whatever you want! This is Linux

I think your /etc/skel plan is a reasonable one. So just to be clear:
You want to use skel to setup the basic directory structure and then use acl's on the /home/user folder to make sure that all files and directories subsequently get created with the proper perms?

I don't have any experience working with /etc/skel so can't help you there. But it seems to me that you may have to modify the adduser script using acl commands (eg, setfacl -d -m o::000 /home/$USERNAME or something like that).

With this approach, you would just have to setup the /etc/skel with the directories and permissions you want, and then use the above command as the last step in the adduser process and you'd be done. New files/directories in the home folder would be created with 640 and 750. This is all theoretical off course. I haven't tested any of this.

edit: oh ya, and you would of course leave your /home/username folder to 755 (or similar) so that others could access whatever folder you DO want to share in your home.

Last edited by mattydee; 11-11-2009 at 11:03 AM. Reason: spelling
 
Old 11-11-2009, 12:03 PM   #13
lwasserm
Member
 
Registered: Mar 2008
Location: Baltimore Md
Distribution: ubuntu
Posts: 184

Rep: Reputation: 41
I believe all you really need to do is edit /etc/profile (or ~/.profile for individual users) and change "umask 022" to "umask 077" or to whatever value necessary for your needs. (This will not change any existing files, only set default permissions for files created subsequent to the change)

The umask value is a reverse mask of the desired default file creation permissions, i.e. use the permission values that you want to EXCLUDE from a new file, not the values you would hope to see in a ls -l listing. Using umask 077 gives newly created files default permissions of rw------- and directories rwx------ (Making a file executable still must be done manually)
 
Old 11-11-2009, 12:20 PM   #14
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Rep: Reputation: 39
Quote:
Originally Posted by lwasserm View Post
I believe all you really need to do is edit /etc/profile (or ~/.profile for individual users) and change "umask 022" to "umask 077" or to whatever value necessary for your needs. (This will not change any existing files, only set default permissions for files created subsequent to the change)

The umask value is a reverse mask of the desired default file creation permissions, i.e. use the permission values that you want to EXCLUDE from a new file, not the values you would hope to see in a ls -l listing. Using umask 077 gives newly created files default permissions of rw------- and directories rwx------ (Making a file executable still must be done manually)
The only problem with this is that any new files the OP creates in his public directory are now inaccessible to the public. ACL gives better per directory control over this kind of thing.
 
Old 11-11-2009, 10:37 PM   #15
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: LFS-Version SVN-20091202, Arch 2009.08
Posts: 1,496

Rep: Reputation: 68
Unfortunately this is kinda how the default security system works in Linux. Each user is only allowed to see there files unless you change the umask of course. You could create a parttion using the fat32 file system and mount it as a public drive that would allow anyone to have access to files put in there. This is however not a very good solution I would look into ACL maybe some other options like group permissions where all the users belong to a group and have access to each others files via that method.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
automatically inherit parent folder permissions when copying files teixeira Linux - Newbie 3 07-08-2008 01:21 PM
Automatically set permissions of new files created within a specific folder Lorian Linux - Desktop 2 03-03-2007 04:17 PM
Setting default permissions for folder dickohead Linux - General 1 04-17-2006 10:55 AM
FOLDER permissions change automatically Echo Kilo Linux - Newbie 5 08-21-2005 04:09 AM
Default permissions of files and folder maginotjr Slackware 2 07-29-2005 04:52 AM


All times are GMT -5. The time now is 06:24 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration