LinuxQuestions.org
Linux - Desktop This forum is for the discussion of all Linux Software used in a desktop context.

Old 12-17-2008, 03:55 PM   #16
hasanatizaz
Member
 
Registered: Nov 2007
Location: Pakistan
Distribution: Redhat and Debian
Posts: 302
Blog Entries: 1

Rep: Reputation: 34

umask usually subtracts like 0700 from 0777 = 0077
other than owner, "group and others can access"

Last edited by hasanatizaz; 12-17-2008 at 03:57 PM.
 
Old 12-17-2008, 04:03 PM   #17
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
This is confusing.

I want the users to have secure files and folders which no one else can get to.

umask 077?
 
Old 12-17-2008, 04:04 PM   #18
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Quote:
Originally Posted by mashcaster
So if I do

umask 0700, will that fix things for when I create further new users? i.e. prevent others from seeing their folders?
No, umask is subtractive from the actual permissions. The umask you want is 077. If you want to fix the existing directories to those permissions you would type: chmod 700 /home/account

You should probably also chmod /home to 711 to prevent directory listings there.

Quote:
Originally Posted by mashcaster
This is confusing.

I want the users to have secure files and folders which no one else can get to.

umask 077?
Yes.

Last edited by rweaver; 12-17-2008 at 04:06 PM. Reason: /home
 
Old 12-17-2008, 04:08 PM   #19
rweaver
Quote:
Originally Posted by hasanatizaz
you need to set
chmod 755 /home

please post the output of ls -ltr /home instead of gui so that it's easier to see the permissions of default user home directories and see user and their groups.

all users home directory must be 700
Actually for what he's looking for he wants 711 for /home not 755. 755 will allow users to see the other users home directories. 711 will not.
 
Old 12-17-2008, 04:19 PM   #20
hasanatizaz
Quote:
Originally Posted by rweaver
Actually for what he's looking for he wants 711 for /home not 755. 755 will allow users to see the other users home directories. 711 will not.
I am sorry, I have not read that.
 
Old 12-17-2008, 04:27 PM   #21
rweaver
Quote:
Originally Posted by hasanatizaz
I am sorry, I have not read that.
Just examine the permissions each grants:

755 = drwxr-xr-x
711 = drwx--x--x

755 means:
Owner - List, Create+Delete, Make Working Directory
Group - List, Make Working Directory
Everyone - List, Make Working Directory

711 means:
Owner - List, Create+Delete, Make Working Directory
Group - Make Working Directory
Everyone - Make Working Directory

Being able to change to a directory doesn't necessarily imply the need to be able to list the contents of the directory. The normal permissions for the home directory are 755. However, if you want to prevent your users from being able to see the contents of the home directory you can change that to 751 (if some groups need to be able to see the contents) or 711 (if no one but the owner of the directory needs to see the contents.)
 
Old 12-17-2008, 04:37 PM   #22
hasanatizaz
thanks
 
Old 12-17-2008, 05:01 PM   #23
mashcaster
Original Poster
Something is not right. I did the above and I got this?

Quote:
linux:/home/user# ls -ld /home/*
drwx--x--x 12 user user 4096 2008-12-17 21:42 /home/user
drwx--x--x 2 user2 user2 4096 2008-12-17 21:35 /home/user2
drwx--x--x 2 user3 user3 4096 2008-12-17 21:36 /home/user3
drwx--x--x 2 user4 user4 4096 2008-12-17 21:44 /home/user4
drwxr-xr-x 2 user5 user5 4096 2008-12-17 21:48 /home/user5
linux:/home/user# ls -ld /home/user/*
drwx--x--x 2 user user 4096 2008-12-17 21:34 /home/user/Desktop
-rwx--x--x 1 user user 0 2008-12-17 21:41 /home/user/new file
-rwx--x--x 1 user user 0 2008-12-17 21:42 /home/user/new file 1
-rw-r--r-- 1 user user 0 2008-12-17 21:58 /home/user/new file 2
drwx--x--x 2 user user 4096 2008-12-17 21:40 /home/user/untitled folder
drwxr-xr-x 2 user user 4096 2008-12-17 21:58 /home/user/untitled folder 1
linux:/home/user#

I then added a new user "user5" and the permissions are different. I also added "new file 2" and "untitled folder 1" to "user" and their permissions are different too??

What is that?

Last edited by mashcaster; 12-18-2008 at 03:27 AM.
 
Old 12-18-2008, 04:00 AM   #24
mashcaster
Original Poster
I think

chmod -R 0700 /home/

is better. It gives me

linux:/home/user# ls -ld /home/*
drwx------ 12 user user 4096 2008-12-17 21:42 /home/user
drwx------ 2 user2 user2 4096 2008-12-17 21:35 /home/user2
drwx------ 2 user3 user3 4096 2008-12-17 21:36 /home/user3
drwx------ 2 user4 user4 4096 2008-12-17 21:44 /home/user4
drwx------ 2 user5 user5 4096 2008-12-17 21:48 /home/user5
linux:/home/user# ls -ld /home/user/*
drwx------ 2 user user 4096 2008-12-17 21:34 /home/user/Desktop
-rwx------ 1 user user 0 2008-12-17 21:41 /home/user/new file
-rwx------ 1 user user 0 2008-12-17 21:42 /home/user/new file 1
-rwx------ 1 user user 0 2008-12-17 21:58 /home/user/new file 2
drwx------ 2 user user 4096 2008-12-17 21:40 /home/user/untitled folder
drwx------ 2 user user 4096 2008-12-17 21:58 /home/user/untitled folder 1
linux:/home/user#

Which umask value do I need to get all further new users accounts to be created with the same permissions and all new files and folders to be created with the same permissions?
 
Old 12-18-2008, 07:26 AM   #25
kaz2100
Senior Member
 
Registered: Apr 2005
Location: Penguin land, with apple, no gates
Distribution: Debian testing woody(32) sarge etch lenny squeeze(+64) wheezy jessie
Posts: 1,455

Rep: Reputation: 84
Hya,

It is not my intention, if anybody thinks I am hijacking.

The original post mentions also. How to take care of files under /tmp? Most of the programs are careful enough, but not all. Also, the names there may be indicative of something.

Happy Penguins!
 
Old 12-18-2008, 07:44 AM   #26
mashcaster
Original Poster
Quote:
Originally Posted by kaz2100
Hya,

It is not my intention, if anybody thinks I am hijacking.

The original post mentions also. How to take care of files under /tmp? Most of the programs are careful enough, but not all. Also, the names there may be indicative of something.

Happy Penguins!
I think I have "almost" figured it out...
 
Old 12-18-2008, 11:43 AM   #27
rweaver
Quote:
Originally Posted by mashcaster
I think

chmod -R 0700 /home/

is better. It gives me

linux:/home/user# ls -ld /home/*
drwx------ 12 user user 4096 2008-12-17 21:42 /home/user
drwx------ 2 user2 user2 4096 2008-12-17 21:35 /home/user2
drwx------ 2 user3 user3 4096 2008-12-17 21:36 /home/user3
drwx------ 2 user4 user4 4096 2008-12-17 21:44 /home/user4
drwx------ 2 user5 user5 4096 2008-12-17 21:48 /home/user5
linux:/home/user# ls -ld /home/user/*
drwx------ 2 user user 4096 2008-12-17 21:34 /home/user/Desktop
-rwx------ 1 user user 0 2008-12-17 21:41 /home/user/new file
-rwx------ 1 user user 0 2008-12-17 21:42 /home/user/new file 1
-rwx------ 1 user user 0 2008-12-17 21:58 /home/user/new file 2
drwx------ 2 user user 4096 2008-12-17 21:40 /home/user/untitled folder
drwx------ 2 user user 4096 2008-12-17 21:58 /home/user/untitled folder 1
linux:/home/user#
You don't actually want files to be -rwx------ you want them to be -rw------- otherwise they'll act as scripts that attempt to execute when you type ./new file

If the actual /home directory itself is 700 your users won't be able to access their own home directories. You also don't want to set execute bit on things that don't need it... so doing a recursive chmod may not be the best idea. Let me demonstrate:

Code:
here:/home# ls -al
total 60
drwx--x--x 15 root     root     4096 2008-12-07 17:51 .
drwxr-xr-x 23 root     root     4096 2008-11-05 14:37 ..
drwx------  3 user1    user1    4096 2008-12-17 14:18 user1
drwx------  3 user2    user2    4096 2008-12-02 14:53 user2
drwx------  3 user3    user3    4096 2008-12-09 13:50 user3
here:/home# su - user1
user1@here:~$ pwd
/home/user1
user1@here:~$ exit
here:/home# chmod 700 /home
here:/home# ls -ald
drwx------ 15 root root 4096 2008-12-07 17:51 .
here:/home# su - user1
No directory, logging in with HOME=/
user1@here:/$ pwd
/
user1@here:/$ exit

Understand? If you deny the users the ability to change their working directory to /home you deny them the ability to be in any of the sub directories also... eg: their home directory.

Quote:
Originally Posted by mashcaster
Which umask value do I need to get all further new users accounts to be created with the same permissions and all new files and folders to be created with the same permissions?
umask 077 is the permissions you want, it defaults permissions to equiv chmod perms of 700 for directories and 600 for files.

Directories (700):
rwx for owner,
nothing for group,
nothing for everyone else.

Files (600):
rw for owner
nothing for group,
nothing for everyone else.

The short version:
Set a system wide umask in /etc/login.defs /etc/profile /etc/bash.bashrc or whatever your system supports. I would suggest also setting it in root's .bashrc or whatever rc file is used for your login shell. I would say your current default is set to 066 based on the home directories, but it should be 077. Then to fix your existing permissions ...

chmod 711 /home
chmod 700 /home/user1 /home/user2 /home/user3 /home/user4 /home/user5

As long as the umask is in your system profile then all newly created users will be made with 700 directories and 600 files. Recursive chmod can be problematic... be very very careful with anything recursive.

Personally, I prefer being able to select more accurately the files I want when chmoding recursively than chmod itself will allow, so typically I do something like this if I need a recursive change...

find /home/user1 -type d -exec chmod 700 {} \;
find /home/user1 -type f -exec chmod 600 {} \;

Last edited by rweaver; 12-18-2008 at 11:45 AM.
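
Added example (not part of the thread; the helper names are hypothetical): it computes what umask 022, 066 and 077 leave of the default 666/777 request, confirms the result by creating a file and a directory, and wraps the find commands from post #27 with a check for entries still open to group or others. It assumes GNU stat and GNU find.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the thread.
# Assumes GNU stat and GNU find (for -c %a and -perm /077).

# Mode a new object gets: the requested mode with the umask bits cleared.
# Files are normally requested with 666, directories with 777.
masked_mode() {  # usage: masked_mode BASE UMASK (octal digits)
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a file and a directory under UMASK in a scratch directory and
# print their real modes as "FILE_MODE DIR_MODE".
created_modes() {  # usage: created_modes UMASK
    scratch=$(mktemp -d) || return 1
    ( umask "$1"; : > "$scratch/f"; mkdir "$scratch/d" )
    echo "$(stat -c %a "$scratch/f") $(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

# Same effect as the two find commands in the post: 700 on directories,
# 600 on regular files. Note it also strips execute from real scripts.
lock_down_tree() {  # usage: lock_down_tree DIR
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Count entries (symlinks excluded) that still grant anything to
# group or others.
exposed_entries() {  # usage: exposed_entries DIR
    find "$1" ! -type l -perm /077 | wc -l | tr -d ' '
}

for m in 022 066 077; do
    echo "umask $m: files $(masked_mode 666 "$m"), dirs $(masked_mode 777 "$m")"
done
```

Running exposed_entries on a home directory before and after lock_down_tree shows whether anything was left readable by other accounts.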
 
Old 12-18-2008, 11:52 AM   #28
mashcaster
Original Poster
I've changed umask to 077 in many files, but it is still being overwritten by the default 022. I can't figure out which file is doing the overwriting.
 
Old 12-18-2008, 11:53 AM   #29
rweaver
Quote:
Originally Posted by kaz2100
Hya,

It is not my intention, if anybody thinks I am hijacking.

The original post mentions also. How to take care of files under /tmp? Most of the programs are careful enough, but not all. Also, the names there may be indicative of something.

Happy Penguins!
It really depends on how behaved the programs you're running are going to be. Setting the umask system wide is a good start. Many programs also support letting you set the tmp directory somewhere else which is useful (~/tmp for example.) You kinda have to judge it on a case by case basis since some programs totally ignore umask and create files accessible by anyone and everyone in /tmp (and there are a few programs that require files to be wide open and there's not a lot you can do about it.) If they're not being very behaved then you may have to run a script that watches the directory and sets the correct permissions for specific things.

Shrug.
 
Old 12-18-2008, 11:56 AM   #30
rweaver
Quote:
Originally Posted by mashcaster
I've changed umask to 077 in many files, but it is still being overwritten by the default 022. I can't figure out which file is doing the overwriting.
Try this:

Code:
cd /etc
grep -i "umask" *
cd
grep -i "umask" ~/.*

That should show you the locations where umask is being set. Don't forget to logout and back in after making the changes so they take effect (or source your .bashrc file if a change is made there.)

Might also want to make changes to umask in /etc/skel/.* files also if any of them are setting it (so newly created users get the correct umask set by default.)

This thread is also going on over on the Debian boards, there's some relevant info there that hasn't been posted here yet. http://forums.debian.net/viewtopic.php?p=195859

Last edited by rweaver; 12-18-2008 at 02:19 PM. Reason: skel, debian forums
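
Added example (not part of the thread; active_umask_lines, demo_scan and the sample files are constructed for illustration): a stricter form of the grep above that reports only uncommented umask/UMASK settings with file and line number, so a later 022 that overrides an earlier 077 is easy to spot.

```shell
#!/bin/sh
# Added example; function names and sample files are hypothetical.

# Print "file:line:text" for every uncommented umask setting in the
# given files. Matches both the shell form (umask 077) and the
# login.defs form (UMASK 022); commented-out lines are skipped.
active_umask_lines() {  # usage: active_umask_lines FILE...
    grep -HniE '^[[:space:]]*umask[[:space:]]+[0-7]{3,4}' "$@" 2>/dev/null
}

# Constructed sample tree standing in for /etc and one home directory.
demo_scan() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/skel" "$root/home/user"
    printf '# UMASK 077 would be stricter\nUMASK\t\t022\n' > "$root/etc/login.defs"
    printf 'umask 077\n' > "$root/etc/profile"
    printf '#umask 022\n' > "$root/etc/skel/.profile"
    printf 'alias ll="ls -l"\numask 022\n' > "$root/home/user/.bashrc"
    ( cd "$root" && active_umask_lines etc/login.defs etc/profile \
        etc/skel/.profile home/user/.bashrc )
    rm -rf "$root"
}

# In the sample, /etc/profile sets 077 but the user's .bashrc sets 022
# afterwards, which is the kind of override described in the thread.
demo_scan
```

On a real system the same function can be pointed at /etc/login.defs, /etc/profile, /etc/bash.bashrc, /etc/skel/.* and ~/.*.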
 
  



Tags
chmod, exec, find, permissions, umask

