Any issues with chmod 700 on /home/{* user}?

onedingo · 06-01-2006, 12:50 AM

I'm using Slackware 10.2 which is creating new users home directories chmod 711. While this prevents ls'ing in another users directory, I can read most known files as any user.

For example:
less /home/{user}/.bash_history (as a side note, I just tried to tab complete /h{TAB} while typing this post - LOL)
Firefox & Thunderbird would probably be good candidates also.

Would any applications have problems if I locked the dirs up to 700?

drkstr · 06-01-2006, 02:42 AM

Nope, if you are running the app as userjoe then that app will have all the permissions userjoe has (in this case rwx). That's not a bad idea at all, you should not have any files in the home directory you plan on sharing to other users anyways.

regards,
...drkstr

Bruce Hill · 06-07-2006, 05:01 PM

It appears that you've got something setup incorrectly in your Slackware system.

By default Slackware-10.2 sets users /home directories 711, and users therefore cannot read each other's files. If yours can, then you've changed something else (perhaps in /etc/group).

As for your tab completion, if you enter "less /h(tab)" it is going to autocomplete "less /home/" in a default Slackware system. It will also complete another users name, but not any filenames below that directory.

Examples:

Code:

mingdao@paul:~$ less /home/bruce/

That's as far as user mingdao can autocomplete on user bruce. The system will NOT even ls the directory as it would for user mingdao.

Code:

mingdao@paul:~$ less /home/bruce/.bash_history
/home/bruce/.bash_history: Permission denied
mingdao@paul:~$

The system will NOT let user mingdao view any of user bruce's files ... period.

Code:

mingdao@paul:~$ su bruce
Password:
bruce@paul:/home/mingdao$ cd
bruce@paul:~$ less /home/mingdao/.bash_history
/home/mingdao/.bash_history: Permission denied
bruce@paul:~$

Same with user bruce trying to look at user mingdao's files.

From "man chmod"

Code:

       A  numeric  mode  is from one to four octal digits (0-7), derived by adding up the
       bits with values 4, 2, and 1.  Any omitted digits are assumed to be leading zeros.
       The  first  digit  selects  the set user ID (4) and set group ID (2) and save text
       image [`sticky'] (1) attributes.  The second digit  selects  permissions  for  the
       user  who  owns  the file: read (4), write (2), and execute (1); the third selects
       permissions for other users in the file's group, with the  same  values;  and  the
       fourth for other users not in the file's group, with the same values.

I suspect you've changed something from the default Slackware setup...

onedingo · 06-07-2006, 06:38 PM

When I said /h{tab}, I meant I did this in the forum's text form entry box.

.bash_history may be a bad example, as it is usually 600. If a user rm's it and then creates a new one, it will default to 755 depending on umask. That really doesn't clear their history anyway as it is written on logout.

Do this:
user-a$ cd
user-a$ cat test > test.txt
Logout user-a & login user-b
user-b$ cat /home/user-a/test.txt

By default, Slackware's permissions should allow the file to be read.

Bruce Hill · 06-07-2006, 07:41 PM

Evidence:
Here it is, mate:

Code:

mingdao@silas:~$ cat test > test.txt
cat: test: No such file or directory
mingdao@silas:~$ vi test
mingdao@silas:~$ cat test > test.txt
mingdao@silas:~$ su bruce
Password:
bruce@silas:/home/mingdao$ cat test.txt
Rob's example...
bruce@silas:/home/mingdao$ ls -lh
ls: .: Permission denied
bruce@silas:/home/mingdao$ exit
mingdao@silas:~$ ls -lh /home/bruce/
/bin/ls: /home/bruce/: Permission denied
mingdao@silas:~$

I stand corrected, as I didn't read your post well enough.
So if the other user knows the filename he can read it.
But if not, it's a moot point, as you can't "ls" another user.

Some other interesting asides...

Firefox will not allow you to cd to another user's directory,
using the menu File > Open File... (or Ctrl+O).
Entered in the Firefox address bar:
file:///home/bruce/test.txt
returns this result:

Code:

Firefox can't find the file at /home/bruce/test.txt.

Firefox can't read even known files.

Code:

mingdao@silas:~$ su bruce
Password:
bruce@silas:/home/mingdao$ cat test
Rob's example w/out ext...
bruce@silas:/home/mingdao$ rm test
rm: remove write-protected regular file `test'? yes
rm: cannot remove `test': Permission denied
bruce@silas:/home/mingdao$ vi test
Rob's example w/out ext...
~
~
~
Read test [READONLY], 1 lines, 27 chars                                            1,1   Command

I don't think it's a security issue, or problem, but how Slackware is designed. You can read other user's files if you know their names and path (more than just the filename), but you cannot change them; because they're created 644.

In response to your original question, I don't know as I've never done that. Just chmod it and try.

But wouldn't it be easier to chmod an individual file that you didn't want another user to read?

Or if it's top-secret material you can encrypt it with "gpg -r <recipient> -e <file>" and only that recipient can read it ... provided you're good enough creating the passwd.

How many different people (not users) use that box?

If you're the only user, this question is as the Chinese say "er bai wu." If there are other people using the box, perhaps a little creativity would prevent even the necessity of chmod'ing?

Where I live, because of the work I do, we use GnuPG for anything that we don't want someone else to read. There are a myriad of files, however, than even you are welcome to read.

onedingo · 06-07-2006, 08:15 PM

Let's think of this:

A user of the system needs remote access (SSH) but does a lousy job of picking/protecting passwords. Somehow their account is compromised and an attacker gains user access. It would not be hard to read some other users known files such as: (and I'm doing this from memory and a WinXP machine as I don't have Linux available right now):

/home/user-a/.thunderbird/profiles.ini // This will give you the info to defeat the "random" directory
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/Mail/Local Folders/Inbox
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/abook.mab

Of course, all this is unlikely but possible.

drkstr · 06-07-2006, 08:24 PM

which is why those folder gets 700 by default ...at least on my system it does. Is this different on yours?

regards,
...drkstr

onedingo · 06-07-2006, 08:46 PM

Yep. 711. Read first post.

*EDIT* oops! I thought you meant the home dirs, not the thunderbird ones. Mine must of got screwed up after transfering from a Windows machine.

Bruce Hill · 06-07-2006, 08:48 PM

Quote:

Originally Posted by onedingo

Let's think of this:

A user of the system needs remote access (SSH) but does a lousy job of picking/protecting passwords. Somehow their account is compromised and an attacker gains user access. It would not be hard to read some other users known files such as: (and I'm doing this from memory and a WinXP machine as I don't have Linux available right now):

/home/user-a/.thunderbird/profiles.ini // This will give you the info to defeat the "random" directory
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/Mail/Local Folders/Inbox
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/abook.mab

Of course, all this is unlikely but possible.

How would an attacker take over an SSH session? One of us doesn't properly understand SSH...

So, assuming (but how would he?) a cracker "took over an ssh session" -- then...

Code:

mingdao@silas:~$ less /home/bruce/.thunderbird/profiles.ini
mingdao@silas:~$ less /home/bruce/.thunderbird/<munged>.default/Mail/Local\ Folders/Inbox
/home/bruce/.thunderbird/<munged>.default/Mail/Local Folders/Inbox: Permission denied

As dkstr told you:

Code:

mingdao@silas:~$ ls -alh /home/mingdao/.thunderbird/
total 18K
drwxr-xr-x  3 mingdao users  136 2006-04-11 21:44 ./
drwx--x--x 60 mingdao users 9.3K 2006-06-08 08:15 ../
-rw-r--r--  1 mingdao users  335 2006-04-11 21:44 appreg
-rw-r--r--  1 mingdao users   94 2006-04-11 21:44 profiles.ini
drwx------  7 mingdao users 1.1K 2006-06-07 11:50 <munged>.default/

Nope ... 700 --check again.

P.S. You wouldn't cat mine --
/home/mingdao/.thunderbird/<munged>.default/Mail/Local\ Folders/Inbox lines 1-26/2579005 0%
-- you'd lock up your cracker box.

Case closed...