LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
LinkBack Search this Thread
Old 06-01-2006, 12:50 AM   #1
onedingo
Member
 
Registered: Jan 2006
Location: Pittsburgh, PA, US
Distribution: Arch
Posts: 69

Rep: Reputation: 19
Any issues with chmod 700 on /home/{* user}?


I'm using Slackware 10.2 which is creating new users home directories chmod 711. While this prevents ls'ing in another users directory, I can read most known files as any user.

For example:
less /home/{user}/.bash_history (as a side note, I just tried to tab complete /h{TAB} while typing this post - LOL)
Firefox & Thunderbird would probably be good candidates also.

Would any applications have problems if I locked the dirs up to 700?

Last edited by onedingo; 06-07-2006 at 08:38 PM.
 
Old 06-01-2006, 02:42 AM   #2
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Rep: Reputation: 45
Nope, if you are running the app as userjoe then that app will have all the permissions userjoe has (in this case rwx). That's not a bad idea at all, you should not have any files in the home directory you plan on sharing to other users anyways.

regards,
...drkstr
 
Old 06-07-2006, 05:01 PM   #3
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124Reputation: 124
It appears that you've got something setup incorrectly in your Slackware system.

By default Slackware-10.2 sets users /home directories 711, and users therefore cannot read each other's files. If yours can, then you've changed something else (perhaps in /etc/group).

As for your tab completion, if you enter "less /h(tab)" it is going to autocomplete "less /home/" in a default Slackware system. It will also complete another users name, but not any filenames below that directory.

Examples:
Code:
mingdao@paul:~$ less /home/bruce/
That's as far as user mingdao can autocomplete on user bruce. The system will NOT even ls the directory as it would for user mingdao.
Code:
mingdao@paul:~$ less /home/bruce/.bash_history
/home/bruce/.bash_history: Permission denied
mingdao@paul:~$
The system will NOT let user mingdao view any of user bruce's files ... period.
Code:
mingdao@paul:~$ su bruce
Password:
bruce@paul:/home/mingdao$ cd
bruce@paul:~$ less /home/mingdao/.bash_history
/home/mingdao/.bash_history: Permission denied
bruce@paul:~$
Same with user bruce trying to look at user mingdao's files.

From "man chmod"
Code:
       A  numeric  mode  is from one to four octal digits (0-7), derived by adding up the
       bits with values 4, 2, and 1.  Any omitted digits are assumed to be leading zeros.
       The  first  digit  selects  the set user ID (4) and set group ID (2) and save text
       image [`sticky'] (1) attributes.  The second digit  selects  permissions  for  the
       user  who  owns  the file: read (4), write (2), and execute (1); the third selects
       permissions for other users in the file's group, with the  same  values;  and  the
       fourth for other users not in the file's group, with the same values.
I suspect you've changed something from the default Slackware setup...
 
Old 06-07-2006, 06:38 PM   #4
onedingo
Member
 
Registered: Jan 2006
Location: Pittsburgh, PA, US
Distribution: Arch
Posts: 69

Original Poster
Rep: Reputation: 19
When I said /h{tab}, I meant I did this in the forum's text form entry box.

.bash_history may be a bad example, as it is usually 600. If a user rm's it and then creates a new one, it will default to 755 depending on umask. That really doesn't clear their history anyway as it is written on logout.

Do this:
user-a$ cd
user-a$ cat test > test.txt
Logout user-a & login user-b
user-b$ cat /home/user-a/test.txt

By default, Slackware's permissions should allow the file to be read.
 
Old 06-07-2006, 07:41 PM   #5
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124Reputation: 124
Evidence:
Here it is, mate:
Code:
mingdao@silas:~$ cat test > test.txt
cat: test: No such file or directory
mingdao@silas:~$ vi test
mingdao@silas:~$ cat test > test.txt
mingdao@silas:~$ su bruce
Password:
bruce@silas:/home/mingdao$ cat test.txt
Rob's example...
bruce@silas:/home/mingdao$ ls -lh
ls: .: Permission denied
bruce@silas:/home/mingdao$ exit
mingdao@silas:~$ ls -lh /home/bruce/
/bin/ls: /home/bruce/: Permission denied
mingdao@silas:~$
I stand corrected, as I didn't read your post well enough.
So if the other user knows the filename he can read it.
But if not, it's a moot point, as you can't "ls" another user.

Some other interesting asides...

Firefox will not allow you to cd to another user's directory,
using the menu File > Open File... (or Ctrl+O).
Entered in the Firefox address bar:
file:///home/bruce/test.txt
returns this result:
Code:
Firefox can't find the file at /home/bruce/test.txt.
Firefox can't read even known files.

Code:
mingdao@silas:~$ su bruce
Password:
bruce@silas:/home/mingdao$ cat test
Rob's example w/out ext...
bruce@silas:/home/mingdao$ rm test
rm: remove write-protected regular file `test'? yes
rm: cannot remove `test': Permission denied
bruce@silas:/home/mingdao$ vi test
Rob's example w/out ext...
~
~
~
Read test [READONLY], 1 lines, 27 chars                                            1,1   Command
I don't think it's a security issue, or problem, but how Slackware is designed. You can read other user's files if you know their names and path (more than just the filename), but you cannot change them; because they're created 644.


In response to your original question, I don't know as I've never done that. Just chmod it and try.

But wouldn't it be easier to chmod an individual file that you didn't want another user to read?

Or if it's top-secret material you can encrypt it with "gpg -r <recipient> -e <file>" and only that recipient can read it ... provided you're good enough creating the passwd.

How many different people (not users) use that box?

If you're the only user, this question is as the Chinese say "er bai wu." If there are other people using the box, perhaps a little creativity would prevent even the necessity of chmod'ing?

Where I live, because of the work I do, we use GnuPG for anything that we don't want someone else to read. There are a myriad of files, however, than even you are welcome to read.
 
Old 06-07-2006, 08:15 PM   #6
onedingo
Member
 
Registered: Jan 2006
Location: Pittsburgh, PA, US
Distribution: Arch
Posts: 69

Original Poster
Rep: Reputation: 19
Let's think of this:

A user of the system needs remote access (SSH) but does a lousy job of picking/protecting passwords. Somehow their account is compromised and an attacker gains user access. It would not be hard to read some other users known files such as: (and I'm doing this from memory and a WinXP machine as I don't have Linux available right now):

/home/user-a/.thunderbird/profiles.ini // This will give you the info to defeat the "random" directory
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/Mail/Local Folders/Inbox
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/abook.mab

Of course, all this is unlikely but possible.
 
Old 06-07-2006, 08:24 PM   #7
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Rep: Reputation: 45
which is why those folder gets 700 by default ...at least on my system it does. Is this different on yours?

regards,
...drkstr
 
Old 06-07-2006, 08:46 PM   #8
onedingo
Member
 
Registered: Jan 2006
Location: Pittsburgh, PA, US
Distribution: Arch
Posts: 69

Original Poster
Rep: Reputation: 19
Yep. 711. Read first post.

*EDIT* oops! I thought you meant the home dirs, not the thunderbird ones. Mine must of got screwed up after transfering from a Windows machine.

Last edited by onedingo; 06-07-2006 at 09:30 PM.
 
Old 06-07-2006, 08:48 PM   #9
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124Reputation: 124
Quote:
Originally Posted by onedingo
Let's think of this:

A user of the system needs remote access (SSH) but does a lousy job of picking/protecting passwords. Somehow their account is compromised and an attacker gains user access. It would not be hard to read some other users known files such as: (and I'm doing this from memory and a WinXP machine as I don't have Linux available right now):

/home/user-a/.thunderbird/profiles.ini // This will give you the info to defeat the "random" directory
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/Mail/Local Folders/Inbox
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/abook.mab

Of course, all this is unlikely but possible.
How would an attacker take over an SSH session? One of us doesn't properly understand SSH...

So, assuming (but how would he?) a cracker "took over an ssh session" -- then...
Code:
mingdao@silas:~$ less /home/bruce/.thunderbird/profiles.ini
mingdao@silas:~$ less /home/bruce/.thunderbird/<munged>.default/Mail/Local\ Folders/Inbox
/home/bruce/.thunderbird/<munged>.default/Mail/Local Folders/Inbox: Permission denied
As dkstr told you:
Code:
mingdao@silas:~$ ls -alh /home/mingdao/.thunderbird/
total 18K
drwxr-xr-x  3 mingdao users  136 2006-04-11 21:44 ./
drwx--x--x 60 mingdao users 9.3K 2006-06-08 08:15 ../
-rw-r--r--  1 mingdao users  335 2006-04-11 21:44 appreg
-rw-r--r--  1 mingdao users   94 2006-04-11 21:44 profiles.ini
drwx------  7 mingdao users 1.1K 2006-06-07 11:50 <munged>.default/
Nope ... 700 --check again.

P.S. You wouldn't cat mine --
/home/mingdao/.thunderbird/<munged>.default/Mail/Local\ Folders/Inbox lines 1-26/2579005 0%
-- you'd lock up your cracker box.

Case closed...
 
  


Reply

Tags
chmod, home, permissions, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to retrieve original chmod of my home directory? jogurt666 Linux - General 3 06-07-2006 08:36 PM
vsftpd - new directories are chmod:ed 700 samel_tvom Linux - Software 2 05-23-2005 11:27 AM
Access to /home/user and https issues adamrg Mandriva 3 03-13-2005 03:45 PM
Chmod = no access to home folder! DeathPrawn Linux - Newbie 4 02-12-2005 11:50 AM
box lockout after chmod 700 takisd Linux - General 21 12-03-2003 01:32 AM


All times are GMT -5. The time now is 04:56 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration