Old 03-30-2015, 11:43 AM   #1
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

Rep: Reputation: 2322
Slackware User permissions


I am exercising my mind over user permissions, as I may have to lend my laptop shortly.

Slackware has all files 0644 and all directories 0755. So all /home/ directories can be read and accessed by any other user. Issues start if I tighten permissions on my homedir - notably 'startx' pukes badly. While not having porn, I do have restricted information in my homedir and rely on the fact that I am the only user on my box.

Can I tighten homedir permissions, and to what extent?
 
Old 03-30-2015, 12:04 PM   #2
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319
I don't have Slackware but I set the home directories to be most restrictive 0700. And startx works fine.
 
1 members found this post helpful.
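
Added example (not part of any post in this thread): a shell script that lists home directories still open to group or others, as with the 0755 default described above, and sets them to 0700. The function names and the temporary demo tree are constructed for illustration; it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: find home directories that group/other can still enter,
# then set them to 0700. Assumes GNU stat (-c '%a'), as shipped on Slackware.

# Print "MODE PATH" for each directory directly under $1 that grants any
# group or other permission bit (mode & 077 != 0).
audit_homes() {
    base=$1
    for d in "$base"/*/; do
        d=${d%/}
        # Skip non-directories and symlinks (chmod would follow the link).
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        mode=$(stat -c '%a' "$d")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# Set every flagged directory to 0700. Files inside keep their 0644 mode,
# but other users can no longer traverse the directory to reach them.
tighten_homes() {
    audit_homes "$1" | while read -r _mode dir; do
        chmod 700 "$dir"
    done
}

# Constructed sample tree standing in for /home (user names are made up).
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/alice" "$t/bob" "$t/guest"
    chmod 755 "$t/alice"   # the default the thread describes
    chmod 750 "$t/bob"     # group can still read and enter
    chmod 700 "$t/guest"   # already private, must not be reported
    printf '%s\n' "$t"
}

# Demo: report, tighten, report again (second report is empty).
demo=$(make_demo_tree)
echo "before:"; audit_homes "$demo"
tighten_homes "$demo"
echo "after:";  audit_homes "$demo"
rm -rf "$demo"
```
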
Old 03-30-2015, 12:13 PM   #3
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
I read this thread and noticed that Debian seems to do the same (I'm guessing the derivatives do also). So I'm interested myself as, at some point, I may share one of my computers with another human. As a quick fix I would just chmod the "sensitive" directories.
By the way, I understand this completely and realise it's not about "hiding" things just about not exposing everything all the time.
 
Old 03-30-2015, 12:27 PM   #4
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by business_kid
While not having porn, I do have restricted information in my homedir and rely on the fact that I am the only user on my box.
This should be encrypted, that's the only real way to keep it secure.
 
Old 03-30-2015, 12:31 PM   #5
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
POSIX ACLs afford no protection if they'll have physical access to the machine.

--mancha
 
Old 03-30-2015, 02:50 PM   #6
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

Original Poster
Rep: Reputation: 2322
Quote:
Originally Posted by veerain
I don't have Slackware but I set the home directories to be most restrictive 0700. And startx works fine.
So it does, and thank you kindly. 0700 was one number I hadn't tried.

I take the point about encryption, but I'm not having to deal with hackers, just guys without security clearance to see certain stuff. They don't know Linux at a console level and will not have root.

They have physical access, and I hadn't thought about POSIX ACLs. Nearly everything I am familiar with in POSIX doesn't work fully or isn't implemented or different on every machine (e.g. regexes), and I would not have been thinking that way. Why don't they deprecate _that_ stuff instead of the things I know my way around?
 
Old 03-30-2015, 04:03 PM   #7
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 528

Rep: Reputation: 273
Quote:
Originally Posted by business_kid
They have physical access, and I hadn't thought about POSIX ACLs.
When mancha wrote...

Quote:
POSIX ACLs afford no protection if they'll have physical access to the machine.
I don't believe he was zeroing in on ACLs (POSIX compliant or not), but rather pointing out that file & directory permissions of a file system won't protect data if one has physical access to the computer.

For example, boot the machine from a CD or flash drive, then as root mount the storage devices (hard disk) and copy any data you want.


EDIT: Maybe I shouldn't have brushed away the "POSIX" aspect so quickly in my comment. Are there file systems out there that allow you to set up access control lists that include encryption control as part of the access control list?

Last edited by TracyTiger; 03-30-2015 at 04:27 PM. Reason: Added Quote, Had another Thought
 
Old 03-30-2015, 04:36 PM   #8
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
I've a feeling that encryption may not really be required in this set-up? Of course if there is some transparent encryption available then I'm sure that will work fine?
 
Old 03-30-2015, 08:11 PM   #9
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by business_kid
I take the point about encryption, but I'm not having to deal with hackers, just guys without security clearance to see certain stuff. They don't know Linux at a console level and will not have root.
Anything that requires security clearance to see requires encryption. As said above, having physical access to the machine means that virtually all other methods can be bypassed.

Quote:
Originally Posted by 273
I've a feeling that encryption may not really be required in this set-up? Of course if there is some transparent encryption available then I'm sure that will work fine?
I would say it is definitely required. I recommend cryptsetup as it is very flexible.
 
Old 03-31-2015, 03:37 AM   #10
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

Original Poster
Rep: Reputation: 2322
Yes, encryption makes sense.
But it is a PITA to set up, and at the moment I just do not have time. These guys will only have the use of my PC to show a presentation, while surrounded by others who would not approve of them snooping/hacking.
 
Old 03-31-2015, 05:27 AM   #11
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,057

Rep: Reputation: Disabled
Quote:
Originally Posted by business_kid
These guys will only have the use of my PC to show a presentation, while surrounded by others who would not approve of them snooping/hacking.
Then another way would be to put the presentation on a USB stick and use another computer to display it.
 
Old 03-31-2015, 11:02 AM   #12
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

Original Poster
Rep: Reputation: 2322
Ok. You need the explanation.

On April 25th/26th, we have a multimedia event streamed from London to be viewed by speakers of English, Portuguese, Chinese, & Romanian. The event is in English; our equipment allows translating for the smallish Chinese group; for the larger Romanian & Portuguese, they want a Portuguese/Romanian simultaneous translation in our main hall but the interpreter needs headphones with English to translate, and in one case, they need English in our second room as well. I have arranged the hardware, but it requires HDMI with the sound on the earphone jack. I have yet to find out if this is possible in Windows. I am getting very blank looks from guys running Windows PCs so far. We are having six showings of the program in the weekend. They may have to use my PC.

So, no USB stick; Chemfire kindly posted me an asoundrc for HDMI which resamples the sound, and inserting/removing this switches sound crudely, via a script. I do not want to make a software project out of this - I do have a life.
 
Old 03-31-2015, 12:02 PM   #13
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Well, if you are watching them while they use your computer then just set the permissions as said above and that should be enough. I thought you were going to let them use it for an extended period unsupervised.
 
Old 03-31-2015, 12:16 PM   #14
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Quote:
Originally Posted by metaschima
Well, if you are watching them while they use your computer then just set the permissions as said above and that should be enough. I thought you were going to let them use it for an extended period unsupervised.
Just to clarify, this was what I was envisioning. I agree with you for recommending encryption as you are correct that it is the only way to prevent those with physical access from accessing data. However, I also realise that sometimes simplicity does well.
However, and this is a more important one: I seriously suggest, business_kid, that you encrypt your home partition with the likes of LUKS anyhow since anybody stealing that laptop would steal your data. This thread just reminded me I must check what I have stored on my laptop as I have some data (photocopy of passport and similar) I simply should not have on it -- I don't store it on my desktop since I don't encrypt my home drive or data drive.

Last edited by 273; 03-31-2015 at 12:18 PM. Reason: Typo's.
 
1 members found this post helpful.
Old 03-31-2015, 01:32 PM   #15
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
I agree that encryption would still be recommended on a laptop.

For PDF documents, you can actually encrypt them as is with AES-256 on Linux. I recommend:
http://sourceforge.net/projects/qpdf/?source=navbar
 
2 members found this post helpful.