LinuxQuestions.org


carlosinfl 06-23-2008 09:02 AM

World Readable Home Directories
 
I just did a fresh install of Debian 64 (Etch) and am building a new email server for my company. However, I plan to use Maildir-style mailboxes under /home and realized that Debian, unlike other distributions, creates /home as 755 rather than 700. Is there a reason for this? I would think that /home/$user is the one place you don't want anyone but the owner to access.

Is there a simple way to change this?

farslayer 06-23-2008 10:05 AM

Personally, I don't allow the user accounts to have login rights to the mail server; I set them all to /sbin/nologin. They can access their mail just fine with pop3 or imap without the need to log in directly to the server.

I think you would have to alter the value of umask in root's .bashrc file so the directories are created by default with 700.

nx5000 06-23-2008 10:22 AM

dpkg-reconfigure adduser
This will only work for newly created users.

I'm using testing, not sure it was there already in etch.

farslayer 06-23-2008 10:25 AM

That's a MUCH better solution than my thoughts on umask.

It is available on etch as well.

carlosinfl 06-23-2008 12:43 PM

Quote:

Originally Posted by nx5000 (Post 3192693)
dpkg-reconfigure adduser
This will only work for newly created users.

I'm using testing, not sure it was there already in etch.

OK - this looks to be what I was looking for. Is there some logic behind this? I too have all my users set to /bin/false on my email server but I still don't understand why Debian does this. It makes no sense to me to have anyone be able to browse and read your home directory.

carlosinfl 06-23-2008 02:29 PM

I ran "dpkg-reconfigure adduser" and selected "no" for system wide readable home directories & then created two accounts...

Code:

email:/home# ls -l
total 8
drwxr-x--x 2 carlos users 4096 2008-06-23 15:20 carlos
drwxr-x--x 2 jason  users 4096 2008-06-23 15:27 jason

It does not appear to be working...

What am I doing wrong?

nx5000 06-24-2008 04:16 AM

Quote:

email:/home# ls -l
total 8
drwxr-x--x 2 carlos users 4096 2008-06-23 15:20 carlos
drwxr-x--x 2 jason users 4096 2008-06-23 15:27 jason

It does not appear to be working...
Hum, it is working, it's not world readable anymore :-)


Quote:

It makes no sense to me to have anyone be able to browse and read your home directory.
Indexing services, daily security checks (that do not need to run as root), web server, historical reasons. Look at the Debian bug tracking system: your question was asked years ago and is not planned to get fixed.

On my default installation, each new user gets his own group created, not like on your system (users group). I think this is the default, from Unix SysV R 6 group semantics.

In your case, you need to manually modify adduser.conf and manually set mode 700...

Telemachos 06-24-2008 05:48 AM

To follow up on what nx5000 said:
Quote:

# The USERGROUPS variable can be either "yes" or "no". If "yes" each
# created user will be given their own group to use as a default. If
# "no", each created user will be placed in the group whose gid is
# USERS_GID (see below).
USERGROUPS=yes

# If USERGROUPS is "no", then USERS_GID should be the GID of the group
# `users' (or the equivalent group) on your system.
USERS_GID=100

# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0755 will be used.
DIR_MODE=0755
There's the bit of /etc/adduser.conf you need to change. I'm guessing you already set the first to USERGROUPS=NO, using dpkg-reconfigure. Set the last to DIR_MODE=700, and you should be fine.
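
An added example, not part of any post in this thread: because the adduser setting only applies to newly created users, this script audits the directories that already exist under a base path and reports any that grant access beyond the owner. It assumes GNU coreutils `stat` (as on Debian); the function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: report home directories that grant access beyond the owner.
# Assumes GNU coreutils stat (Debian). Function names are hypothetical.

# classify_mode OCTAL: print the findings for a permission mode, or "ok".
classify_mode() {
    m=$((0$1))                      # leading 0 makes the shell read it as octal
    out=""
    [ $((m & 004)) -ne 0 ] && out="$out world-readable"
    [ $((m & 002)) -ne 0 ] && out="$out world-writable"
    [ $((m & 001)) -ne 0 ] && out="$out world-searchable"
    [ $((m & 070)) -ne 0 ] && out="$out group-access"
    out=${out# }
    echo "${out:-ok}"
}

# audit_homes BASE: print "name mode findings" for each directory directly
# under BASE that is not owner-only. Symlinks are skipped.
audit_homes() {
    for d in "$1"/*; do
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        verdict=$(classify_mode "$mode")
        [ "$verdict" = ok ] || printf '%s %s %s\n' "${d##*/}" "$mode" "$verdict"
    done
}

# Constructed sample tree using the modes seen in the thread (755, 751, 700).
demo() {
    base=$(mktemp -d)
    mkdir -m 755 "$base/alice"      # adduser default DIR_MODE
    mkdir -m 751 "$base/carlos"     # result shown in the thread's ls -l
    mkdir -m 700 "$base/bob"        # owner-only
    audit_homes "$base"
    rm -rf "$base"
}

demo
```

Run `audit_homes /home` on the server itself. With a shared `users` group, the `group-access` finding on a 751 directory means other members of that group can still list and enter it.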


All times are GMT -5.