LinuxQuestions.org
Old 06-23-2008, 10:02 AM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

World Readable Home Directories


I just did a fresh install of Debian 64 (Etch) and am building a new email server for my company; however, I plan to use Maildir-style mailboxes under /home and realized that Debian, unlike other distributions, creates /home as 755 rather than 700. Is there a reason for this? I would think that the /home/$user is the one place you don't want anyone but the owner to access.

Is there a simple way to change this?
 
Old 06-23-2008, 11:05 AM   #2
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,243
Blog Entries: 5

Personally, I don't allow the user accounts to have login rights to the mail server; I set them all to /sbin/nologin. They can access their mail just fine with pop3 or imap without the need to log in directly to the server.

I think you would have to alter the value of umask in root's .bashrc file so the directories are created by default with 700.
 
Old 06-23-2008, 11:22 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

dpkg-reconfigure adduser
This will only work for newly created users.

I'm using testing, not sure it was there already in etch.
 
Old 06-23-2008, 11:25 AM   #4
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,243
Blog Entries: 5

That's a MUCH better solution than my thoughts on umask.

It is available on etch as well..

Last edited by farslayer; 06-23-2008 at 11:26 AM.
 
Old 06-23-2008, 01:43 PM   #5
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Quote:
Originally Posted by nx5000
dpkg-reconfigure adduser
This will only work for newly created users.

I'm using testing, not sure it was there already in etch.
OK - this looks to be what I was looking for. Is there some logic behind this? I too have all my users set to /bin/false on my email server but I still don't understand why Debian does this. It makes no sense to me to have anyone be able to browse and read your home directory.
 
Old 06-23-2008, 03:29 PM   #6
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
I ran "dpkg-reconfigure adduser" and selected "no" for system wide readable home directories & then created two accounts...

Code:
email:/home# ls -l
total 8
drwxr-x--x 2 carlos users 4096 2008-06-23 15:20 carlos
drwxr-x--x 2 jason  users 4096 2008-06-23 15:27 jason
It does not appear to be working...

What am I doing wrong?
 
Old 06-24-2008, 05:16 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Quote:
email:/home# ls -l
total 8
drwxr-x--x 2 carlos users 4096 2008-06-23 15:20 carlos
drwxr-x--x 2 jason users 4096 2008-06-23 15:27 jason

It does not appear to be working...
Hum, it is working, it's not world readable anymore :-)


Quote:
It makes no sense to me to have anyone be able to browse and read your home directory.
Indexing services, daily security checks (that do not need to run as root), web server, historical reasons. Look at the Debian bug tracking system; your question was asked years ago and is not planned to get fixed.

On my default installation, each new user gets his own group created, not like on your system (users group). I think this is the default, from Unix SysV R 6 group semantics.

In your case, you need to manually modify adduser.conf and manually put 700 mode...
 
Old 06-24-2008, 06:48 AM   #8
Telemachos
Member
 
Registered: May 2007
Distribution: Debian
Posts: 754

To follow up on what nx5000 said,
Quote:
# The USERGROUPS variable can be either "yes" or "no". If "yes" each
# created user will be given their own group to use as a default. If
# "no", each created user will be placed in the group whose gid is
# USERS_GID (see below).
USERGROUPS=yes

# If USERGROUPS is "no", then USERS_GID should be the GID of the group
# `users' (or the equivalent group) on your system.
USERS_GID=100

# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0755 will be used.
DIR_MODE=0755
There's the bit of /etc/adduser.conf you need to change. I'm guessing you already set the first to USERGROUPS=NO, using dpkg-reconfigure. Set the last to DIR_MODE=700, and you should be fine.

Last edited by Telemachos; 06-24-2008 at 02:06 PM. Reason: Fixed typo
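
The thread's point that DIR_MODE only affects newly created users leaves existing home directories at their old mode. As an added example (not from any poster in the thread), this script reads DIR_MODE from an adduser.conf-style file, lists directories that still grant group or other access, and tightens them to 700. The function names and the sandbox contents are constructed for illustration, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example: audit and tighten home-directory modes (GNU find/stat assumed).

# Print DIR_MODE from an adduser.conf-style file; the last uncommented
# assignment wins, and 0755 is the default documented in that file.
get_dir_mode() {
    mode=$(sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]\{3,4\}\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-0755}"
}

# Succeed only if an octal mode grants nothing to group or other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# List directories directly under $1 with any group/other permission bit set.
# Output format: "<octal mode> <path>", sorted by path.
audit_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 \
        -exec stat -c '%a %n' {} + | sort -k2
}

# Set every directory flagged by audit_homes to 0700. DIR_MODE only applies to
# accounts created afterwards, so existing homes need this explicit step.
fix_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 -exec chmod 700 {} +
}

# Constructed sandbox: two homes with the 0751 mode from the thread's ls -l
# output, one already-private directory, and a sample config fragment.
sandbox=$(mktemp -d)
mkdir "$sandbox/carlos" "$sandbox/jason" "$sandbox/vmail"
chmod 751 "$sandbox/carlos" "$sandbox/jason"
chmod 700 "$sandbox/vmail"
printf '# If DIR_MODE is set, ...\nDIR_MODE=0755\n' > "$sandbox/adduser.conf"

cfg_mode=$(get_dir_mode "$sandbox/adduser.conf")
mode_is_private "$cfg_mode" || echo "DIR_MODE=$cfg_mode: new homes will not be private"
echo "Before:"; audit_homes "$sandbox"
fix_homes "$sandbox"
echo "After: $(audit_homes "$sandbox" | wc -l) directories still open"
rm -rf "$sandbox"
```

On a real server, run `audit_homes /home` first and review the list before calling `fix_homes /home`, since some accounts (for example ones serving web content) may depend on the looser mode.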
 
  

