|
How do I *automatically* set alternative default folder permissions in Ubuntu?
Hi,
I'm an OSX user desperate to move to Ubuntu but the default folder permissions distress me greatly :-) OSX sets the default folder structure up like this: (Correct me someone if I'm wrong...) 'Home', which is world readable. Inside Home I have Desktop Documents Library Movies Music Pictures Public /Dropbox Sites All the folders inside 'Home' are locked to anyone except me, other than 'Public' which is read/write for anyone and 'Dropbox which is 'write only' for anyone. 'Sites' is the Apache folder. This setup seems sensible to me. It's secure and private. Ubuntu sets things up so that *everything* in the 'Home' folder is world-readable. This to me is not so clever. Be that as it may. I _really_ don't want to argue the point but I'm desperate to find a way so that any new user I create on the box gets an OSX-like permissions setup. Can you help me? I'm a bit of a Ubuntu evangelist and don't want a prospective Windows convert to think I'm nuts for recommending an OS which has such odd defaults. Is there a way? So far I have gleaned that I can create a folder/permission structure in /etc/skel which then becomes the default for a new user. I can also change the default permissions for directories in /etc/adduser.conf The problems I am having are: 1) I can't set the 'write only' permissions to the 'Dropbox'. 2) I can't set the permissions so that the Home folder is accessible but some folders within it are not. The solution seems to lie with activating Access Control Lists but I fall at the first hurdle which is to always mount the relevant partition with ACL active. Then I should be able to use: http://rofi.roger-ferrer.org/eiciel/ Any help appreciated :-) (As an aside... Do all Linux Distros have these (what I would call...) odd default permissions?) Slow. |
How strange that I never noticed that....
For the group permissions that is nothing bad, because the default group is same as user id which is your personal group - but the world readable is indeed odd! |
Since you didn't say how you are creating users I'm not sure if this will apply.
Anyway assuming you are using the standard adduser command (at least it is standard on Debian), you can set this in /etc/adduser.conf. You need to modify the variable called "DIR_MODE". Setting it to 700 should work. Code:
man adduser.confUGGG, I really should read the *full* post before replying :-/ Cheers, Evo2. |
If you're really concerned about security, I would go with the DIR_MODE = 700 and then create any publicly available folders outside you home directory (I'm guessing this is what is actually going on in Mac OS). You can always symlink to them inside your home folder.
Once your directory is 700, it doesn't really matter what the perms are for the items within it. Linux defaults are 755 for directories and 644 for files, which should be fine. If they are within your 700 home, then you're good. I wouldn't worry too much about acl for now... it'll just make things overly complicated. So for example if you want the dropbox write only, and say it's in /somewhere/MyDropbox, then i believe you should set it 733. |
I asked our Linux specialist in the company I am working for and he told me that services are mostly running using their own user accounts. For interoperability reasons the default might be the world readable to make sure services can access data. - But he was either not very sure.
So I only wonder if all the applications continue to work fine if I set the permissions to 700. Anyone here with experiences after changing the permissions accordingly? |
Quote:
I'm sure the vast majority of users don't know about these defaults and would be horrified if they did. I know I was... S |
Quote:
I'm using the regular Nautilus GUI tool to add a user. My concern with using DIR_MODE set to 700 is that it kills sharing very effectively. S |
Quote:
|
mattydee,
Quote:
The problem I have is that if I install Ubuntu on a Newb's computer (Even more of a Newb than myself!) It's quite a big ask to get them to do this for themselves and for each member of their family as they create new accounts, and then set appropriate permissions. The situation is made worse by the fact that Ubuntu has default directories named 'Public'. Logically this would infer that all other directories are 'other than Public', that is to say 'Private'. Infact all directories are 'Public'. (This is from memory, correct me if I'm wrong. I don't have my Linux box fired up just now...) Quote:
Quote:
Quote:
Quote:
At the moment my solution is to stop recommending Linux and this makes me pretty miserable. Quote:
Is there really no workable solution using ACL? I'm happy to do the initial (Moderately tricky) setup but after that I need everything to happen automagically. Is http://rofi.roger-ferrer.org/eiciel/ not going to work for me? My plan was to create the 'Proper' permissions in /etc/skel using Eiciel and then have the setup replicated whenever a new account was created. *Seemed* like a workable solution :-) Slow |
Quote:
Perhaps you have the historical reason right there. Perhaps things would have to be substantially re-engineered to get 'Proper' permissions set. I have been told that the reason is that historically Unix placed more emphasis on users on the box being able to collaborate than security between accounts. It was assumed that the environment was safe and that users were sufficiently savvy to set permissions on a directory they *didn't* want to share. Personally I think this is directly opposite to what a modern-day user expects. With the current permissions in Ubuntu, I can't see the point in having user accounts at all, other than to customise the environment. I think it's really weird... S |
Quote:
There are many things that Ubuntu does that I consider weird, but to me this one seems pretty normal. Evo2. |
Quote:
I think your /etc/skel plan is a reasonable one. So just to be clear: You want to use skel to setup the basic directory structure and then use acl's on the /home/user folder to make sure that all files and directories subsequently get created with the proper perms? I don't have any experience working with /etc/skel so can't help you there. But it seems to me that you may have to modify the adduser script using acl commands (eg, setfacl -d -m o::000 /home/$USERNAME or something like that). With this approach, you would just have to setup the /etc/skel with the directories and permissions you want, and then use the above command as the last step in the adduser process and you'd be done. New files/directories in the home folder would be created with 640 and 750. This is all theoretical off course. I haven't tested any of this. :) edit: oh ya, and you would of course leave your /home/username folder to 755 (or similar) so that others could access whatever folder you DO want to share in your home. |
I believe all you really need to do is edit /etc/profile (or ~/.profile for individual users) and change "umask 022" to "umask 077" or to whatever value necessary for your needs. (This will not change any existing files, only set default permissions for files created subsequent to the change)
The umask value is a reverse mask of the desired default file creation permissions, i.e. use the permission values that you want to EXCLUDE from a new file, not the values you would hope to see in a ls -l listing. Using umask 077 gives newly created files default permissions of rw------- and directories rwx------ (Making a file executable still must be done manually) |
Quote:
|
Unfortunately this is kinda how the default security system works in Linux. Each user is only allowed to see there files unless you change the umask of course. You could create a parttion using the fat32 file system and mount it as a public drive that would allow anyone to have access to files put in there. This is however not a very good solution I would look into ACL maybe some other options like group permissions where all the users belong to a group and have access to each others files via that method.
|
| All times are GMT -5. The time now is 03:08 AM. |