User Accounts
 

Now that I have password protected the bios, changed the bios settings so the PC will not boot from anything except the master hdd, padlocked the case so the bios cannot be reset by changing the jumper, changed the bios settings to alert me if the case has been tampered with, and installed debian on an encrypted file system.

How do I setup a multi user machine where each users files, folders, program settings, and temporary files are protected, hidden, and locked from the other users?

Maybe you should also lock it in a concrete vault guarded by 5 hungry dogs.....;)

Seriously, go into a terminal, su to root, and enter "adduser". The default creation of a new user will do most of what you want. I think the only thing you might need to change is the permissions. Do this in /home, using chmod -R <flags> username. This changes the permissions for the "username" directory and everything inside.

this is a default of a normal linux environment. one user would not be able to see another users /home/username/ directory.

Make sure their umask setting masks out the permissions of others. I don't know if the /tmp/kde-<username>/ directory will be private otherwise. Usa a umask command in the default /etc/profile file.

hmmm, interesting thought!

Might need to think about implementing that mission impossible environment, only without the hatch in the ceiling...

In the last distro I tried, this was not the case.

I'll have to look into this.

OpenSuSE uses the "users" group as the default group for new users. That is the first thing I fix, even though I'm the only user! It's the principle. You are still using the basic owner/group/permissions model however.

Why am I able to see the other users folder and why am I able to click through the other users folders and even open the users files?

http://img266.imageshack.us/img266/5...eenshothw0.png

What I cannot do is edit anything.

This is not good default behavior.

What are the user's permissions in /home? Look at "ls -ld /home/*".

Make sure that the group owner is unique. Make sure that the other's permissions on the directories in home don't allow any access.

You picture only shows the home directories for the two users. It doesn't show you entering them. Seeing the users home directories in /home is normal.

I did

chmod -R 0711 /home

user@debian:~$ su
Password:
debian:/home/user# ls -ld /home/*
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
debian:/home/user#

Is that the best way?

It may be normal, but why am I able to get into the other persons folders and open their files? That can't be normal can it?

Those permissions mean this:

d <- Directory
rwx <- Read Write eXecute for User
--x <- eXecute for Group
--x <- eXecute for Everyone

For directory purposes read means being able to list contents, write means delete and create new contents, and execute means you can make the directory your current working directory.

For file purposes read means being able to view the contents of the file, write means being able to change the contents of the file, and execute means being able to run the file (binary or script).

There are also special permissions you can set additionally, but we'll avoid those for the moment being as they're not presently relevant.

For the purposes of what you're looking to do you pretty much want any personally owned directories to be permissions 700 and shared directories (that they don't need to be able to list the contents of) to be 711. For file permissions you're pretty much looking at a unilateral 600. Things won't get real tricky till you attempt to deal with /tmp.

Try this:

chmod 700 /home/user /home/user2

Permissions for files and folders work slightly differently. If you wish to make it so users can't see the home directories you'll have to deny them the ability to get a directory listing for the /home directory or chroot them into their home directory.

chmod 711 /home

Will remove the users ability to get a directory list in /home but still be able to access content under their own directory.

Of course, if you are logged in as root or a given program is functioning as root you more or a less can do anything you please.

Putting a restrictive umask will be necessary if you want to keep things remaining relative private.

It looks like you're using umask 066, you want to use umask 077 most likely.

However, remember umask only works on newly created directories and files after it is set. You probably want to set it in the system wide profile for what you're attempting to do. Also remember this kind of security is only as good as being able to prevent the user from getting root access... if they can sudo or su to root they can circumvent all the safeguards you're putting in place completely. Make your root password *very* secure. Keep the system completely updated.

you need to set
chmod 755 /home

please post the output of ls -ltr /home instead of gui so that its easier to see the permissions of default user home directories and see user and their groups.

all users home directory must be 700

So if I do

umask 0700, will that fix things for when I create further new users? i.e. prevent others from seeing there folders?

umask usually subtracts like 0700 from 0777 = 0077
other than owner, "group and others can access"

This is confusing.

I want the users to have secure files and folders which no one else can get too.

umask 077?

No, umask is subtractive from the actual permissions. The umask you want is 077. If you want to fix the existing directories to those permissions you would type: chmod 700 /home/account

You should probably also chmod /home to 711 to prevent directory listings there.

Yes.

Actually for what he's looking for he wants 711 for /home not 755. 755 will allow users to see the other users home directories. 711 will not.

i am sorry i have not read that.

Just examine the permissions each grants:

755 = drwxr-xr-x
711 = drwx--x--x

755 means:
Owner - List, Create+Delete, Make Working Directory
Group - List, Make Working Directory
Everyone - List, Make Working Directory

711 means:
Owner - List, Create+Delete, Make Working Directory
Group - Make Working Directory
Everyone - Make Working Directory

Being able to change to a directory doesn't necessarily imply the need to be able to list the contents of the directory. The normal permission for the home directory are 755. However, if you want to prevent your users from being able to see the contents of the home directory you can change that to 751 (if some groups need to be able to see the contents) or 711 (if no one but the owner of the directory needs to see the contents.)

thanks :) :)

Something is not right. I did the above and I got this?

I then added a new user "user5" and the permissions are different. I also added "new file "2 and "untitled folder 1" to "user" and there permissions are different too??.

What is that?

I think

chmod -R 0700 /home/

is better. It gives me

linux:/home/user# ls -ld /home/*
drwx------ 12 user user 4096 2008-12-17 21:42 /home/user
drwx------ 2 user2 user2 4096 2008-12-17 21:35 /home/user2
drwx------ 2 user3 user3 4096 2008-12-17 21:36 /home/user3
drwx------ 2 user4 user4 4096 2008-12-17 21:44 /home/user4
drwx------ 2 user5 user5 4096 2008-12-17 21:48 /home/user5
linux:/home/user# ls -ld /home/user/*
drwx------ 2 user user 4096 2008-12-17 21:34 /home/user/Desktop
-rwx------ 1 user user 0 2008-12-17 21:41 /home/user/new file
-rwx------ 1 user user 0 2008-12-17 21:42 /home/user/new file 1
-rwx------ 1 user user 0 2008-12-17 21:58 /home/user/new file 2
drwx------ 2 user user 4096 2008-12-17 21:40 /home/user/untitled folder
drwx------ 2 user user 4096 2008-12-17 21:58 /home/user/untitled folder 1
linux:/home/user#

Which umask value do I need to get all further new users accounts to be created with the same permissions and all new files and folders to be created with the same permissions?

Hya,

It is not my intention, if anybody thinks I am hijacking.

The original post mentions also. How to take care of files under /tmp? Most of the programs are careful enough, but not all. Also, the names there may be indicative of something.

Happy Penguins!

I think I have "almost" figured it out...

You don't actually want files to be -rwx------ you want them to be -rw------- otherwise they'll act as scripts that attempt to execute when you type ./new file

If the actual /home directory itself is 700 your users won't be able to access their own home directories. You also don't want to set execute bit on things that don't need it... so doing a recursive chmod may not be the best idea. Let me demonstrate:

Understand? If you deny the users the ability to change their working directory to /home you deny them the ability to be in any of the sub directories also... eg: their home directory.

umask 077 is the permissions you want, it defaults permissions to equiv chmod perms of 700 for directories and 600 for files.

Directories (700):
rwx for owner,
nothing for group,
nothing for everyone else.

Files (600):
rw for owner
nothing for group,
nothing for everyone else.

The short version:
Set a system wide umask in /etc/login.defs /etc/profile /etc/bash.bashrc or whatever your system supports. I would suggest also setting it in roots .bashrc or whatever rc file is used for your login shell. I would say your current default is set to 066 based on the home directories, but it should be 077. Then to fix your existing permissions ...

chmod 711 /home
chmod 700 /home/user1 /home/user2 /home/user3 /home/user4 /home/user5

As long as the umask is in your system profile then all newly created users will be made with 700 directories and 600 files. Recursive chmod can be problematic... be very very careful with anything recursive.

Personally, I prefer being able to select more accurately the files I want when chmoding recursively than chmod itself will allow, so typically I do something like this if I need a recursive change...

find /home/user1 -type d -exec chmod 700 {} \;
find /home/user1 -type f -exec chmod 600 {} \;

I've changed umash to 077 in many files, but it is still being overwritten by the default 022. I can't figure out which file is doing the overwriting.

It really depends on how behaved the programs you're running are going to be. Setting the umask system wide is a good start. Many programs also support letting you set the tmp directory somewhere else which is useful (~/tmp for example.) You kinda have to judge it on a case by case basis since some programs totally ignore umask and create files accessible by anyone and everyone in /tmp (and there are a few programs that require files to be wide open and there's not a lot you can do about it.) If they're not being very behaved then you may have to run a script that watches the directory and sets the correct permissions for specific things.

Shrug.

Try this:

That should show you the locations where umask is being set. Don't forget to logout and back in after making the changes so they take effect (or source your .bashrc file if a change is made there.)

Might also want to make changes to umask in /etc/skel/.* files also if any of them are setting it (so newly created users get the correct umask set by default.)

This thread is also going on over on the Debian boards, there's some relevant info there that hasn't been posted here yet. http://forums.debian.net/viewtopic.php?p=195859

I ran for following after su'ing into root:

grep -i "umask" /etc/*

and

grep -i "umask" ~/.*

and found that there were umask entries in the following files

/etc/profile
~/.bashrc

I changed the umask entry in /etc/profile from 022 to 077 and commented out the umask entry in ~/.bashrc

Because of the current bug, I added

umask 002

to /etc/gdm/Xsession

After restarted the system, I logged in as a standard user, created a file, checked the permissions and the permissions are set to

-rw-rw-r--

What have I missed out?

Nevermind, got it working by changing 002 to 077 in /etc/gdm/Xsession.

umask 002 = 664 (files) = rw-rw-r--

For what you described umask should be 077 *everywhere* including the /etc/profile, /etc/login.defs, /etc/skel/.bashrc, /root/.bashrc, /etc/gdm/Xsession, etc. The less programs that can weasel around the umask the better. Someone else mentioned /etc/adduser.conf DIR MODE and it should be 700. etc... anywhere you can find to set it... set it.

There ya go :)

How do I scan all the files in my harddrive to find all umask's

grep -i "umask" /etc/*

will only look in the folder /etc/

and

grep -i "umask" ~/.*

will only look into my home folder.

You don't really need to look in the whole system, but looking through the sub directories of /etc wouldn't hurt... try:

(i case insensitive, R recursive, I ignore binary) (v invert match)

Most of the /etc/rcX.d stuff can be safely ignored also.