Quote:
Originally Posted by mashcaster
I did
chmod -R 0711 /home
user@debian:~$ su
Password:
debian:/home/user# ls -ld /home/*
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
debian:/home/user#
Is that the best way?
|
Those permissions mean this:
d <- Directory
rwx <- Read Write eXecute for User
--x <- eXecute for Group
--x <- eXecute for Everyone
For directory purposes read means being able to list contents, write means delete and create new contents, and execute means you can make the directory your current working directory.
For file purposes read means being able to view the contents of the file, write means being able to change the contents of the file, and execute means being able to run the file (binary or script).
There are also special permissions you can set additionally, but we'll avoid those for the moment being as they're not presently relevant.
For the purposes of what you're looking to do you pretty much want any personally owned directories to be permissions 700 and shared directories (that they don't need to be able to list the contents of) to be 711. For file permissions you're pretty much looking at a unilateral 600. Things won't get real tricky till you attempt to deal with /tmp.
Try this:
chmod 700 /home/user /home/user2
Permissions for files and folders work slightly differently. If you wish to make it so users can't see the home directories you'll have to deny them the ability to get a directory listing for the /home directory or chroot them into their home directory.
chmod 711 /home
Will remove the users ability to get a directory list in /home but still be able to access content under their own directory.
Of course, if you are logged in as root or a given program is functioning as root you more or a less can do anything you please.
Putting a restrictive umask will be necessary if you want to keep things remaining relative private.
It looks like you're using umask 066, you want to use umask 077 most likely.
Code:
me@here$ umask 066 && mkdir foo && touch bar
me@here$ umask 077 && mkdir foo2 && touch bar2
me@here$ ls -l
total 8
-rw------- 1 me me 0 2008-12-17 13:54 bar <- (Effective chmod 600)
-rw------- 1 me me 0 2008-12-17 13:54 bar2 <- (Effective chmod 600)
drwx--x--x 2 me me 4096 2008-12-17 13:54 foo <- (Effective chmod 711)
drwx------ 2 me me 4096 2008-12-17 13:54 foo2 <- (Effective chmod 700)
me@here$
However, remember umask only works on newly created directories and files after it is set. You probably want to set it in the system wide profile for what you're attempting to do. Also remember this kind of security is only as good as being able to prevent the user from getting root access... if they can sudo or su to root they can circumvent all the safeguards you're putting in place completely. Make your root password *very* secure. Keep the system completely updated.