06-01-2006, 01:50 AM | #1 | Member | Registered: Jan 2006 | Location: Pittsburgh, PA, US | Distribution: Arch | Posts: 69
Any issues with chmod 700 on /home/{* user}?
I'm using Slackware 10.2, which is creating new users' home directories chmod 711. While this prevents ls'ing in another user's directory, I can read most known files as any user.
For example:
less /home/{user}/.bash_history (as a side note, I just tried to tab complete /h{TAB} while typing this post - LOL)
Firefox & Thunderbird would probably be good candidates also.
Would any applications have problems if I locked the dirs up to 700?
Last edited by onedingo; 06-07-2006 at 09:38 PM.
06-01-2006, 03:42 AM | #2 | Senior Member | Registered: Feb 2006 | Location: Seattle, WA: USA | Distribution: Slackware 11.0 | Posts: 1,191
Nope, if you are running the app as userjoe then that app will have all the permissions userjoe has (in this case rwx). That's not a bad idea at all, you should not have any files in the home directory you plan on sharing to other users anyways.
regards,
...drkstr
06-07-2006, 06:01 PM | #3 | HCL Maintainer | Registered: Jun 2003 | Location: McCalla, AL, USA | Distribution: Arch, Gentoo | Posts: 6,941
It appears that you've got something set up incorrectly in your Slackware system.
By default Slackware-10.2 sets users' /home directories to 711, and users therefore cannot read each other's files. If yours can, then you've changed something else (perhaps in /etc/group).
As for your tab completion, if you enter "less /h(tab)" it is going to autocomplete "less /home/" in a default Slackware system. It will also complete another user's name, but not any filenames below that directory.
Examples:
Code:
mingdao@paul:~$ less /home/bruce/
That's as far as user mingdao can autocomplete on user bruce. The system will NOT even ls the directory as it would for user mingdao.
Code:
mingdao@paul:~$ less /home/bruce/.bash_history
/home/bruce/.bash_history: Permission denied
mingdao@paul:~$
The system will NOT let user mingdao view any of user bruce's files ... period.
Code:
mingdao@paul:~$ su bruce
Password:
bruce@paul:/home/mingdao$ cd
bruce@paul:~$ less /home/mingdao/.bash_history
/home/mingdao/.bash_history: Permission denied
bruce@paul:~$
Same with user bruce trying to look at user mingdao's files.
From "man chmod"
Code:
A numeric mode is from one to four octal digits (0-7), derived by adding up the
bits with values 4, 2, and 1. Any omitted digits are assumed to be leading zeros.
The first digit selects the set user ID (4) and set group ID (2) and save text
image [`sticky'] (1) attributes. The second digit selects permissions for the
user who owns the file: read (4), write (2), and execute (1); the third selects
permissions for other users in the file's group, with the same values; and the
fourth for other users not in the file's group, with the same values.
I suspect you've changed something from the default Slackware setup...
06-07-2006, 07:38 PM | #4 | Member | Registered: Jan 2006 | Location: Pittsburgh, PA, US | Distribution: Arch | Posts: 69 | Original Poster
When I said /h{tab}, I meant I did this in the forum's text form entry box.
.bash_history may be a bad example, as it is usually 600. If a user rm's it and then creates a new one, it will default to 755 depending on umask. That really doesn't clear their history anyway as it is written on logout.
Do this:
user-a$ cd
user-a$ cat test > test.txt
Logout user-a & login user-b
user-b$ cat /home/user-a/test.txt
By default, Slackware's permissions should allow the file to be read.
06-07-2006, 08:41 PM | #5 | HCL Maintainer | Registered: Jun 2003 | Location: McCalla, AL, USA | Distribution: Arch, Gentoo | Posts: 6,941
Evidence:
Here it is, mate:
Code:
mingdao@silas:~$ cat test > test.txt
cat: test: No such file or directory
mingdao@silas:~$ vi test
mingdao@silas:~$ cat test > test.txt
mingdao@silas:~$ su bruce
Password:
bruce@silas:/home/mingdao$ cat test.txt
Rob's example...
bruce@silas:/home/mingdao$ ls -lh
ls: .: Permission denied
bruce@silas:/home/mingdao$ exit
mingdao@silas:~$ ls -lh /home/bruce/
/bin/ls: /home/bruce/: Permission denied
mingdao@silas:~$
I stand corrected, as I didn't read your post well enough.
So if the other user knows the filename he can read it.
But if not, it's a moot point, as you can't "ls" another user.
Some other interesting asides...
Firefox will not allow you to cd to another user's directory,
using the menu File > Open File... (or Ctrl+O).
Entered in the Firefox address bar:
file:///home/bruce/test.txt
returns this result:
Code:
Firefox can't find the file at /home/bruce/test.txt.
Firefox can't read even known files.
Code:
mingdao@silas:~$ su bruce
Password:
bruce@silas:/home/mingdao$ cat test
Rob's example w/out ext...
bruce@silas:/home/mingdao$ rm test
rm: remove write-protected regular file `test'? yes
rm: cannot remove `test': Permission denied
bruce@silas:/home/mingdao$ vi test
Rob's example w/out ext...
~
~
~
Read test [READONLY], 1 lines, 27 chars 1,1 Command
I don't think it's a security issue, or problem, but how Slackware is designed. You can read other users' files if you know their names and path (more than just the filename), but you cannot change them, because they're created 644.
In response to your original question, I don't know as I've never done that. Just chmod it and try.
But wouldn't it be easier to chmod an individual file that you didn't want another user to read?
Or if it's top-secret material you can encrypt it with "gpg -r <recipient> -e <file>" and only that recipient can read it ... provided you're good enough creating the passwd.
How many different people (not users) use that box?
If you're the only user, this question is as the Chinese say "er bai wu." If there are other people using the box, perhaps a little creativity would prevent even the necessity of chmod'ing?
Where I live, because of the work I do, we use GnuPG for anything that we don't want someone else to read. There are a myriad of files, however, that even you are welcome to read.
06-07-2006, 09:15 PM | #6 | Member | Registered: Jan 2006 | Location: Pittsburgh, PA, US | Distribution: Arch | Posts: 69 | Original Poster
Let's think of this:
A user of the system needs remote access (SSH) but does a lousy job of picking/protecting passwords. Somehow their account is compromised and an attacker gains user access. It would not be hard to read some other users' known files such as (and I'm doing this from memory and a WinXP machine as I don't have Linux available right now):
/home/user-a/.thunderbird/profiles.ini // This will give you the info to defeat the "random" directory
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/Mail/Local Folders/Inbox
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/abook.mab
Of course, all this is unlikely but possible.
06-07-2006, 09:24 PM | #7 | Senior Member | Registered: Feb 2006 | Location: Seattle, WA: USA | Distribution: Slackware 11.0 | Posts: 1,191
Which is why those folders get 700 by default ... at least on my system they do. Is this different on yours?
regards,
...drkstr
06-07-2006, 09:46 PM | #8 | Member | Registered: Jan 2006 | Location: Pittsburgh, PA, US | Distribution: Arch | Posts: 69 | Original Poster
Yep. 711. Read first post.
*EDIT* oops! I thought you meant the home dirs, not the Thunderbird ones. Mine must have gotten screwed up after transferring from a Windows machine.
Last edited by onedingo; 06-07-2006 at 10:30 PM.
06-07-2006, 09:48 PM | #9 | HCL Maintainer | Registered: Jun 2003 | Location: McCalla, AL, USA | Distribution: Arch, Gentoo | Posts: 6,941
Quote:
Originally Posted by onedingo
Let's think of this:
A user of the system needs remote access (SSH) but does a lousy job of picking/protecting passwords. Somehow their account is compromised and an attacker gains user access. It would not be hard to read some other users' known files such as (and I'm doing this from memory and a WinXP machine as I don't have Linux available right now):
/home/user-a/.thunderbird/profiles.ini // This will give you the info to defeat the "random" directory
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/Mail/Local Folders/Inbox
/home/user-a/.thunderbird/Profiles/XXXXXXX.XXX/abook.mab
Of course, all this is unlikely but possible.
How would an attacker take over an SSH session? One of us doesn't properly understand SSH...
So, assuming (but how would he?) a cracker "took over an ssh session" -- then...
Code:
mingdao@silas:~$ less /home/bruce/.thunderbird/profiles.ini
mingdao@silas:~$ less /home/bruce/.thunderbird/<munged>.default/Mail/Local\ Folders/Inbox
/home/bruce/.thunderbird/<munged>.default/Mail/Local Folders/Inbox: Permission denied
As drkstr told you:
Code:
mingdao@silas:~$ ls -alh /home/mingdao/.thunderbird/
total 18K
drwxr-xr-x 3 mingdao users 136 2006-04-11 21:44 ./
drwx--x--x 60 mingdao users 9.3K 2006-06-08 08:15 ../
-rw-r--r-- 1 mingdao users 335 2006-04-11 21:44 appreg
-rw-r--r-- 1 mingdao users 94 2006-04-11 21:44 profiles.ini
drwx------ 7 mingdao users 1.1K 2006-06-07 11:50 <munged>.default/
Nope ... 700 --check again.
P.S. You wouldn't cat mine --
/home/mingdao/.thunderbird/<munged>.default/Mail/Local\ Folders/Inbox lines 1-26/2579005 0%
-- you'd lock up your cracker box.
Case closed...
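The permission behaviour the thread demonstrates in posts #3, #5 and #9 (a 711 home lets a file through by exact name if the file itself is readable, while 700 blocks everything, and a 700 Thunderbird profile dir inside a 711 home is still unreachable) can be audited from the mode bits alone. The script below is an added example, not code from the thread or from Slackware; it assumes GNU find and GNU stat, and the sample tree it builds (users "alice" and "bob") is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a /home-style tree for the exposure
# the posts demonstrate. A 711 home directory lets another local user open a
# file inside it by exact name when the file itself is readable (the 644
# default), even though listing the directory is denied; 700 closes that.
# Assumes GNU find (-perm with symbolic and "/any-of" modes) and GNU stat -c.
# "Non-owner" means the group OR others bits: Slackware puts everyone in the
# "users" group, so the group bits matter as much as the others bits.

# audit_homes BASE: for each home directory under BASE that a non-owner can
# traverse, print "<dir> <mode> <n>", where n counts regular files inside it
# that a non-owner can reach and read (untraversable subtrees are pruned).
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        # A 700 home: nothing inside is reachable by name, so skip it.
        [ -n "$(find "$d" -maxdepth 0 -perm /g=x,o=x)" ] || continue
        n=$(( $(find "$d" \( -type d ! -perm /g=x,o=x -prune \) -o \
                     \( -type f -perm /g=r,o=r -print \) | wc -l) ))
        printf '%s %s %s\n' "$d" "$(stat -c '%a' "$d")" "$n"
    done
}

# lock_homes BASE: the fix the original poster asks about, applied to each
# home directory under BASE.
lock_homes() {
    for d in "$1"/*/; do
        [ -d "${d%/}" ] && chmod 700 "${d%/}"
    done
}

# make_sample: constructed tree mirroring the thread (alice = 711 home with a
# 644 test.txt, a 600 .bash_history and a 700 Thunderbird profile; bob = 700).
# Prints the path of the tree.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/alice/.thunderbird/profile.default" "$base/bob"
    echo "Rob's example..." > "$base/alice/test.txt"
    : > "$base/alice/.bash_history"
    : > "$base/alice/.thunderbird/profile.default/Inbox"
    : > "$base/bob/notes.txt"
    chmod 711 "$base/alice" && chmod 700 "$base/bob"
    chmod 644 "$base/alice/test.txt" "$base/bob/notes.txt" \
              "$base/alice/.thunderbird/profile.default/Inbox"
    chmod 600 "$base/alice/.bash_history"
    chmod 700 "$base/alice/.thunderbird/profile.default"
    printf '%s\n' "$base"
}
```

Run `audit_homes /home` as root to see which homes expose what; only alice's test.txt is reported for the sample tree, since .bash_history is 600 and the Inbox sits under a 700 directory.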