Date:      Mon, 25 Oct 2004 13:15:54 -0400
From:      Chris Humphries <chris@burst.net>
To:        freebsd-security@freebsd.org
Cc:        Jesper Wallin <jesper@hackunite.net>
Subject:   Re: Default permissions of /home/user..
Message-ID:  <200410251315.55344.chris@burst.net>
In-Reply-To: <1357.213.112.198.199.1098562966.squirrel@mail.hackunite.net>
References:  <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net> <52757.10.0.0.10.1098560266.squirrel@10.0.0.10> <1357.213.112.198.199.1098562966.squirrel@mail.hackunite.net>

On Saturday 23 October 2004 04:22 pm, Jesper Wallin wrote:
> Hello..
>
> Sure, this works nice.. but yet, I did have to modify /usr/sbin/adduser ..
> Also, some of you said it's bad having a homedir chmod 700, how come? Let's
> say I use the account for coding, IRC perhaps, mail, etc.. none of those
> things require more access than 700? All I can think of is public_html
> which need o+x so nobody and/or www can access that directory.. I know,
> FreeBSD isn't Linux but most Linux systems run the same programs such as
> postfix, mysql, apache, openssh, etc.. and I know some distributions (like
> gentoo for example) which chmod it to 700 by default.. :)
>
> Wouldn't it be nice to add a default option for this in adduser.conf, like
> chmod=755? Since there seem to be more than just me asking for such
> feature. ;)
>

IMO, the OS should apply the most useful permissions. If home directory
permissions are a problem, then running a script that tightens down 
everything is more appropriate.

I have scripts that I run on servers that apply whatever settings and
permissions I desire, after initial creation of the user[/group] and 
directories. That includes default directory and ACL setup.

Just like a default install of the OS should never be stuck directly on the
net, default user creation should not allow the user right after... unless
that is what you like to do, heh.

I do not believe this is something that should be part of the OS, but should
be something that is part of whatever set of utilities you use and are 
required of you or your team locally.

>
> Best regards,
> Jesper Wallin
>
> ps, thanks for all replies :D
>
> >> Sorry for my mistake - you use FreeBSD 5. The adduser command was
> >> changed to
> >> sh script in it. I do not use 5, so sorry again.
> >>
> >> If your /usr/sbin/adduser has in the start of lines 278 to 280 word
> >> "_pwcmd", add something like this after line 280:
> >> _pwcmd="$_pwcmd && chmod 700 $_home"
> >>
> >> Command stored in $_pwcmd is executed on line 282. The user should be
> >> added
> >> and homedir should be created. The addition above should chmod its
> >> homedir to 700 (drwx------) automatically.
> >>
> >> !!! AGAIN, NOT TESTED !!!
> >>
> >> Peter Rosa
> >
> > Just a quick correction, you'll want to chmod $uhome not $_home. Having
> > done that, you can consider your suggestion tested and working.
> >
> > Mark Magiera
> >
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
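
A post-creation tightening script of the kind the reply above describes, as an added example that is not code from the thread or from FreeBSD's adduser. It assumes all homes sit directly under one base directory and that a home containing public_html should get 711 (o+x for the web server) instead of 700; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit or tighten home directory modes after account creation.
# Assumptions (not from the thread): homes live directly under BASE, and a
# home that contains public_html gets 711 rather than 700.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# tighten_homes BASE [apply]
# Reports each home whose mode differs from the target on stderr and changes
# it only when the second argument is "apply". Prints the number of homes
# that differed on stdout.
tighten_homes() {
    base=$1
    apply=${2:-}
    changed=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        # Skip symlinks so nothing outside BASE is ever chmod'ed.
        if [ -L "$home" ]; then continue; fi
        if [ -d "$home/public_html" ]; then
            want=711   # o+x only: web server can traverse, not list
        else
            want=700
        fi
        have=$(mode_of "$home")
        if [ "$have" != "$want" ]; then
            echo "$home: $have -> $want" >&2
            if [ "$apply" = apply ]; then chmod "$want" "$home"; fi
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Stand-alone use: ./tighten.sh /home        (report only)
#                  ./tighten.sh /home apply  (fix modes)
if [ $# -gt 0 ]; then
    tighten_homes "$@"
fi
```

Run it without `apply` first to see which homes would change before modifying anything.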


