Date: Sun, 26 Oct 2008 16:58:48 +0100
From: dick hoogendijk <dick@nagual.nl>
To: freebsd-questions@freebsd.org
Subject: Re: restrict FreeBSD users to their home directory
Message-ID: <20081026165848.f720da24.dick@nagual.nl>
In-Reply-To: <20081026131450.GA82837@slackbox.xs4all.nl>
References: <20081026085332.GA97254@slackbox.xs4all.nl> <NBECLJEKGLBKHHFFANMBGECCCMAA.joeb@a1poweruser.com> <20081026131450.GA82837@slackbox.xs4all.nl>

On Sun, 26 Oct 2008 14:14:50 +0100
Roland Smith <rsmith@xs4all.nl> wrote:

> On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote:
> <snip>
> >> > I don't want them to be able to see any system directories or other
> >> > users?
> >>
> >> User directories are by default both owned by the user and belong
> >> to the user's group. So you can set the umask for every user so
> >> that their files are not accessible to others.
> >>
> >> You cannot block read and execute access to a lot of system files
> >> (binaries, libraries, /usr/[local/]share/) without making the
> >> system useless.
> >>
> >> What is the problem you're trying to solve? Blocking read access to
> >> system files is almost certainly the wrong solution.
> >>
> > Want to keep all the users from being able to see anything outside
> > of their home directory using gnome or kde desktop.
>
> I ask again, why?

The only thing I can imagine is that he is worried about the privacy of
other users' files. If that is the case a chmod 700 on the directories
and a chmod 600 on the (user) files would give a little privacy for
others. It's very difficult to see each other's files that way.
As you already stated: system files are a totally different story. Users
should not have to worry about them.

> Realize that if the users have physical access to the machine, these
> security measures are _useless_. A hostile user could take out the
> harddisk, put it in a machine where he has a root account and read all
> the disk's contents (unless it's encrypted).

You're right here but I get the feeling this is beside the point of the
OP's question. ;-)

--
Dick Hoogendijk -- PGP/GnuPG key: 01D2433D
++ http://nagual.nl/ + SunOS sxce snv99 ++
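
The chmod 700 / chmod 600 and umask suggestions from the message above, as an added shell example that is not part of the original e-mail. The helper names `audit_home`, `lock_home`, `create_private` and `mode_of` are hypothetical, and the sketch uses `chmod go-rwx` rather than literal 700/600 so that default 755/644 entries end up as 700/600 while the owner's execute bit on scripts is kept.

```shell
#!/bin/sh
# Added example: audit and tighten one user's home directory.
# The path is supplied by the caller; nothing here is FreeBSD-specific.

# List every entry under $1 that group or others can read, write or
# execute. Only POSIX find primaries are used, so this works with both
# BSD and GNU find.
audit_home() {
    find "$1" ! -type l \( \
        -perm -0040 -o -perm -0020 -o -perm -0010 -o \
        -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Strip all group/other bits. A 755 directory becomes 700 and a 644 file
# becomes 600; the owner's own bits are left alone. Symlinks are skipped
# so chmod never follows a link out of the home directory.
lock_home() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}

# Create a file that is private from the start by tightening the umask
# in a subshell, so the caller's own umask is not changed.
create_private() {
    ( umask 077 && : > "$1" )
}

# Print only the permission string of $1, e.g. drwx------.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone use: sh thisfile.sh /home/alice   (audit only, changes nothing)
if [ "$#" -eq 1 ]; then
    audit_home "$1"
fi
```

An empty result from `audit_home` after `lock_home` confirms that no group or other access remains below that directory; new files still need a umask of 077 to stay that way.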