Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian User (http://www.linux-archive.org/debian-user/)
-   -   Disallow other users from reading my $HOME (http://www.linux-archive.org/debian-user/305438-disallow-other-users-reading-my-home.html)

Dotan Cohen 01-06-2010 08:16 PM

Disallow other users from reading my $HOME
 
What are good permissions to use for one's home directory so that
other users on the system could not read or otherwise access my files?
Is 700 too paranoid? Should it be 755 like I see so many times? Will I
have problems with 750?

Thanks in advance for ideas.


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Ken Teague 01-06-2010 08:30 PM

Disallow other users from reading my $HOME
 
On Wed, Jan 6, 2010 at 1:16 PM, Dotan Cohen <dotancohen@gmail.com> wrote:

What are good permissions to use for one's home directory so that

other users on the system could not read or otherwise access my files?

Is 700 too paranoid? Should it be 755 like I see so many times? Will I

have problems with 750?

If you don't want others to have access to your home directory, use mode 700.* Personally, I don't find it to be too paranoid, and prefer it that way.

green 01-06-2010 08:30 PM

Disallow other users from reading my $HOME
 
Dotan Cohen wrote at 2010-01-06 15:16 -0600:
> What are good permissions to use for one's home directory so that
> other users on the system could not read or otherwise access my files?
> Is 700 too paranoid? Should it be 755 like I see so many times? Will I
> have problems with 750?

For files that already exist, I would use
u=rwX,g=rX,o=
I do not know how that translates to the number.
Note that will leave execution bits on non-directory files that already have
them for some user.

I use umask 0027 so that new files have permissions -rw-r-----.

Ken Teague 01-06-2010 08:59 PM

Disallow other users from reading my $HOME
 
On Wed, Jan 6, 2010 at 1:30 PM, green <greenfreedom10@gmail.com> wrote:


For files that already exist, I would use

*u=rwX,g=rX,o=

I do not know how that translates to the number.

Note that will leave execution bits on non-directory files that already have

them for some user.



I use umask 0027 so that new files have permissions -rw-r-----.

In his original e-mail, Mr. Cohen is looking for permissions so that other users can not read or access his data.* Correct me if I'm wrong, but that pretty much leaves us with mode 700, umask 077.

green 01-06-2010 09:40 PM

Disallow other users from reading my $HOME
 
Ken Teague wrote at 2010-01-06 15:59 -0600:
> On Wed, Jan 6, 2010 at 1:30 PM, green <[1]greenfreedom10@gmail.com> wrote:
> > For files that already exist, I would use
> > u=rwX,g=rX,o=
> > I do not know how that translates to the number.
> > Note that will leave execution bits on non-directory files that already have
> >them for some user.
> >
> > I use umask 0027 so that new files have permissions -rw-r-----.
>
> In his original e-mail, Mr. Cohen is looking for permissions so that other
> users can not read or access his data. Correct me if I'm wrong, but that
> pretty much leaves us with mode 700, umask 077.

Hmm, you are correct. I carelessly assumed that (1) any files owned by groups
other than his personal group (owned by other than user:user), and (2) any
users in his personal group, were that way for a reason.

But he probably doesn't want all his files marked as executable.

$ umask 0077
$ touch abc
$ ls -lh abc
-rw------- 1 user user 0 2010-01-06 16:36 abc
$ chmod 700 abc
$ ls -lh abc
-rwx------ 1 user user 0 2010-01-06 16:36 abc

So I change my suggestion to
u=rwX,g=,o=

Is that possible with numeric form (the execute bit)?

Jochen Schulz 01-06-2010 09:46 PM

Disallow other users from reading my $HOME
 
Ken Teague:
>
> In his original e-mail, Mr. Cohen is looking for permissions so that other
> users can not read or access his data. Correct me if I'm wrong, but that
> pretty much leaves us with mode 700, umask 077.

Correct me if I am wrong, but for files created inside $HOME, the umask
doesn't matter if $HOME itself has mode 700.

J.
--
I am on the payroll of a company to whom I owe my undying gratitude.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>

Bob McGowan 01-06-2010 10:11 PM

Disallow other users from reading my $HOME
 
Jochen Schulz wrote:
> Ken Teague:
>> In his original e-mail, Mr. Cohen is looking for permissions so that other
>> users can not read or access his data. Correct me if I'm wrong, but that
>> pretty much leaves us with mode 700, umask 077.
>
> Correct me if I am wrong, but for files created inside $HOME, the umask
> doesn't matter if $HOME itself has mode 700.
>
> J.

That's correct. With a home directory of 700, no one except the owner
can find any files, be they directories, links, files, etc., under the
home. Period. Doesn't matter what the permissions are, they can't be
found.

And 700 is not excessively paranoid. Since anyone can belong to a
group, it is possible for the "personal" group to have other names added
to it. Using 700 guarantees they have no access, if this should happen.

An alternative setting I've sometimes used is 711. This allows the
owner to send someone the full, spelled out, path to a file, and they
can get it, but nothing else. Setting things this way could be useful,
for sharing only what needs to be shared, with one caveat: experienced
users know the full path for "hidden" configuration files/directories,
so they would all need to change to 600 (files) or 700 (directories) to
be sure they can't be compromised in some way.

--
Bob McGowan


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Ken Teague 01-06-2010 11:05 PM

Disallow other users from reading my $HOME
 
On Wed, Jan 6, 2010 at 2:40 PM, green <greenfreedom10@gmail.com> wrote:
> But he probably doesn't want all his files marked as executable.

"chmod 700 $HOME" will change only the home directory permissions,
which excludes all files that are currently present.

itsme@testbox:~> ls -ld $HOME
drwx------ 19 itsme users 4096 2009-10-13 21:38 /home/itsme
itsme@testbox:~> ls -l $HOME
total 4512
drwx------ 2 itsme users 4096 2009-03-25 18:56 Desktop
-rwxr-xr-x 1 itsme users 541 2009-10-13 20:58 freespace.pl
-rw-r--r-- 1 itsme users 9214 2009-07-20 19:05 stat.txt
drwxr-xr-x 3 itsme users 45 2009-11-18 14:55 tmp
-rw-r--r-- 1 itsme users 210964 2009-02-18 21:26 VRTSralusPatch.tar.gz
-rw-r--r-- 1 itsme users 19539 2009-07-16 18:10 xmacro-pre0.3-20000911.tar.gz
-rw-r--r-- 1 itsme users 4362344 2009-07-16 18:10 xnee-3.03.tar.gz
itsme@testbox:~> su -
Password:
testbox:~ # su - otheruser
testbox /home/otheruser> grep users /etc/group
users:x:100:otheruser
testbox /home/otheruser> less /home/itsme/freespace.pl
/home/itsme/freespace.pl: Permission denied

> $ umask 0077
> $ touch abc
> $ ls -lh abc
> -rw------- 1 user user 0 2010-01-06 16:36 abc

umask 0077 will do exactly as you've shown. It will ensure all future
files will be mode 600. If a file needs the execute bit, it should be
set manually. Files that are included in an archive with the execute
bit set will retain it upon expanding the archive.

testbox /home/otheruser> exit
logout
testbox:~ # exit
logout
itsme@testbox:~> umask 0077
itsme@testbox:~> touch myscript.pl
itsme@testbox:~> ls -l myscript.pl
-rw------- 1 itsme users 0 2010-01-06 18:41 myscript.pl
itsme@testbox:~> chmod 700 myscript.pl
itsme@testbox:~> ls -l myscript.pl
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl
itsme@testbox:~> tar cvjf myscript.pl.tar.bz2 myscript.pl
myscript.pl
itsme@testbox:~> ls -l mys*
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl
-rw------- 1 itsme users 128 2010-01-06 18:42 myscript.pl.tar.bz2
itsme@testbox:~> rm myscript.pl
itsme@testbox:~> tar xvjf myscript.pl.tar.bz2
myscript.pl
itsme@testbox:~> ls -l myscript.pl
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl


If you really want to be paranoid, you could set umask to 0277 so that
all files are mode 400.


> So I change my suggestion to
> u=rwX,g=,o=

This is an answer more suited to meet the needs of Mr. Cohen, but X is
normally intended to be used with -R (recursive) so that all files
that currently contain an execute bit retain that bit, and those that
don't are not set to contain the execute bit. I'd simply use "chmod
700 $HOME" and call it a day.


> Is that possible with numeric form (the execute bit)?

Not from my research. If anyone knows, please share.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

green 01-06-2010 11:29 PM

Disallow other users from reading my $HOME
 
Ken Teague wrote at 2010-01-06 18:05 -0600:
> On Wed, Jan 6, 2010 at 2:40 PM, green <greenfreedom10@gmail.com> wrote:
> > But he probably doesn't want all his files marked as executable.
>
> "chmod 700 $HOME" will change only the home directory permissions,
> which excludes all files that are currently present.

> > So I change my suggestion to
> > u=rwX,g=,o=
>
> This is an answer more suited to meet the needs of Mr. Cohen, but X is
> normally intended to be used with -R (recursive) so that all files
> that currently contain an execute bit retain that bit, and those that
> don't are not set to contain the execute bit. I'd simply use "chmod
> 700 $HOME" and call it a day.

Okay, I was assuming recursion because I have a ~/public_html and symlinks from
it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
break stuff. Otherwise, just changing $HOME permissions is an excellent
solution.

Ken Teague 01-07-2010 12:33 AM

Disallow other users from reading my $HOME
 
On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10@gmail.com> wrote:
> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
> break stuff. *Otherwise, just changing $HOME permissions is an excellent
> solution.

Great point. "chmod 700 $HOME" would make ~/public_html to be not so
public, since, on a Debian box, apache runs under the www-data
account. :) So, if Mr. Cohen has such a configuration, he would need
to relocate his ~/public_html directory (along with all symlinked
scripts or binaries) to a public location that can be accessed by the
www-data account, and modify his apache configuration accordingly. I
have an account on freeshell.net that is configured like this:

[501]itsme@iceland:~$ ls -ld $HOME
drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
[502]itsme@iceland:~$ ls -l html
lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
[503]itsme@iceland:~$ ls -ld /www/am/i/itsme
drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme

This, to me, looks like the most elegant approach.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


All times are GMT. The time now is 05:52 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.