Re: [SLE] more on umask

From: James Knott (james.knott_at_rogers.com)
Date: 08/24/05

    Date: Wed, 24 Aug 2005 13:44:29 -0400
    To: suse-linux-e@suse.com
    
    

    Jos van Kan wrote:
    > James Knott wrote:
    >>
    >>
    >> Forgot to mention, the default configuration in SuSE has everyone in the
    >> "users" group and then gives group members read access to all the home
    >> directories. In Red Hat, each user is given his own group, which keeps
    >> others out of his home directory. To do this in SuSE, you either have
    >> to change the user's group after creating the user or use Webmin to
    >> create the user. It's also a good idea to change /etc/skel, to remove
    >> the group permissions, when a user is created. I have no idea why SuSE
    >> fails on this issue, when they're supposed to be so focused on security.
    >
    > I fail to see what this has got to do with security. It completely
    > defeats the group idea to give every user its own group. But if you want
    > to keep everyone out of your files and directories nothing stops you
    > from chmod'ing the lot to y00, y=0..7

    The security problem is that:

    a) Every user is a member of users
    b) In the default install, every member of the group users has access to
    the home directory of every other user.

    This means that I, as a member of group users, can read the contents of
    your personal documents in your home directory.

    If you want to share files with the group, create a directory for that
    group and every member of that group has access to that shared
    directory. A user shouldn't have to take action, to keep others out of
    his home directory.

    As an experiment, create another user on your system and create a text
    document in the home directory for that user. Then, log in as yourself
    and try reading that file. Then log in as that other user and try
    accessing files in your home directory. Tell me again about the
    security of that setup.

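A check for the condition described in this message, added here as an example and not part of the original post: it lists home directories that group or other users can access and removes those permissions on request. The function names are made up for this example, and it assumes only POSIX `ls`, `cut`, `sed` and `awk`.

```shell
#!/bin/sh
# Added example: find home directories that group or other users can enter.

# Print "private" if neither group nor other has any permission on DIR,
# otherwise "exposed group=<rwx> other=<rwx>".
home_access() {
    line=$(ls -ld -- "$1") || return 2
    # Characters 5-7 are the group bits, 8-10 the other bits. Map the
    # setgid/sticky markers back to the plain x or - they stand for.
    bits=$(printf '%s\n' "$line" | cut -c5-10 | sed 'y/sStT/x-x-/')
    if [ "$bits" = "------" ]; then
        echo private
    else
        g=$(printf '%s\n' "$bits" | cut -c1-3)
        o=$(printf '%s\n' "$bits" | cut -c4-6)
        echo "exposed group=$g other=$o"
    fi
}

# Print one line per exposed directory directly under BASE (default /home),
# with its owning group. Returns 1 if any was exposed, else 0.
audit_homes() {
    base=${1:-/home}
    rc=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        access=$(home_access "$d") || continue
        if [ "$access" != "private" ]; then
            group=$(ls -ld -- "$d" | awk '{print $4}')
            printf '%s owner-group=%s %s\n' "$d" "$group" "$access"
            rc=1
        fi
    done
    return "$rc"
}

# Remove all group and other permissions from DIR itself (not recursive).
lock_home() {
    chmod go-rwx "$1"
}

# Run the audit when a base directory is given on the command line.
if [ $# -gt 0 ]; then audit_homes "$1"; fi
```

Run it as `sh script.sh /home`; a directory owned by the shared `users` group with `group=r-x` is the case the message describes.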
    
