[Adduser-devel] Bug#398793: Default Homedir Permissions
Roger Leigh
rleigh at codelibre.net
Thu Feb 17 14:58:36 UTC 2011
On Thu, Feb 17, 2011 at 03:31:18PM +0100, Olaf van der Spek wrote:
> On Thu, Feb 17, 2011 at 2:44 PM, Ian Jackson
> <ijackson at chiark.greenend.org.uk> wrote:
> > Olaf van der Spek writes ("Default Homedir Permissions"):
> >> Default homedir permissions are 755. World-readable (and listable).
> >> Common (security) sense says that permissions that are not required
> >> should not be granted. For example, accounts mysql and www-data should
> >> not have access to my documents.
> >
> > I disagree with this conclusion, because I disagree with the
> > underlying implication that the general readability of files is not
> > needed.
>
> > Most installed systems have a smallish number of users who know each
> > other reasonably well and would like to be able to share files. It
…
> > So the default is correct.
> >
> > Perhaps it might be reasonable to try to find a way for accounts like
> > mysql and www-data not to be able to access home directories (add
> > "daemon" to their supplementary group list and set the permissions of
> > /home 0705 to root.daemon, perhaps), but is this really worthwhile ?
>
> That would be another violation of general security principles (access
> control based on exclusion instead of inclusion);
There are obviously differences of opinion in our expectations of
"how secure" a default installation should be.
Should it be locked down like Fort Knox?
Should it be generally usable, and easy for users to see each other's
stuff?
In general, I think it's fair to say that the average Debian
installation does not require Fort Knox levels of security. Simply
allowing other people to read our files is often something desirable;
if I have something especially secret, I'll take steps to make sure
it's not readable or writeable by anyone except me. But in general,
it's not a bad thing that others can see my stuff. I can always keep
private things in a 0700 subdirectory.
Even on the massively shared systems I use, it's common for home
directories to be readable by default, so you can let other people
access your data, scripts, git repos, or whatever.
I can see that in some circumstances you might well want total control
over who can see your files, but unless you're dealing with TOP SECRET
stuff, I am not convinced that this is something the typical user would
wish to have by default. Are there any common use cases which require
this?
Regards,
Roger
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
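An added illustration, not part of the thread, of the permission semantics being argued over: the POSIX class-selection rule that lets a 0705 root.daemon /home exclude members of the daemon group, and why that is exclusion rather than inclusion (any daemon account not added to the group still gets through). The uids, gids, group memberships and modes below are constructed samples.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # bits within one rwx class

@dataclass(frozen=True)
class Inode:
    uid: int    # owner
    gid: int    # group
    mode: int   # permission bits, e.g. 0o705

@dataclass(frozen=True)
class Proc:
    uid: int
    groups: frozenset  # primary plus supplementary gids

def allowed(proc, node, want):
    """POSIX DAC check (no ACLs, no capabilities). Exactly one class applies:
    owner, else group, else other. A group member never falls back to the
    'other' bits, so 0705 root:daemon excludes 'daemon' and admits the rest."""
    if proc.uid == 0:
        return True  # root bypasses directory permission checks
    if proc.uid == node.uid:
        shift = 6
    elif node.gid in proc.groups:
        shift = 3
    else:
        shift = 0
    return ((node.mode >> shift) & want) == want

def can_list(proc, chain):
    # Listing needs x on every ancestor and r+x on the directory itself.
    return all(allowed(proc, d, X) for d in chain[:-1]) and allowed(proc, chain[-1], R | X)

# Constructed sample ids, not taken from any real system.
ROOT, DAEMON, ALICE, BOB, WWW, MYSQL = 0, 1, 1000, 1001, 33, 104

def scenarios():
    home = Inode(ROOT, ROOT, 0o755)            # plain /home
    home_excl = Inode(ROOT, DAEMON, 0o705)     # the root.daemon 0705 /home idea
    alice = Inode(ALICE, ALICE, 0o755)         # adduser's default home
    alice_priv = Inode(ALICE, ALICE, 0o700)    # the proposed 0700 default
    www = Proc(WWW, frozenset({WWW, DAEMON}))  # www-data added to 'daemon'
    mysql = Proc(MYSQL, frozenset({MYSQL}))    # mysql never added
    bob = Proc(BOB, frozenset({BOB}))          # ordinary second user
    return {
        "755_www_lists_alice": can_list(www, [home, alice]),            # True
        "700_www_lists_alice": can_list(www, [home, alice_priv]),       # False
        "excl_www_lists_alice": can_list(www, [home_excl, alice]),      # False
        "excl_bob_lists_alice": can_list(bob, [home_excl, alice]),      # True
        "excl_mysql_lists_alice": can_list(mysql, [home_excl, alice]),  # True
    }
```

The last entry is the exclusion problem in one line: the 0705 scheme only blocks accounts someone remembered to put in the group.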