[Adduser-devel] Bug#398793: Default Homedir Permissions

Roger Leigh rleigh at codelibre.net
Thu Feb 17 14:58:36 UTC 2011


On Thu, Feb 17, 2011 at 03:31:18PM +0100, Olaf van der Spek wrote:
> On Thu, Feb 17, 2011 at 2:44 PM, Ian Jackson
> <ijackson at chiark.greenend.org.uk> wrote:
> > Olaf van der Spek writes ("Default Homedir Permissions"):
> >> Default homedir permissions are 755. World-readable (and listable).
> >> Common (security) sense says that permissions that are not required
> >> should not be granted. For example, accounts mysql and www-data should
> >> not have access to my documents.
> >
> > I disagree with this conclusion, because I disagree with the
> > underlying implication that the general readability of files is not
> > needed.
> 
> > Most installed systems have a smallish number of users who know each
> > other reasonably well and would like to be able to share files.  It
…
> > So the default is correct.
> >
> > Perhaps it might be reasonable to try to find a way for accounts like
> > mysql and www-data not to be able to access home directories (add
> > "daemon" to their supplementary group list and set the permissions of
> > /home 0705 to root.daemon, perhaps), but is this really worthwhile ?
> 
> That would be another violation of general security principles (access
> control based on exclusion instead of inclusion);

There are obviously differences of opinion in our expectations of
"how secure" a default installation should be.

Should it be locked down like Fort Knox?

Should it be generally usable, and easy for users to see each other's
stuff?

In general, I think it's fair to say that the average Debian
installation does not require Fort Knox levels of security.  Simply
allowing other people to read our files is often something desirable;
if I have something especially secret, I'll take steps to make sure
it's not readable or writeable by anyone except me.  But in general,
it's not a bad thing that others can see my stuff.  I can always keep
private things in a 0700 subdirectory.

Even on the massively shared systems I use, it's common for home
directories to be readable by default, so you can let other people
access your data, scripts, git repos, or whatever.

I can see that in some circumstances you might well want total control
over who can see your files, but unless you're dealing with TOP SECRET
stuff, I am not convinced that this is something the typical user would
wish to have by default.  Are there any common use cases which require
this?


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
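An added example, not part of this thread or of adduser itself, to make concrete the two mechanisms the message above discusses: Ian's "/home 0705 root.daemon with the service accounts in group daemon" idea and Roger's "keep private things in a 0700 subdirectory". The first function reproduces the kernel's discretionary-access rule for a single directory: the owner bits apply if the uid matches, otherwise the group bits if the file's group is among the caller's groups, otherwise the "other" bits, and only the first matching class is consulted. That first-match rule is exactly why a group with fewer rights than "other" works as an exclusion list, and also why it is exclusion-based: any service account not put in the daemon group silently keeps world access. The account names, group memberships and modes below are constructed inputs; the functions model plain mode bits only (root, CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH and POSIX ACLs bypass or extend this logic and are not modelled).

```shell
#!/bin/sh
# Added example, not code from the adduser project or the thread above.
# effective_bits MODE OWNER GROUP USER USERGROUPS
#   MODE: 3- or 4-digit octal mode (e.g. 0705); USERGROUPS: space-separated
#   list of groups USER belongs to (constructed input for the demonstration).
# Prints the rwx triple USER gets, using the kernel's first-matching-class rule.
effective_bits() {
    mode=$1; owner=$2; group=$3; user=$4; ugroups=$5
    # keep the last three octal digits; setuid/setgid/sticky are ignored here
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    if [ "$user" = "$owner" ]; then
        digit=$(printf '%s' "$perms" | cut -c1)       # owner class
    else
        digit=$(printf '%s' "$perms" | cut -c3)       # default: "other" class
        for g in $ugroups; do
            if [ "$g" = "$group" ]; then
                digit=$(printf '%s' "$perms" | cut -c2)   # group class wins, even if it grants less
                break
            fi
        done
    fi
    case $digit in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) echo '???'; return 1 ;;
    esac
}

# can_traverse MODE OWNER GROUP USER USERGROUPS
#   Exit 0 if USER gets the x bit, i.e. may pass through the directory to
#   reach the home directories beneath it; exit 1 otherwise.
can_traverse() {
    case $(effective_bits "$@") in
        *x) return 0 ;;
        *)  return 1 ;;
    esac
}

# make_private_dir PATH
#   Create PATH as a 0700 directory without a window in which it is
#   world-readable: the umask applies at mkdir time, so there is no
#   mkdir-then-chmod gap. chmod afterwards covers a pre-existing directory.
#   Prints the resulting permission string (rwx------ on success).
make_private_dir() {
    (umask 077 && mkdir -p "$1") || return 1
    chmod 0700 "$1" || return 1
    ls -ld "$1" | cut -c2-10
}

# Demonstration with constructed identities; no real accounts are touched.
#   alice    - ordinary user, groups: alice users
#   www-data - service account, given supplementary group daemon
demo() {
    printf '%-24s %-9s %s\n' 'directory' 'account' 'bits'
    printf '%-24s %-9s %s\n' '/home 0755 root:root'   'alice'    "$(effective_bits 0755 root root alice 'alice users')"
    printf '%-24s %-9s %s\n' '/home 0755 root:root'   'www-data' "$(effective_bits 0755 root root www-data 'www-data daemon')"
    printf '%-24s %-9s %s\n' '/home 0705 root:daemon' 'alice'    "$(effective_bits 0705 root daemon alice 'alice users')"
    printf '%-24s %-9s %s\n' '/home 0705 root:daemon' 'www-data' "$(effective_bits 0705 root daemon www-data 'www-data daemon')"
    printf '%-24s %-9s %s\n' '/home 0705 root:daemon' 'mysql'    "$(effective_bits 0705 root daemon mysql 'mysql')"
    printf '%-24s %-9s %s\n' '~alice/private 0700'    'bob'      "$(effective_bits 0700 alice alice bob 'bob users')"
}
```

Run `demo` to see the table. Note the `mysql` row: with the account left out of group daemon it falls through to the "other" class and keeps `r-x` on /home, which is the maintenance burden Olaf's objection points at. The `make_private_dir` helper is the per-user answer Roger describes; on a real system the /home change additionally needs root (`chgrp daemon /home; chmod 0705 /home`) and `adduser www-data daemon`, which this example does not perform.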