From owner-freebsd-security@FreeBSD.ORG Sun Oct 24 21:33:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8BACD16A4CE for ; Sun, 24 Oct 2004 21:33:56 +0000 (GMT) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3735243D2D for ; Sun, 24 Oct 2004 21:33:56 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from [192.168.1.3] (pool-68-160-246-51.ny325.east.verizon.net [68.160.246.51]) by pi.codefab.com (8.12.11/8.12.11) with ESMTP id i9OLXnwN050612 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 24 Oct 2004 17:33:52 -0400 (EDT) Message-ID: <417C1FB9.2090909@mac.com> Date: Sun, 24 Oct 2004 17:33:45 -0400 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jesper Wallin References: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net> <008401c4b868$ffd64ac0$3501a8c0@pro.sk> <00ab01c4b870$a3024760$3501a8c0@pro.sk> <52757.10.0.0.10.1098560266.squirrel@10.0.0.10> <1357.213.112.198.199.1098562966.squirrel@mail.hackunite.net> In-Reply-To: <1357.213.112.198.199.1098562966.squirrel@mail.hackunite.net> X-Enigmail-Version: 0.86.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, hits=0.0 required=5.5 tests=AWL autolearn=ham version=2.64 X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on pi.codefab.com cc: freebsd-security@freebsd.org Subject: Re: Default permissions of /home/user.. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Oct 2004 21:33:56 -0000 Jesper Wallin wrote: > Sure, this works nice.. but yet, I did have to modify /usr/sbin/adduser .. Also, some of > you said it's bad having a homedir chmod 700, how come? Let's say I use the account for > coding, IRC perhaps, mail, etc.. none of those things require more access than 700? If you want to set up a highly secure user-account, using permissions of 700 is reasonable. However, it may not be sufficient, which is why chroot() and jails are available to create more restricted environments. One creates a "bind" user and chroot()s named to run inside /var/named, for example. You also should think about the umask being used. Historically, the default umask was 022. You seem to want something like 027 or 077. > All I can think of is public_html which need o+x so nobody and/or www can access that > directory.. I know, FreeBSD isn't Linux but most Linux systems run the same programs > such as postfix, mysql, apache, openssh, etc.. and I know some distributions (like > gentoo for example) which chmod it to 700 by default.. :) FreeBSD would prefer you to set up a group for each user, with GID == UID. This lets you use a umask of 002, and be able to share write access with other people who are in the same group. This is not significant to the owner of the file, who has user-mode access as well, but it lets the admin create new groups for a project, and users can chgrp files they want to share from their personal GID to the project GID. -- -Chuck