Date:      Tue, 23 Jun 1998 20:08:20 -0400 (EDT)
From:      Open Systems Networking <opsys@mail.webspan.net>
To:        "Matthew D. Fuller" <fullermd@futuresouth.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: adduser chmod permissions
Message-ID:  <Pine.BSF.3.95.980623195803.3076A-100000@orion.webspan.net>
In-Reply-To: <19980623185357.25223@futuresouth.com>

On Tue, 23 Jun 1998, Matthew D. Fuller wrote:

> Well, for starters, you'll need to have at least execute to have web
> directories under ~.
> There's a great difference in philosophy between home dirs and IPFW.  If
> you're running IPFW, that's because you want to keep things out.  If you
> have home directories, that's because you want users.  Part of the
> philosophy that's been with unices from the beginning is sharing of
> information.  Having readable home dirs makes that possible.

That is what "group" is for. GROUP sharing of files.

> I've always had my umask as 077.  My home dir is readable, but the files
> aren't.  If I have files I want to share,  I chmod them so they're
> readable (or executable, ATCMB).
> It really comes down to 2 philosophies:
> 1) Share unless there's a reason to not, and
> 2) Hide unless there's a reason to share

> I happen to like 1.  It was one of the cornerstones of unix in the first
> place; share unless there's a reason not to, and when not sharing, lock
> it down tight.

That's the point of "group" though. IMO you wanna share, fine, but do it
with group as I believe it was meant, but do NOT make "other" shareable.
I believe "other" covers areas that user and group can't. Kind of like a
wildcard scenario. If we can't get what we want with user/group, do it with
"other".

> And as for 'each user in their own group', well, that defeats some of the
> niceness of groups.  I have a group user, which all normal users belong
> to, and no others.  So if someone breaks in as 'daemon' or 'nobody', they
> can't get at a lot of stuff, whereas normal users have no problem.

But that is what the man page reads AFAICT. At least that's how I
decipher it. Also, the argument of users having their own group is not the
issue. THAT is an administrative issue. Whether the admin wishes to put each
user into their own group or a shared group called users is up to him. I'm
directly dealing with the ability of a user's home directory to be safe
from prying eyes by default. No one signs up for unix saying hey, I LOVE
the fact that ANYONE can read my files by default whether I want it or not.
So I think it comes down to a majority-rules outlook. Do the majority of
users enjoy having their home directories created by default to be
readable and executable by ANYONE, or do the majority wish to see it
closed to everyone by default? I think this should be revisited.
So I would like to hear everyone's input on this. Am I a crazy lunatic
who thinks users, the majority of which don't even know about u,g,o and
permissions, would rather see their home directories NOT viewable and
executable by ANYONE? I mean, if the majority of people like the status quo
then naturally don't fix what isn't broken. But if there is a majority that
thinks "other" should be -rwx, then I think it is worth debating.

Chris

--
"Linux... The choice of a GNUtered generation."

===================================| Open Systems Networking And Consulting.
  FreeBSD 2.2.6 is available now!  | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
   FreeBSD: The power to serve!    | E-Mail: opsys@open-systems.net
      http://www.freebsd.org       | Consulting-Network Engineering-Security
===================================| http://open-systems.net 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te
gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC
foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z
d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb
NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv
CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8
b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4=
=BBjp
-----END PGP PUBLIC KEY BLOCK-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
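The two policies argued over above ("share unless there's a reason not to" with a 077 umask, versus a 0700 home directory with sharing done through group) can be laid side by side in a few lines of shell. This is an added example, not part of Chris's or Matthew's messages and not FreeBSD's adduser code; it runs in a throwaway temporary directory rather than a real /home, and the setgid group directory (mode 2750) and the 027 umask are this example's own assumptions about how "do it with group" would be set up, not something the thread specifies.

```shell
#!/bin/sh
# Added illustration of the two home-directory policies argued over in the
# thread. Everything runs inside a throwaway directory (assumption: a writable
# temp dir), so no real /home or adduser configuration is touched.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT

# Symbolic mode of a path, e.g. "drwx------" (first ten columns of ls -ld;
# portable across BSD and GNU, unlike stat's flags).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Policy 1, "share unless there's a reason not to": the home directory is
# readable and searchable by "other" (0755), and the user relies on a 077
# umask so that files created inside still default to 0600.
make_open_home() {
    d="$SANDBOX/$1"
    mkdir -m 755 "$d"
    ( umask 077; : > "$d/notes.txt" )
    printf '%s\n' "$d"
}

# Policy 2, "hide unless there's a reason to share": the home directory is
# 0700, so "other" gets nothing by default, and deliberate sharing goes
# through a group directory. The setgid bit (2750, an assumption of this
# example, not something the thread specifies) makes new files inherit the
# directory's group, and a 027 umask keeps them group-readable but closed
# to "other".
make_closed_home() {
    d="$SANDBOX/$1"
    mkdir -m 700 "$d"
    mkdir "$d/shared"
    chmod 2750 "$d/shared"
    ( umask 027; : > "$d/shared/report.txt" )
    printf '%s\n' "$d"
}

# What "other" (anyone with an account on the box) can do with a path: the
# last three permission columns, "---" meaning nothing at all.
other_bits() {
    mode_of "$1" | cut -c8-10
}

# Stand-alone walkthrough: print what each policy leaves visible to "other".
demo() {
    open=$(make_open_home demo-open)
    closed=$(make_closed_home demo-closed)
    for p in "$open" "$open/notes.txt" "$closed" "$closed/shared" \
             "$closed/shared/report.txt"; do
        printf '%-10s other=%s  %s\n' \
            "$(mode_of "$p")" "$(other_bits "$p")" "${p#$SANDBOX/}"
    done
}

demo
```

Under policy 1 the home directory itself answers "r-x" to "other", so anyone can list it and reach whatever the user forgets to chmod; under policy 2 the directory answers "---", and the only thing the owner has opened up is the group directory, which is still closed to "other". That is the difference between the two defaults the thread is asking adduser to pick between.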