Date:      Thu, 13 Sep 2001 17:33:51 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        Kenneth W Cochran <kwc@world.std.com>
Cc:        Chip Norkus <wd@arpa.com>, freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: Default user directory (adduser) filemode
Message-ID:  <20010913173351.C13432@ringworld.oblivion.bg>
In-Reply-To: <200109131413.KAA29159@world.std.com>; from kwc@world.std.com on Thu, Sep 13, 2001 at 10:13:52AM -0400
References:  <200109131317.JAA25490@world.std.com> <20010913134223.B389613121@netcom1.netcom.com> <200109131413.KAA29159@world.std.com>

On Thu, Sep 13, 2001 at 10:13:52AM -0400, Kenneth W Cochran wrote:
> Sounds reasonable...  But sysinstall --> UserAdd doesn't
> use the adduser Perl script, but the pw command.
> Just MHO, but I think the defaults are too "loose," not
> well-documented, and not easily auditable.
> 
> Should I file a PR, maybe?
> 
> CC'ing to -security...

For adduser(8), you could try a patch that I wrote up a couple of weeks
ago; it's at http://people.FreeBSD.org/~roam/bsd/adduser-mode-RELENG_4.patch.gz
For pw(8), however, things are more complicated - including the fact that
pw(8) has no default configuration store.

G'luck,
Peter

-- 
This sentence every third, but it still comprehensible.

> >Date: Thu, 13 Sep 2001 09:56:22 -0400
> >From: Chip Norkus <wd@arpa.com>
> >To: freebsd-stable@FreeBSD.ORG
> >Subject: Re: Default user directory (adduser) filemode
> >
> >On Thu Sep 13, 2001; 06:42AM -0700 Mike Harding used 1.4K bytes
> >of bandwidth to send the following:
> >> 'adduser' is a perl script, search it for '755' and you will find
> >> where the permissions are set, it's trivial to change in the source,
> >> although logically this could be a configuration parameter.  The
> >> script is in /usr/sbin/adduser.
> >
> >Additionally, if you change your umask, mkdir(2) (which is what is used by
> >adduser) will be restricted.  So, if you want files created to be completely
> >restricted from group/other access, you might do:
> ># (umask 077;adduser)
> >A more useful value (especially if you are supporting something like
> >'public_html' in user directories) would be a umask of 066, or maybe even
> >026.
> >
> >For more info see `man 2 umask` and `man chmod`.
> >
> >> - Mike H.
> >> 
> >>    Date: Thu, 13 Sep 2001 09:17:51 -0400 (EDT)
> >>    From: Kenneth W Cochran <kwc@world.std.com>
> >> 
> >>    Hello -stable:
> >> 
> >>    I notice that when I add a user to FreeBSD, either from adduser
> >>    or from /stand/sysinstall --> UserAdd(sp?), the default filemode
> >>    of the user's home directory is 755.  So far, I can't find
> >>    (something like) a config-option for this (i.e., in
> >>    /etc/adduser.conf).  Is this a bug or a feature(tm)?  :)
> >> 
> >>    OS is -stable (RELENG_4), as of 8 September 2001.
> >> 
> >>    Thanks,
> >> 
> >>    -kc
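
Added example, not part of the thread or of FreeBSD's own tools: a POSIX shell sketch that measures the directory mode produced under each umask mentioned in the quoted advice, and lists home directories that still grant group/other access. The function names and the `/home` path are assumptions, and plain mkdir(1) stands in for adduser.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from adduser or pw.

# Print the permission bits (octal, setuid/setgid/sticky masked off) of a path.
# GNU stat is tried first, then the BSD form used on FreeBSD.
mode_of() {
    _raw=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    printf '%o\n' $(( 0$_raw & 0777 ))
}

# Create a scratch directory under the given umask, in a subshell so the
# caller's umask is untouched (same idea as "(umask 077; adduser)"),
# and print the mode that mkdir actually produced.
dir_mode_under_umask() {
    _tmp=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$_tmp/home" )
    mode_of "$_tmp/home"
    rm -rf "$_tmp"
}

# List every directory directly under $1 whose mode grants any
# group or other permission, as "<mode> <path>".
audit_homes() {
    for _d in "$1"/*/; do
        [ -d "$_d" ] || continue
        _m=$(mode_of "$_d")
        if [ $(( 0$_m & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$_m" "${_d%/}"
        fi
    done
}

# 022 reproduces the 755 default reported in the thread. For a directory,
# 066 and 026 leave the search (x) bit for group/other in place, so the
# directory can be traversed but not listed by "other".
for _u in 022 077 066 026; do
    printf 'umask %s -> directory mode %s\n' "$_u" "$(dir_mode_under_umask "$_u")"
done

# Audit usage (path is an assumption): audit_homes /home
```

The audit reports only the top-level directory mode; files inside each home keep whatever mode they were created with.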
