From: Peter Pentchev
To: Kenneth W Cochran
Cc: Chip Norkus, freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Default user directory (adduser) filemode
Date: Thu, 13 Sep 2001 17:33:51 +0300
Message-ID: <20010913173351.C13432@ringworld.oblivion.bg>
In-Reply-To: <200109131413.KAA29159@world.std.com>

On Thu, Sep 13, 2001 at 10:13:52AM -0400, Kenneth W Cochran wrote:
> Sounds reasonable... But sysinstall --> UserAdd doesn't
> use the adduser Perl script, but the pw command.
> Just MHO, but I think the defaults are too "loose," not
> well-documented, and not easily auditable.
>
> Should I file a PR, maybe?
>
> CC'ing to -security...

For adduser(8), you could try a patch that I wrote up a couple of weeks
ago; it's at
http://people.FreeBSD.org/~roam/bsd/adduser-mode-RELENG_4.patch.gz

For pw(8), however, things are more complicated - including the fact
that pw(8) has no default configuration store.

G'luck,
Peter

-- 
This sentence every third, but it still comprehensible.
> >Date: Thu, 13 Sep 2001 09:56:22 -0400
> >From: Chip Norkus
> >To: freebsd-stable@FreeBSD.ORG
> >Subject: Re: Default user directory (adduser) filemode
> >
> >On Thu Sep 13, 2001; 06:42AM -0700 Mike Harding used 1.4K bytes
> >of bandwidth to send the following:
> >> 'adduser' is a perl script, search it for '755' and you will find
> >> where the permissions are set, it's trivial to change in the source,
> >> although logically this could be a configuration parameter. The
> >> script is in /usr/sbin/adduser.
> >
> >Additionally, if you change your umask, mkdir(2) (which is what is used by
> >adduser) will be restricted. So, if you want files created to be completely
> >restricted from group/other access, you might do:
> >
> ># (umask 077;adduser)
> >
> >A more useful value (especially if you are supporting something like
> >'public_html' in user directories) would be a umask of 066, or maybe even
> >026.
> >
> >For more info see `man 2 umask` and `man chmod`.
> >
> >> - Mike H.
> >>
> >> Date: Thu, 13 Sep 2001 09:17:51 -0400 (EDT)
> >> From: Kenneth W Cochran
> >>
> >> Hello -stable:
> >>
> >> I notice that when I add a user to FreeBSD, either from adduser
> >> or from /stand/sysinstall --> UserAdd(sp?), the default filemode
> >> of the user's home directory is 755. So far, I can't find
> >> (something like) a config-option for this (i.e., in
> >> /etc/adduser.conf). Is this a bug or a feature(tm)? :)
> >>
> >> OS is -stable (RELENG_4), as of 8 September 2001.
> >>
> >> Thanks,
> >>
> >> -kc
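The umask trick Chip describes above, shown as an added example (this is not code from the thread or from FreeBSD): the directory adduser's mkdir(2) creates gets mode 0777 & ~umask, so 022 yields the 755 Kenneth observed, 077 yields 700, and 066 yields 711, which still lets a web server traverse into public_html without listing the home directory. The helper names are my own.

```sh
#!/bin/sh
# Added example: shows how the umask in force when adduser calls mkdir(2)
# determines the home directory mode (mode = 0777 & ~umask).

# Create a scratch directory under umask $1 and print its octal mode.
mode_under_umask() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX") || return 1
    # Subshell keeps the umask change local, exactly like "(umask 077;adduser)".
    (umask "$1" && mkdir "$tmp/home")
    # GNU stat uses -c %a, BSD stat uses -f %Lp; try both so this runs on either.
    mode=$(stat -c %a "$tmp/home" 2>/dev/null || stat -f %Lp "$tmp/home")
    rm -rf "$tmp"
    printf '%s\n' "$mode"
}

# The same value computed arithmetically, without touching the filesystem.
predicted_mode() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# Compare the umasks discussed in the thread against the default 022.
for u in 022 077 066 026; do
    printf 'umask %s -> directory mode %s (predicted %s)\n' \
        "$u" "$(mode_under_umask "$u")" "$(predicted_mode "$u")"
done
```

Note that 066 and 026 leave the execute (search) bit for others, so a path through the home directory stays traversable even though its contents cannot be listed.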