Date:      Tue, 23 Jun 1998 12:24:16 -0400 (EDT)
From:      Open Systems Networking <opsys@mail.webspan.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   adduser chmod permissions
Message-ID:  <Pine.BSF.3.95.980623120946.4022C-200000@orion.webspan.net>


[-- Attachment #1 --]

I've sent this to a couple of people now.

This pertains to adduser on 3.0-current.
I haven't checked on a 2.2x adduser.
I'm wondering what purpose, if any, the perms on "other" have in adduser.

adduser is set to o=-w. Why by default should adduser allow home
directories to be executable and read by "others"? I mean, if the default
policy of IPFW is to default to closed, and the admin has to choose to
open up his server, shouldn't the default for adduser be to create home
dirs closed to "others", and the user has to open them up? Makes sense to
me anyway. I think having adduser give ANY perms to "other" breaks the man
page.

"UNIQUE GROUPS
     Perhaps you're missing what can be done with this scheme that falls
     apart with most other schemes.  With each user in his/her own group
     the user can safely run with a umask of 002 and have files created in
     their home directory and not worry about others being able to read
     them." 

To me that means give the user his own unique group name, like user foo
group foo, and then perms on other should be ---, so that only user foo
can read, write and execute files and group foo can read and execute files.
That's how I read it anyway.

Unless there is some reason /home dirs need to be "rx" for "other" that I
can't seem to find.

I attached a patch to adduser to chmod o=-rwx, as I think it should be.

Chris

--
"Linux... The choice of a GNUtered generation."

===================================| Open Systems Networking And Consulting.
  FreeBSD 2.2.6 is available now!  | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
   FreeBSD: The power to serve!    | E-Mail: opsys@open-systems.net
      http://www.freebsd.org       | Consulting-Network Engineering-Security
===================================| http://open-systems.net 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te
gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC
foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z
d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb
NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv
CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8
b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4=
=BBjp
-----END PGP PUBLIC KEY BLOCK-----

[-- Attachment #2 --]
*** /usr/sbin/adduser	Sat Jun 13 16:39:47 1998
--- adduser	Sat Jun 13 16:39:26 1998
***************
*** 994,1000 ****
      # rename 'dot.foo' files to '.foo'
      print "Copy files from $dotdir to $homedir\n" if $verbose;
      system("cp -R $dotdir $homedir");
!     system("chmod -R u+wrX,go-w $homedir");
      system("chown -R $name:$group $homedir");
  
      # security
--- 994,1000 ----
      # rename 'dot.foo' files to '.foo'
      print "Copy files from $dotdir to $homedir\n" if $verbose;
      system("cp -R $dotdir $homedir");
!     system("chmod -R u+wrX,g-w,o-rwx $homedir");
      system("chown -R $name:$group $homedir");
  
      # security
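Review bot: the new mode string `u+wrX,g-w,o-rwx` is hard-coded into the `system()` call and applied with `-R`, so it strips read, write and search permission for "other" from `$homedir` itself as well as from every file copied out of `$dotdir`, unconditionally and for every site. That is the stated intent, but removing search (x) on the home directory breaks anything that must traverse it as a different user (a web server reaching ~/public_html, for instance), so this deserves a configurable default rather than a fixed literal, and the man page text on home directory permissions should be updated in the same change. Unrelated to the change but visible in the same lines: `$dotdir` and `$homedir` are interpolated unquoted into a shell command string, so a home directory path containing shell metacharacters or whitespace would be mangled; passing a list to `system()` instead of a single string would avoid that.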

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.980623120946.4022C-200000>
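The following is an added example, not part of the original mail or of the FreeBSD adduser script: a small POSIX shell script that builds a constructed home directory with a couple of sample dotfiles, applies the original adduser mode string and the patched one, and reports the resulting modes. It also creates a file under umask 002, as the quoted man page text suggests for the unique-group scheme, to show that such files are still world-readable (664) and that it is the home directory's "other" bits, not the file's, that decide whether someone outside the group can get at them. File modes are read with `ls -ld` rather than `stat` so the script runs on both BSD and GNU userlands; the dotfile names and contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example: effect of the two adduser chmod invocations on a new home
# directory. Everything created here is constructed sample data.

make_home() {
  # $1 = home directory to create. Populate with constructed dotfiles and
  # pin the modes so the result does not depend on the caller's umask.
  mkdir -p "$1/.ssh"
  printf 'export PATH=$HOME/bin:$PATH\n' > "$1/.profile"   # sample dotfile
  printf '# constructed sample ssh config\n' > "$1/.ssh/config"
  chmod 755 "$1" "$1/.ssh"
  chmod 644 "$1/.profile" "$1/.ssh/config"
}

mode_of() {
  # Symbolic mode string of a path, e.g. "drwxr-x---".
  # ls -ld is used instead of stat because stat's flags differ between
  # BSD and GNU; the first ten characters are the type and mode bits.
  ls -ld "$1" | cut -c1-10
}

original_policy() {
  # What adduser did before the patch: only strips write from group/other.
  chmod -R u+wrX,go-w "$1"
}

patched_policy() {
  # What the patch does: additionally strips all "other" bits, recursively,
  # including on the home directory itself.
  chmod -R u+wrX,g-w,o-rwx "$1"
}

umask_002_create() {
  # Create an empty file under umask 002, the way the man page's per-user
  # group scheme expects users to work. 0666 & ~002 = 0664, so "other"
  # still gets read on the file; only the enclosing directory's "other"
  # bits keep outsiders away from it.
  ( umask 002; : > "$1" )
  mode_of "$1"
}

# Stand-alone demonstration (prints the modes; the work is in the functions).
if [ "${ADDUSER_DEMO_QUIET:-}" = "" ]; then
  tmp=$(mktemp -d)
  make_home "$tmp/orig"; original_policy "$tmp/orig"
  make_home "$tmp/patched"; patched_policy "$tmp/patched"
  printf 'original: %s %s\n' "$(mode_of "$tmp/orig")" "$(mode_of "$tmp/orig/.profile")"
  printf 'patched:  %s %s\n' "$(mode_of "$tmp/patched")" "$(mode_of "$tmp/patched/.profile")"
  printf 'umask 002 file inside patched home: %s\n' "$(umask_002_create "$tmp/patched/notes")"
  rm -rf "$tmp"
fi
```

Running it shows the original policy leaving the home directory at drwxr-xr-x and dotfiles at -rw-r--r--, while the patched policy yields drwxr-x--- and -rw-r-----; a file created afterwards under umask 002 is -rw-rw-r--, readable by "other" on its own bits but unreachable once the directory denies search to "other".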