Date:      Tue, 23 Jun 1998 12:24:16 -0400 (EDT)
From:      Open Systems Networking <opsys@mail.webspan.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   adduser chmod permissions
Message-ID:  <Pine.BSF.3.95.980623120946.4022C-200000@orion.webspan.net>



I've sent this to a couple of people now.

This pertains to adduser on 3.0-current.
I haven't checked on a 2.2x adduser.
I'm wondering what purpose if any the perms on "other" have in adduser.

adduser is set to o=-w. Why by default should adduser allow home
directories to be executable and read by "others". I mean if the default
policy of IPFW is to default to closed, and the admin has to choose to
open up his server, shouldn't the default for adduser be to create home
dirs closed to "others" and the user has to open them up? Makes sense to
me anyway. I think having adduser have ANY perms on other breaks the man
page.

"UNIQUE GROUPS
     Perhaps you're missing what can be done with this scheme that falls
     apart with most other schemes.  With each user in his/her own group
     the user can safely run with a umask of 002 and have files created in
     their home directory and not worry about others being able to read
     them." 

To me that means give the user his own unique group name like user foo
group foo, and then perms on other should be ---, so that only user foo
can read,w,x files and group foo can read and execute files.
That's how I read it anyway.

Unless there is some reason /home dirs need to be "rx" for "other" that I
can't seem to find.

I attached a patch to adduser to chmod o=-rwx. As I think it should be.

Chris

--
"Linux... The choice of a GNUtered generation."

===================================| Open Systems Networking And Consulting.
  FreeBSD 2.2.6 is available now!  | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
   FreeBSD: The power to serve!    | E-Mail: opsys@open-systems.net
      http://www.freebsd.org       | Consulting-Network Engineering-Security
===================================| http://open-systems.net 


[Attachment: adduser.diff (base64-encoded patch)]
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--0-1125508220-898619056=:4022--
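An added example, not part of Chris's message or of the attached adduser patch: a small POSIX sh audit that reports home directories whose "other" permission bits are set (the default the post objects to), so an admin can see which directories would still be readable by every local user. It assumes a GNU or BSD `stat`, and the demo directories it creates are constructed for illustration.

```shell
#!/bin/sh
# Audit home directories for "other" (o=) permission bits.
# Added example; assumes GNU stat (-c) or BSD stat (-f).

# Print the octal mode of a path, portable across GNU and BSD stat.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Succeed (exit 0) when "other" has any of r/w/x on the path.
# The last octal digit of the mode is the "other" triplet.
other_bits_set() {
    m=$(mode_of "$1")
    o=${m#"${m%?}"}        # last character of the mode string
    [ "$o" != 0 ]
}

# Print "<mode> <dir>" for every directory under $1 that is open to "other".
audit_homes() {
    base=$1
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        if other_bits_set "$d"; then
            printf '%s %s\n' "$(mode_of "$d")" "$d"
        fi
    done
}

# Demonstration on constructed directories in a scratch location.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 755 "$tmp/alice"   # adduser default described in the post: o=rx
    mkdir -m 750 "$tmp/bob"     # closed to "other", as the post proposes
    audit_homes "$tmp"          # reports only alice
    rm -rf "$tmp"
}
```

Run `audit_homes /home` on a real system to list the accounts whose home directories are still world-accessible.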
