From owner-freebsd-security Tue Jun 23 09:24:22 1998
Date: Tue, 23 Jun 1998 12:24:16 -0400 (EDT)
From: Open Systems Networking
X-Sender: opsys@orion.webspan.net
To: freebsd-security@FreeBSD.ORG
Subject: adduser chmod permissions

I've sent this to a couple of people now. This pertains to adduser on 3.0-current. I haven't checked on a 2.2x adduser.

I'm wondering what purpose, if any, the perms on "other" have in adduser. adduser is set to o=-w. Why by default should adduser allow home directories to be executable and read by "others"? I mean, if the default policy of IPFW is to default to closed, and the admin has to choose to open up his server, shouldn't the default for adduser be to create home dirs closed to "others" and the user has to open them up? Makes sense to me anyway. I think having adduser have ANY perms on other breaks the man page:
"UNIQUE GROUPS
Perhaps you're missing what can be done with this scheme that falls apart with most other schemes. With each user in his/her own group the user can safely run with a umask of 002 and have files created in their home directory and not worry about others being able to read them."

To me that means give the user his own unique group name, like user foo group foo, and then perms on other should be ---, so that only user foo can read,w,x files and group foo can read and execute files. That's how I read it anyway. Unless there is some reason /home dirs need to be "rx" for "other" that I can't seem to find.

I attached a patch to adduser to chmod o=-rwx, as I think it should be.

Chris

-- 
"Linux... The choice of a GNUtered generation."
===================================| Open Systems Networking And Consulting.
FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting-Network Engineering-Security
===================================| http://open-systems.net

Attachment: adduser.diff patch

*** /usr/sbin/adduser	Sat Jun 13 16:39:47 1998
--- adduser	Sat Jun 13 16:39:26 1998
***************
*** 994,1000 ****
      # rename 'dot.foo' files to '.foo'
      print "Copy files from $dotdir to $homedir\n" if $verbose;
      system("cp -R $dotdir $homedir");
!     system("chmod -R u+wrX,go-w $homedir");
      system("chown -R $name:$group $homedir");
  
      # security
--- 994,1000 ----
      # rename 'dot.foo' files to '.foo'
      print "Copy files from $dotdir to $homedir\n" if $verbose;
      system("cp -R $dotdir $homedir");
!     system("chmod -R u+wrX,g-w,o-rwx $homedir");
      system("chown -R $name:$group $homedir");
  
      # security
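Review bot: the "!" line replaces go-w with g-w,o-rwx and, because the chmod is recursive, o-rwx also strips search permission from $homedir itself, so a process running under any uid outside the user's private group can no longer traverse into the home directory at all, even for files the user later makes world-readable (pages a web server reads from the home directory, for example); rather than hard-coding the string, consider making the home-directory mode an adduser configuration default so the administrator picks the open or closed policy at install time. The remaining lines are unchanged context, and chown -R running after chmod does not touch the mode bits, so the ordering is fine.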
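An added check, example code that is not from the mail or from FreeBSD's adduser: it audits a home-directory tree for homes that "other" can still read or search (what the stock u+wrX,go-w leaves behind) and applies the patch's o-rwx policy to close one; the scratch tree, the user names alice and bob, and the function names are constructed for the demo.

```sh
#!/bin/sh
# Added example (not the mail's patch and not FreeBSD's adduser): report home
# directories still open to "other", then close one the way the patch does.

# Symbolic mode string of a path (e.g. drwxr-xr-x); ls is used for portability
# since stat(1) flags differ between BSD and GNU.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Exit 0 when "other" has neither read nor search (execute) on the path.
closed_to_others() {
    case "$(mode_of "$1" | cut -c8-10)" in
        *r*|*x*) return 1 ;;
        *)       return 0 ;;
    esac
}

# List every immediate subdirectory of $1 (e.g. /home) that others can list
# or enter, as "<mode> <path>" per line; prints nothing when all are closed.
open_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        closed_to_others "$d" || printf '%s %s\n' "$(mode_of "$d")" "$d"
    done
}

# The patch's policy: owner keeps everything, group loses write, other loses all.
close_home() { chmod -R u+wrX,g-w,o-rwx "$1"; }

# Stand-alone demo on a constructed scratch tree that stands in for /home.
demo() {
    base=$(mktemp -d)
    mkdir -m 755 "$base/alice"   # what go-w leaves: others keep r-x
    mkdir -m 750 "$base/bob"     # already closed to others
    echo "before:"; open_homes "$base"
    close_home "$base/alice"
    echo "after:";  open_homes "$base"
    rm -rf "$base"
}

demo
```

Run it as an unprivileged user; pointing open_homes at a real /home is a read-only audit, while close_home changes modes and should only be run on a home you own.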