Date: Fri, 8 Sep 2000 17:50:06 -0400 (EDT)
From: Matt Heckaman
To: Alan Batie
Cc: "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG
Subject: Re: Home Directories -- in the point of security?

On Fri, 8 Sep 2000, Alan Batie wrote:
...
: Until someone leaves their .profile or .cshrc file writeable accidentally
: because they don't understand unix permissions or are tricked into it.
: Or someone guesses a file name. Or many other scenarios. The answer
: I chose is to put the web directory somewhere else (/home/web/),
: reconfigure the web server and leave the user directories 700.

Exactly. That is why the umask is 027 (set by /etc/login.conf). So, for a
user to get unsafe permissions, they would have to go out of their way and
set the permission. There are no defaults that leave a file vulnerable to
the above with that setup. Since for it to fail, it depends on the user
manually modifying the file permissions. At that point, I step back since
they could just as easily do chmod 777 /usr/home/$user. :)

: --
: Alan Batie                   ______    www.rdrop.com/users/alan      Me
: alan@batie.org               \    /    www.qrd.org         The Triangle
: PGPFP DE 3C 29 17 C0 49 7A    \  /     www.pgpi.com   The Weird Numbers
: 27 40 A5 3C 37 4A DA 52 B9     \/      www.anti-spam.net       NO SPAM!

* Matt Heckaman   - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *
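
A small audit covering both positions in this message, as an added example that is not part of the original thread: it shows the modes a umask of 027 actually produces, then lists startup files that group or other can write and home directories that are not 700. It assumes home directories sit directly under one base directory (such as /usr/home) and checks only .profile and .cshrc; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes homes sit directly under one
# base directory (e.g. /usr/home); function names are hypothetical.

# Print ls mode strings for a file and a directory created under umask $1.
modes_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/file"
        mkdir "$tmp/dir"
        ls -ld "$tmp/file" | cut -c1-10
        ls -ld "$tmp/dir" | cut -c1-10
        rm -rf "$tmp"
    )
}

# List .profile/.cshrc files under $1/<user>/ that group or other can write.
writable_startup_files() {
    find "$1" -mindepth 2 -maxdepth 2 -type f \
        \( -name .profile -o -name .cshrc \) \
        \( -perm -020 -o -perm -002 \) -print | sort
}

# List home directories under $1 with any group or other bit set (not 700).
open_home_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        case $(ls -ld "$d" | cut -c5-10) in
            ------) ;;
            *) echo "${d%/}" ;;
        esac
    done
}

# Usage: sh audit.sh /usr/home
if [ $# -gt 0 ]; then
    echo "umask 027 creates: $(modes_under_umask 027 | tr '\n' ' ')"
    writable_startup_files "$1"
    open_home_dirs "$1"
fi
```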