Date: Sun, 26 Oct 2008 16:58:48 +0100
From: dick hoogendijk
To: freebsd-questions@freebsd.org
Subject: Re: restrict FreeBSD users to their home directory
Message-Id: <20081026165848.f720da24.dick@nagual.nl>
In-Reply-To: <20081026131450.GA82837@slackbox.xs4all.nl>
References: <20081026085332.GA97254@slackbox.xs4all.nl> <20081026131450.GA82837@slackbox.xs4all.nl>
Organization: de nagual

On Sun, 26 Oct 2008 14:14:50 +0100
Roland Smith wrote:

> On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote:
>
> >> > I don't want them to be able to see any system directories or other
> >> > users?
> >>
> >> User directories are by default both owned by the user and belong
> >> to the user's group. So you can set the umask for every user so
> >> that their files are not accessible to others.
> >>
> >> You cannot block read and execute access to a lot of system files
> >> (binaries, libraries, /usr/[local/]share/) without making the
> >> system useless.
> >>
> >> What is the problem you're trying to solve? Blocking read access to
> >> system files is almost certainly the wrong solution.
> >>
> > Want to keep all the users from being able to see anything outside
> > of their home directory using gnome or kde desktop.
>
> I ask again, why?

The only thing I can imagine is that he is worried about the privacy of
other users' files. If that is the case, a chmod 700 on the directories
and a chmod 600 on the (user) files would give a little privacy for
others. It's very difficult to see each other's files that way.
As you already stated: system files are a totally different story. Users
should not have to worry about them.

> Realize that if the users have physical access to the machine, these
> security measures are _useless_. A hostile user could take out the
> harddisk, put it in a machine where he has a root account and read all
> the disk's contents (unless it's encrypted).

You're right here, but I get the feeling this is beside the point of the
OP's question. ;-)

-- 
Dick Hoogendijk -- PGP/GnuPG key: 01D2433D
++ http://nagual.nl/ + SunOS sxce snv99 ++
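
Added example, not part of the original message: a small POSIX sh script that audits a home directory tree for group/other permission bits and applies the 700/600 modes and the restrictive umask discussed in the thread. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and tighten permissions under a home directory.
# Function names and the demo tree are hypothetical, built for this example.

# Print every non-symlink entry under $1 that grants any group/other bit.
# Uses only POSIX "-perm -mode" tests so it works with BSD and GNU find.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count the exposed entries (one path per line).
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Apply 700 to directories and 600 to regular files, as suggested above.
# Caveat: 600 also clears the owner's execute bit on scripts in the tree.
lock_down_home() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Demo on a constructed tree with typical default modes (755/644).
demo() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/Documents"
    echo "private note" > "$home/Documents/notes.txt"
    chmod 755 "$home" "$home/Documents"
    chmod 644 "$home/Documents/notes.txt"
    echo "exposed before lock-down: $(count_exposed "$home")"
    lock_down_home "$home"
    echo "exposed after lock-down:  $(count_exposed "$home")"
    # chmod only fixes existing files; umask 077 keeps new ones private.
    ( umask 077; touch "$home/new.txt" )
    echo "exposed after new file:   $(count_exposed "$home")"
    rm -rf "$home"
}

demo
```

The audit function can be run on its own against each home directory to see what is still readable by others before changing anything.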