Date: Fri, 22 Oct 2004 17:06:06 +0300 From: Peter Pentchev <roam@ringlet.net> To: Bill Moran <wmoran@potentialtech.com> Cc: Jesper Wallin <jesper@hackunite.net> Subject: Re: Default permissions of /home/user.. Message-ID: <20041022140606.GA1043@straylight.m.ringlet.net> In-Reply-To: <20041022095512.31d991ae.wmoran@potentialtech.com> References: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net> <20041022095512.31d991ae.wmoran@potentialtech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, Oct 22, 2004 at 09:55:12AM -0400, Bill Moran wrote:
> "Jesper Wallin" <jesper@hackunite.net> wrote:
>=20
> > Hello..
> >=20
> > I've asked this question before without getting any further help really=
=2E.
> > When a new user is added using "adduser" on 5.x (havn't really checked
> > if it's the same under 4.x or not), the default homedir permission is 7=
55
> > (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty e=
asy
> > to solve it by a simple chmod, but yet, isn't there anyway to change the
> > default chmod value? Last time I asked about this, people told me to ch=
eck
> > out the skel directory, but the only thing you can do in there is to ch=
ange the
> > default chmod value of the files/directories _in_ the homedir, not the =
chmod
> > values of the actually homedir.. I would be glad if someone could give =
me
> > further assistanse how do solve this without manually modifying the "ad=
duser"
> > script.. and if it this option doesn't exist, shouldn't it be added or =
is it just
> > me who want my homedir secure from other users? ;)
>=20
> The adduser script does not determine the permissions on the home directo=
yr.
> The pw command does that, adduser just calls pw.
>=20
> I don't know, but perhaps if you change the permissions on /usr/share/skel
> itself, the new directories created from it will have those permissions
> (I haven't tried this, so I could be wrong).
>=20
> pw doesn't seem to have an option to change the permissions on the home
> directory at creation time. Possibly an option could be added to adduser,
> that reads the desired permissions from adduser.conf and changes them
> after creation?
Here's something I did back in 2002 for just this purpose. It is for
the 4.x adduser Perl script only - I've never ported it to the 5.x
adduser shell script, since I've never actually *used* it ever since its
conception :)
Still, if it could be of some help to anyone, here it is.
G'luck,
Peter
Index: src/usr.sbin/adduser/adduser.perl
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v
retrieving revision 1.44.2.4
diff -u -r1.44.2.4 adduser.perl
--- src/usr.sbin/adduser/adduser.perl 15 Feb 2002 17:31:15 -0000 1.44.2.4
+++ src/usr.sbin/adduser/adduser.perl 18 Feb 2002 14:12:46 -0000
@@ -41,6 +41,7 @@
$config_read =3D 1; # read config file
$logfile =3D "/var/log/adduser"; # logfile
$home =3D "/home"; # default HOME
+ $home_perm =3D "u+wrX,go-w"; # default permissions on HOME
$etc_shells =3D "/etc/shells";
$etc_passwd =3D "/etc/master.passwd";
$group =3D "/etc/group";
@@ -221,6 +222,33 @@
return 0;
}
=20
+# return the default permissions' string for HOME
+sub home_permissions {
+ local($perm) =3D @_;
+ local($p) =3D $perm;
+
+ return $p if !$verbose && $p eq &home_permissions_valid($p);
+
+ while(1) {
+ $p =3D &confirm_list("Enter your default HOME permissions:", 1, $perm, ""=
);
+ last if $p eq &home_permissions_valid($p);
+ }
+
+ $changes++ if $p ne $perm;
+ return $p;
+}
+
+# check for valid permissions
+sub home_permissions_valid {
+ local($perm) =3D @_;
+
+ if ($perm =3D~ /^((([ugo]+[+-][rwxX]+),?)+)/) {
+ return $1;
+ } else {
+ return "";
+ }
+}
+
# check for valid passwddb
sub passwd_check {
system(@pwd_mkdb, '-C', $etc_passwd);
@@ -953,7 +981,8 @@
if (!mkdir("$homedir", 0755)) {
warn "$dir: $!\n"; return 0;
}
- system 'chown', "$name:$group", $homedir;
+ system('chmod', $home_perm, $homedir);
+ system('chown', "$name:$group", $homedir);
return !$?;
}
=20
@@ -961,7 +990,7 @@
# rename 'dot.foo' files to '.foo'
print "Copy files from $dotdir to $homedir\n" if $verbose;
system('cp', '-R', $dotdir, $homedir);
- system('chmod', '-R', 'u+wrX,go-w', $homedir);
+ system('chmod', '-R', $home_perm, $homedir);
system('chown', '-Rh', "$name:$group", $homedir);
=20
# security
@@ -1365,6 +1394,9 @@
# default HOME directory ("/home")
home =3D "$home"
=20
+# default permissions on HOME ("u+wrX,go-w")
+home_perm =3D "$home_perm";
+
# List of directories where shells located
# path =3D ('/bin', '/usr/bin', '/usr/local/bin')
path =3D ($shpath)
@@ -1425,6 +1457,7 @@
&shells_add; # maybe add some new shells
$defaultshell =3D &shell_default; # enter default shell
$home =3D &home_partition($home); # find HOME partition
+$home_perm =3D &home_permissions($home_perm); # set HOME permissions
$dotdir =3D &dotdir_default; # check $dotdir
$send_message =3D &message_default; # send message to new user
$defaultpasswd =3D &password_default; # maybe use password
--=20
Peter Pentchev roam@ringlet.net roam@cnsys.bg roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn'=
t!
--PEIAKu/WMn1b1Hv9
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFBeRPO7Ri2jRYZRVMRAuDJAJ4m26pCthmiU8ZrZi+XIDqe6NUPEwCeIliM
uXZGfJBPbLo4nWOOxgPcOhI=
=q5w0
-----END PGP SIGNATURE-----
--PEIAKu/WMn1b1Hv9--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041022140606.GA1043>