From owner-freebsd-security@FreeBSD.ORG  Fri Oct 22 21:49:25 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EBC5116A4CE
	for <freebsd-security@freebsd.org>;
	Fri, 22 Oct 2004 21:49:25 +0000 (GMT)
Received: from straylight.ringlet.net (discworld.nanolink.com
	[217.75.135.134])
	by mx1.FreeBSD.org (Postfix) with SMTP id 5F71A43D46
	for <freebsd-security@freebsd.org>;
	Fri, 22 Oct 2004 21:49:22 +0000 (GMT)
	(envelope-from roam@ringlet.net)
Received: (qmail 18754 invoked by uid 1000); 22 Oct 2004 14:06:06 -0000
Date: Fri, 22 Oct 2004 17:06:06 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Bill Moran <wmoran@potentialtech.com>
Message-ID: <20041022140606.GA1043@straylight.m.ringlet.net>
Mail-Followup-To: Bill Moran <wmoran@potentialtech.com>,
	Jesper Wallin <jesper@hackunite.net>, freebsd-security@freebsd.org
References: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net>
	<20041022095512.31d991ae.wmoran@potentialtech.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="PEIAKu/WMn1b1Hv9"
Content-Disposition: inline
In-Reply-To: <20041022095512.31d991ae.wmoran@potentialtech.com>
User-Agent: Mutt/1.5.6i
cc: freebsd-security@freebsd.org
cc: Jesper Wallin <jesper@hackunite.net>
Subject: Re: Default permissions of /home/user..
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2004 21:49:26 -0000


--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 22, 2004 at 09:55:12AM -0400, Bill Moran wrote:
> "Jesper Wallin" <jesper@hackunite.net> wrote:
>=20
> > Hello..
> >=20
> > I've asked this question before without getting any further help really=
=2E.
> > When a new user is added using "adduser" on 5.x (havn't really checked
> > if it's the same under 4.x or not), the default homedir permission is 7=
55
> > (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty e=
asy
> > to solve it by a simple chmod, but yet, isn't there anyway to change the
> > default chmod value? Last time I asked about this, people told me to ch=
eck
> > out the skel directory, but the only thing you can do in there is to ch=
ange the
> > default chmod value of the files/directories _in_ the homedir, not the =
chmod
> > values of the actually homedir.. I would be glad if someone could give =
me
> > further assistanse how do solve this without manually modifying the "ad=
duser"
> > script.. and if it this option doesn't exist, shouldn't it be added or =
is it just
> > me who want my homedir secure from other users? ;)
>=20
> The adduser script does not determine the permissions on the home directo=
yr.
> The pw command does that, adduser just calls pw.
>=20
> I don't know, but perhaps if you change the permissions on /usr/share/skel
> itself, the new directories created from it will have those permissions
> (I haven't tried this, so I could be wrong).
>=20
> pw doesn't seem to have an option to change the permissions on the home
> directory at creation time.  Possibly an option could be added to adduser,
> that reads the desired permissions from adduser.conf and changes them
> after creation?

Here's something I did back in 2002 for just this purpose.  It is for
the 4.x adduser Perl script only - I've never ported it to the 5.x
adduser shell script, since I've never actually *used* it ever since its
conception :)

Still, if it could be of some help to anyone, here it is.

G'luck,
Peter

Index: src/usr.sbin/adduser/adduser.perl
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v
retrieving revision 1.44.2.4
diff -u -r1.44.2.4 adduser.perl
--- src/usr.sbin/adduser/adduser.perl	15 Feb 2002 17:31:15 -0000	1.44.2.4
+++ src/usr.sbin/adduser/adduser.perl	18 Feb 2002 14:12:46 -0000
@@ -41,6 +41,7 @@
     $config_read =3D 1;		# read config file
     $logfile =3D "/var/log/adduser"; # logfile
     $home =3D "/home";		# default HOME
+    $home_perm =3D "u+wrX,go-w";	# default permissions on HOME
     $etc_shells =3D "/etc/shells";
     $etc_passwd =3D "/etc/master.passwd";
     $group =3D "/etc/group";
@@ -221,6 +222,33 @@
     return 0;
 }
=20
+# return the default permissions' string for HOME
+sub home_permissions {
+    local($perm) =3D @_;
+    local($p) =3D $perm;
+
+    return $p if !$verbose && $p eq &home_permissions_valid($p);
+
+    while(1) {
+	$p =3D &confirm_list("Enter your default HOME permissions:", 1, $perm, ""=
);
+	last if $p eq &home_permissions_valid($p);
+    }
+
+    $changes++ if $p ne $perm;
+    return $p;
+}
+
+# check for valid permissions
+sub home_permissions_valid {
+    local($perm) =3D @_;
+
+    if ($perm =3D~ /^((([ugo]+[+-][rwxX]+),?)+)/) {
+	return $1;
+    } else {
+	return "";
+    }
+}
+
 # check for valid passwddb
 sub passwd_check {
     system(@pwd_mkdb, '-C', $etc_passwd);
@@ -953,7 +981,8 @@
 	if (!mkdir("$homedir", 0755)) {
 	    warn "$dir: $!\n"; return 0;
 	}
-	system 'chown', "$name:$group", $homedir;
+	system('chmod', $home_perm, $homedir);
+	system('chown', "$name:$group", $homedir);
 	return !$?;
     }
=20
@@ -961,7 +990,7 @@
     # rename 'dot.foo' files to '.foo'
     print "Copy files from $dotdir to $homedir\n" if $verbose;
     system('cp', '-R', $dotdir, $homedir);
-    system('chmod', '-R', 'u+wrX,go-w', $homedir);
+    system('chmod', '-R', $home_perm, $homedir);
     system('chown', '-Rh', "$name:$group", $homedir);
=20
     # security
@@ -1365,6 +1394,9 @@
 # default HOME directory ("/home")
 home =3D "$home"
=20
+# default permissions on HOME ("u+wrX,go-w")
+home_perm =3D "$home_perm";
+
 # List of directories where shells located
 # path =3D ('/bin', '/usr/bin', '/usr/local/bin')
 path =3D ($shpath)
@@ -1425,6 +1457,7 @@
 &shells_add;			# maybe add some new shells
 $defaultshell =3D &shell_default;	# enter default shell
 $home =3D &home_partition($home);	# find HOME partition
+$home_perm =3D &home_permissions($home_perm); # set HOME permissions
 $dotdir =3D &dotdir_default;	# check $dotdir
 $send_message =3D &message_default;   # send message to new user
 $defaultpasswd =3D &password_default; # maybe use password

--=20
Peter Pentchev	roam@ringlet.net    roam@cnsys.bg    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn'=
t!

--PEIAKu/WMn1b1Hv9
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBeRPO7Ri2jRYZRVMRAuDJAJ4m26pCthmiU8ZrZi+XIDqe6NUPEwCeIliM
uXZGfJBPbLo4nWOOxgPcOhI=
=q5w0
-----END PGP SIGNATURE-----

--PEIAKu/WMn1b1Hv9--