On Wed, 13 Jun 2001 16:40:56 +0200, "Auke van der Gaast" <[EMAIL PROTECTED]> wrote:
> I'm trying to restrict users' access to only their home dir
> (I don't want them to be able to see or reach / or even /home )
> I've already wasted half a day on just that, I'd really appreciate
> it if anyone could tell me what to do.

I'd hate to see this thread die without chucking my 2p into the pot (this is just for fun, OK ?) : what Auke asks is a perfectly *reasonable* thing, but (as other posters have pointed out) unfortunately not generally considered a good idea on Unix.

Auke's suggestion is in perfect accord with the generally accepted best practice security stance : whatever has not been explicitly allowed should be implicitly denied. It's a variation of security through obscurity, and as such is usually deemed as being of little absolute value by security geeks because a determined & competent attacker will not be slowed much by it ... but it still helps.

My personal opinion is that the multiple users of a system should never be able to even detect the existence of what each other has (never mind see the content) unless the owner has granted that permission. And they shouldn't be able to *list* the contents of system software areas at all, even if they're allowed to *execute* them.

However, in my experience the only systems that actually deliver that possibility have been the mainframe operating systems I used to work on. All Unixen I've seen (not to mention Windows NT & family) have not only defaulted to a very open stance (indeed said to date from Unix's development by geeks for geeks in a nice safe lab environment where you want everyone to see your stuff easily) but (as [EMAIL PROTECTED] pointed out) also actually *break* if you try to remove apparently unnecessary access from system objects. The security model of Unix (and NT) is just too primitive (no offence to anyone intended) to support the Right Thing.

ACLs do improve the ballgame a lot, for those Un*xen that provide them, but the bare-bones Unix permissions system is very difficult to lock down. Sigh. Actually, thinking about it, IIRC even VMS seems to default to "all-objects-world-readable", out-of-the-box.

Some comments on other posters' words:

[EMAIL PROTECTED] said :

>> consider again. *why* do you want to do this?
>
> Sounds like a serious trust, or lack of, problem... ;-)

Yes - that's it - in the business world anyway.

> The users should be educated on what they can and can't do.

Hopeless goal, unless you've only got your friends to worry about.

> This is going to an extreme.

Not really - it's not a big deal, but *is* the Right Thing to do.

[EMAIL PROTECTED] said :

> Even outside of the Open Source/Free Software circles,
> *nix culture has, IMO, always seemed very oriented towards
> sharing and collaboration. It seems natural to me, then,
> that home directories would traditionally have permissions
> set such that their contents can be shared and collaborated
> upon.

In an ideal world, yes. My comments are aimed at the grim reality of administering the typical production system in the commercial world.

> ... in general, users need to see other directories, like
> /bin and /etc. There are some convoluted ways to do what
> you want, but you have to decide for yourself whether tiny
> gain in security is worth the significant effort and deep
> understanding needed to do it.

For Un*x (and NT) systems I agree with you. Other OSes *can* deliver such protection without any difficulty.

[EMAIL PROTECTED] said :

> Why do you wish to do that? Have you some specifically
> top-secret system you're trying to run? Never, not
> even on commercial shell servers, have I seen such a
> setup. ...

I've seen this many times, but only on "proper" operating systems ... er, I mean old dinosaur mainframes :-)

> ... It's just not the way things are done in Unix.

Agreed.

[EMAIL PROTECTED] said :

> if you're just trying to make your box more secure
> what you're trying to do won't help much.

Agreed - but it helps a bit. If a Black Hat breaks into a normal user account on a Un*x, typically their first action is to trawl the whole filesystem looking for suid root / sgid something binaries to abuse - they shouldn't be able to do that - they should have to know/guess whether they exist, and where they are - then we move the binaries to a non-standard location ... ok, ok, the binaries shouldn't be breakable in the first place ...

What Auke needs is Big Iron, in a large room with a huge electricity supply and lots of cooling :-)

[ Don't get me wrong - I like Unix - I even use it at home ... ]

Cheers,
Nick Boyce (Chief Luddite)
Bristol, UK
--
"A *real* smart bomb would call in sick, perhaps move to another country, changing its name in the process, open a beach bar maybe and live out its days in safe anonymity."
-- Barry O'Neill in rhod
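As an added illustration of the two practical points in the thread (home directories that are readable by every other user, and the setuid/setgid binaries an admin should know about before anyone else goes looking for them), here is a small POSIX shell audit script. It is not part of the original discussion and not anyone's posted code; the function names, the `mktemp` sample tree it builds, and the file names in that tree (`alice`, `bob`, `setuid_tool`, `setgid_tool`) are all constructed for the example. It only reports and hardens: it lists home directories that grant any group/other permission, inventories setuid/setgid files under a given root so they can be compared against what the package set is expected to ship, and closes home directories to mode 700. ACLs, which the thread mentions as the better tool, are outside its scope.

```shell
#!/bin/sh
# Added example, not from the thread: audit home-directory exposure and
# inventory setuid/setgid files under a root, using a constructed sample tree.

# Print "<group+other mode> <path>" for each directory directly under $1
# whose mode grants anything to group or other (i.e. not rwx------).
# Parsing the ls -l mode string keeps this portable across GNU and BSD.
find_open_homes() {
    root=$1
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        mode=$(ls -ld "$d" | cut -c5-10)   # columns 5-10: group and other triplets
        case $mode in
            ------) ;;                     # only the owner has access: fine
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}

# Print every regular file under $1 carrying the setuid or setgid bit.
# Compare the result against the list your distribution is expected to ship.
find_suid_sgid() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Hardening step: drop group/other permissions on each home directory under $1.
close_homes() {
    root=$1
    for d in "$root"/*; do
        if [ -d "$d" ]; then chmod 700 "$d"; fi
    done
}

# Build a constructed sample tree (nothing real): two home dirs, one open
# and one already closed, plus ordinary, setuid and setgid files.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/home/alice" "$base/home/bob" "$base/usr/bin"
    chmod 755 "$base/home/alice"            # the open default the thread complains about
    chmod 700 "$base/home/bob"              # already locked down
    : > "$base/usr/bin/ordinary";    chmod 755  "$base/usr/bin/ordinary"
    : > "$base/usr/bin/setuid_tool"; chmod 4755 "$base/usr/bin/setuid_tool"
    : > "$base/usr/bin/setgid_tool"; chmod 2755 "$base/usr/bin/setgid_tool"
    printf '%s\n' "$base"
}

# Count lines on stdin; used to make results easy to check.
count_lines() { wc -l | tr -d ' '; }

# Walk through the checks on the sample tree and clean up afterwards.
demo() {
    base=$(make_sample_tree)
    echo "Home directories granting group/other access under $base/home:"
    find_open_homes "$base/home"
    echo "setuid/setgid files under $base:"
    find_suid_sgid "$base"
    close_homes "$base/home"
    echo "Open home directories after close_homes: $(find_open_homes "$base/home" | count_lines)"
    rm -rf "$base"
}

# Run the demo only when invoked as "sh audit.sh demo"; sourcing is a no-op.
if [ "${1:-}" = demo ]; then demo; fi
```

On a real system you would call `find_open_homes /home` and `find_suid_sgid /` and diff the second against a known-good baseline taken at install time; an unexpected entry is the signal worth investigating. Closing home directories to 700 is the part that is safe to apply broadly; removing permissions from system areas, as the thread notes, tends to break things.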