On Mon Jun 30, 2003 at 12:46:00PM -0500, Praedor Atrebates wrote:

> > > For the first time I added a couple more users to my home system. Up
> > > 'til now I was the only user. I found that the default behavior/security
> > > (not) setting allowed all users to access all other users' home
> > > directories. No limits! What is this?! That is the same as no security
> [...]
> > 1) Mandrake Control Center
> > 2) Security
> > 3) Security Permissions
> > 4) Choose "editable" from the drop down box
> > 5) Add /home/* with the permissions you want.
> >
> > Next time msec runs, it will reset the permissions on the /home/*
> > directories. And you won't need the higher security level (with
> > shorewall).
>
> Danka. This nonetheless begs the question...why should this even be
> necessary? By this I mean why should it be necessary to actively alter
> default settings so that all users don't have access to each other's home
> dirs? I am not really faulting Mandrake here (unless their default settings
> and perms are more lenient than other distro defaults). To my thinking, the
> default should never be to permit even read access to another's home.
> There's no call for that unless some <idiot> user decides to give other
> people access to his/her home dir. This accessibility should be a no-no by
> default regardless of distro.

This was done, IIRC, to allow people to have a ~/public_html/ directory and
allow apache to enter the home directory so as to read ~/public_html/ (which
would allow someone to do something like http://yoursite.com/~preador/).
That's pretty much the reasoning for it IIRC.

That being said, there is nothing stopping you from doing a higher security
level or modifying the defaults. I also believe that a user can enter another
user's home dir but will get a permission denied if they do an ls. Other
permissions protect the files in the homedir.

The homedir should have execute-only perms. But, taking a quick look, it
seems that is not the case. Hmmmm. That does kind of suck. msec used to do
execute-only perms on homedirs... I wonder why it decided that read/execute
perms was an ok thing to do. I'll see if I can't find out.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
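
The difference the reply above draws between execute-only and read/execute home directories can be audited from the mode bits; the script below is an added example, not part of the original thread or of msec. Assumptions: the function names `other_access` and `audit_homes` are hypothetical, only the "other" permission triplet is examined (group bits and ACLs are ignored), and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report what users outside the owner and
# group ("other") can do with each home directory, from the mode bits alone.

# other_access DIR -> prints none | traverse-only | list-only | list+traverse
other_access() {
    [ -d "$1" ] || return 1
    # Characters 8-10 of the ls mode string are the "other" triplet, e.g. "r-x".
    other=$(ls -ld -- "$1" | cut -c8-10)
    case "$other" in
        r?[xt]) echo "list+traverse" ;;  # 755-style: ls works, entries reachable
        r??)    echo "list-only" ;;      # names visible, entries not reachable
        -?[xt]) echo "traverse-only" ;;  # 711-style: ~/public_html reachable, ls denied
        *)      echo "none" ;;           # 700-style: closed to other users
    esac
}

# audit_homes BASE -> one "<access><TAB><dir>" line per real directory in BASE
audit_homes() {
    for d in "$1"/*; do
        # Skip plain files and symlinks; only real directories are home dirs.
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        printf '%s\t%s\n' "$(other_access "$d")" "$d"
    done
}

if [ "$#" -eq 0 ]; then
    # Constructed sample tree standing in for /home.
    demo=$(mktemp -d)
    mkdir "$demo/alice" "$demo/bob" "$demo/carol"
    chmod 755 "$demo/alice"   # read/execute for others
    chmod 711 "$demo/bob"     # execute-only for others
    chmod 700 "$demo/carol"   # private
    audit_homes "$demo"
    rm -rf "$demo"
else
    # Pass a real base directory, e.g. /home, as the first argument.
    audit_homes "$1"
fi
```

Directories reported as `list+traverse` are the read/execute case discussed above; `traverse-only` is the execute-only setting that still lets a web server reach ~/public_html/.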