-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > at all. I went into DrakConf and set the security level to "high" and > > this fixed the horrific insecurity of the default setup, but it also > > unfortunately fired up shorewall with settings that prevented me from > > being able to access the system remotely
I see...but is it really a good idea to permit execute perms to any and sundry? I used to think that if there were a linux virus/worm to be concerned about that the worst that could happen under normal circumstances is that a user who received and executed a viral script would possibly trash his own home and that's it. Now I see that this is not accurate...ALL users could trash their homes by executing a bad script/executable in ANY infected user's home. The default setup makes this possible...and most <new> users wont bother (or think to bother) to change home perms. praedor On Monday 30 June 2003 01:10 pm, Vincent Danen wrote: > On Mon Jun 30, 2003 at 12:46:00PM -0500, Praedor Atrebates wrote: > > > > For the first time I added a couple more users to my home system. Up > > > > 'til now I was the only user. I found that the default > > > > behavior/security (not) setting allowed all users to access all other > > > > user's home directories. No limits! What is this?! That is the > > > > same as no security > > > > [...] > > > > > 1) Mandrake Control Center > > > 2) Security > > > 3) Security Permissions > > > 4) Choose "editable" from the drop down box > > > 5) Add /home/* with the permissions you want. > > > > > > Next time msec runs, it will reset the permissions on the /home/* > > > directories. And you won't need the higher security level (with > > > shorewall). > > > > Danka. This nonetheless begs the question...why should this even be > > necessary? By this I mean why should it be necessary to actively alter > > default settings so that all users don't have access to each other's home > > dirs? I am not really faulting Mandrake here (unless their defaut > > settings and perms are more lenient than other distro defaults. To my > > thinking, the default should never be to permit even read access to > > another's home. There's no call for that unless some <idiot> user decides > > to give other people access to his/her home dir. This accessibility > > should be a no-no by default regardless of distro. > > This was done, IIRC, to allow people to have a ~/public_html/ directory and > allow apache to enter the home directory so as to read ~/public_html/ > (which would allow someone to do something like > http://yoursite.com/~preador/). That's pretty much the reasoning for it > IIRC. That being said, there is nothing stopping you from doing a higher > security level or modifying the defaults. > > I also believe that a user can enter another user's home dir but will get a > permission denied if they do an ls. Other permissions protect the files in > the homedir. The homedir should have execute-only perms. But, taking a > quick look, it seems that is not the case. Hmmmm. > > That does kind of suck. msec used to do execute-only perms on homedirs... > I wonder why it decided that read/execute perms was an ok thing to do. > > I'll see if I can't find out. - -- Not a single 9/11 terrorist came from Iraq, nor did a single one train in Iraq. Iraq had NOTHING to do with 9/11. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/AIukaKr9sJYeTxgRAsBHAJ9aLht9HHva/j9kNjSLZfUERpsBLwCdGx8h UoXf6OhcLfjX828l4QnSjSA= =1cdd -----END PGP SIGNATURE-----
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
