On 10 Nov 1998, Dale Lovelace writes:
> When the home directory is created with 700 permissions apache won't
> allow even a /~/public_html with 755 permissions to be read. As of
> now I am having to change all home directories created (50-100 per
> day for me) permissions by hand.
Absolute worst case, surely you could use a post-create script,
there's no need to do this repetitive task by hand :-) But I think
there is a better way than that ...
> This should have a setting in policies for permissions to create
> home directories with. Actually, the permissions you create the
> directory /etc/skel with should just carry over. If you want your
> home dirs to be 700, create /etc/skel as 700 etc.
I tend to agree (though there would be a potential problem if you
wanted the default perms to be world writable, you'd make /etc/skel
world-writable... and a lot of havoc could easily ensue! But making
home dirs world writable by default would be pretty strange anyway...).
Anyway... guess what: the Linuxconf code hardwires the perms to 0755,
not 0700.
See user.cc:
    /* #Specification: user creation / home directory
        The HOME directory of a new user is created with
        permission 0755. The content of the directory
        /etc/skel is copied in the directory, respecting
        the permission setting of /etc/skel. All file
        copied will belong to the new user
    */
    ret = file_mkdir (dir,uid,gid,0755,NULL);
    if (ret == 0){
        ret = file_copytree (ETC_SKEL,dir,uid,gid,-1);
    }
However, under RH 5.x this code is not used at all, instead the RH
version of the useradd utility is called. Checking the source code
for useradd, it turns out that it does the relevant chmod() call using
a config variable called UMASK from /etc/login.defs. Its value is
xored with 0777 to make the home directory permissions bits. UMASK is
not present in the provided /etc/login.defs, so a hard coded default
of 077 is used, so the home dir perms are set to 0777 XOR 077 which is
0700.
I added the single line
    UMASK 066
to /etc/login.defs, and new home dirs thereafter get created 0711.
If you want them to be 0755, use
    UMASK 022
but I think all apache needs is 0711 anyway?
WARNING: I have no real idea what other utilities use UMASK from
login.defs in what ways, and so will be affected by this configuration
change! It works here in minimalist testing, but it may not be
totally safe and secure. At least the following utilities may be
affected:
adduser
chpasswd
groupadd
newusers
pwconv
useradd
userdel
usermod
My guess is that this change is probably an OK one to make... but
there are no guarantees available :-) The configurability you are
seeking does appear to exist, but in the shadow-utils package, not in
Linuxconf itself.
Jonathan
--
Jonathan Marsden | Internet: [EMAIL PROTECTED] | Making electronic
1849 N. Wabash Ave.| Phone: +1 (909) 794 1151 | communications work
Redlands, CA 92374 | FAX: +1 (909) 794 3016 | reliably for Christian
USA | http://www.xc.org/jonathan | missions worldwide
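Added example, not part of the original message and not code from shadow-utils or Linuxconf: a shell check that predicts the home directory mode from a login.defs-style file using the 0777 XOR UMASK rule described above, and reports whether other users (such as the web server) can traverse the result. The function names are hypothetical, and it assumes the last uncommented UMASK line is the one used and that its value is octal.

```shell
#!/bin/sh
# Added example: predict the home-directory mode from a login.defs-style file.
# Assumptions: the last uncommented UMASK line is used; its value is octal.
DEFAULT_UMASK=077   # hard-coded fallback described in the message

# Print the UMASK value found in file $1, or the default if none is set.
read_umask() {
    val=$(awk '$1 == "UMASK" && NF >= 2 { v = $2 } END { print v }' "$1")
    case "$val" in
        '')       echo "$DEFAULT_UMASK" ;;
        *[!0-7]*) echo "invalid UMASK: $val" >&2; return 1 ;;
        *)        echo "$val" ;;
    esac
}

# Print the directory mode for octal umask $1: 0777 XOR umask.
home_mode() {
    printf '%04o\n' $(( 0777 ^ (0$1 & 0777) ))
}

# Succeed if "other" has search (x) permission on a directory of mode $1,
# which a process running as a different user needs to reach public_html.
other_can_traverse() {
    [ $(( 0$1 & 0001 )) -ne 0 ]
}

# Succeed if a directory of mode $1 is world-writable.
world_writable() {
    [ $(( 0$1 & 0002 )) -ne 0 ]
}

# Report the predicted outcome for one login.defs-style file.
audit_defs() {
    um=$(read_umask "$1") || return 1
    mode=$(home_mode "$um")
    if world_writable "$mode"; then note="world-writable, unsafe"
    elif other_can_traverse "$mode"; then note="other users can traverse"
    else note="closed to other users (web server cannot reach public_html)"
    fi
    echo "UMASK $um -> home dir $mode: $note"
}

# Constructed sample input, not a real system file.
sample=$(mktemp)
printf '# UMASK 022\nUMASK 066\n' > "$sample"
audit_defs "$sample"
rm -f "$sample"
```

Run it against a copy of the real file with audit_defs /path/to/copy before changing UMASK on a live system.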