On 09-19 08:32, Chris Bennett wrote:
> On Wed, Sep 19, 2018 at 04:14:47PM +0200, Solene Rapenne wrote:
> > Chris Bennett <cpb_m...@bennettconstruction.us> wrote:
> > > I have not opened up my server before for full usage of email, web,
> > > database, etc. before. So I'm a total noob on really good security
> > > practices.
> > > 
> > > Proper owner:group all over the place. Not covered in hier (7).
> > 
> > look at security(8), especially the mtree part
> > 
> Thank you. I used it a few times but I never opened the files in
> /etc/mtree. Very useful. Although that doesn't cover all of my
> owner:group questions, I can see a little better now.

I have "umask 0077" set in my /etc/profile so that all users cannot by default 
see each others' files, unless they want to open them up.  This is even though 
all the users are currently variations of myself with different security 
profiles.  If I were a new user learning to use a system, especially a 
multiuser one, I would appreciate that default until I learned more.

I have wondered if that would be a good systemwide default in new obsd installs 
(or the reasons not), but have also found that when root has that setting, I 
have to change it back to "umask 0022" for the duration of running pkg_add 
(which I do in a script), or some packages have problems.

(Corrections welcome.)  
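
The temporary umask switch described in the message above, as an added shell example that is not part of the original thread. `with_umask` and `perms_created_under` are hypothetical helper names, and the `pkg_add -u` call appears only in a comment.

```shell
# Added example; with_umask and perms_created_under are hypothetical names.

# Run one command under a temporary umask. The subshell keeps the change
# from leaking into the calling shell, so a restrictive default such as
# 0077 from /etc/profile stays in force afterwards.
with_umask() {
    mask=$1
    shift
    ( umask "$mask" && "$@" )
}

# Create a file and a directory under the given umask and print their
# permission strings, so the effect of each setting can be compared.
perms_created_under() {
    tmp=$(mktemp -d) || return 1
    with_umask "$1" touch "$tmp/file"
    with_umask "$1" mkdir "$tmp/dir"
    f=$(ls -ld "$tmp/file" | cut -c1-10)
    d=$(ls -ld "$tmp/dir" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

# Use on the system described above (as root), instead of editing the
# umask by hand before and after the package run:
#   with_umask 0022 pkg_add -u
```

With 0077 new files and directories are readable by the owner only; with 0022 they are also readable by group and others, which is the mode packages are installed under.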
