On Fri, 28 Mar 2008, Ashley Snelgrove wrote:

> Hi Greg,
>
> Thanks for the reply!
>
> So I guess I was going in the right direction. I'd been playing with
> chmod and chown but not chgrp. Where I'm at now, I've removed 'other'

You might also look at creating new groups in /etc/group and adding users
to them. This should be edited with a plain text editor like vi, as root.

> permission on all home directories but one thing I tried was to even
> remove other permissions on the /home directory thinking that the user
> would still be able to see the subdirectory owned by them but when I log
> in as the user I get a message saying

The unix lingo is "directory" and "subdirectory". I have taken the liberty
of editing this email to remove the other word, the f-word.

> 'Could not chdir to home directory /home/user: Permission denied'

You need to think why user "user" needs to be able to read /home. (A
directory is a file; it contains the names and "inodes" of other
directories.)

> It doesn't really matter because I just set everything inside of the
> home directory to chmod 750 and that seems to work fine for keeping the
> user out of other users' directories.
>
> Are there any root directories that I should as a best practice restrict
> access to? Like configuration files, etc. Some directories I would think
> need to be accessible to access libraries and such but others would
> only need to be accessible by root or the system.

Keep the permissions and ownerships at default, if this is an OpenBSD
system. They are as they should be. Someone has already thought it out,
very thoroughly. Changing permissions because of an intuition about what
some user should or shouldn't see is a common way of breaking the system.
(As you discovered by intuiting about what permissions /home should have.)

(A quick way to wreck a Unix system is to change the permissions of
/etc/passwd to deny "other" read access. Turns out that read access is
harmless -- no password information is stored there any longer, and the
information in there is needed by the typical user, and by many programs
run by users. (Like sending email to another user.)

There is no "system" user per se. There is a privileged user, called
"root", and *all other users*. Many interesting things are run or owned by
other users. As Bulk Mail said, unix security is rather coarse-grained.
(The old VMS system had, in essence, 32 different kinds of privilege, not
just 1.)

As for configuration files, read the relevant man pages. Usually
configuration files should not be "secret", but shouldn't be writable by
"other". Generally, if you use ports/packages to add programs, the default
or stub configuration files will be installed with the proper permissions.

Dave

_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
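The mode-bit check behind the "Could not chdir" error, the 750 home directories and the world-readable /etc/passwd discussed in the thread, as an added example (not code from the list or from OpenBSD); the directory tree, uids and gids are constructed sample data:

```python
"""Model of the Unix mode-bit check behind the chdir error in the thread.
The tree, uids and gids below are constructed sample data."""
from typing import Dict, List, Tuple

# path -> (mode, owner uid, group gid)
Tree = Dict[str, Tuple[int, int, int]]

# /home with 'other' (and group) permissions removed, as in the thread
BROKEN_HOME: Tree = {
    "/":           (0o755, 0, 0),
    "/home":       (0o700, 0, 0),
    "/home/alice": (0o750, 1000, 1000),
    "/home/bob":   (0o750, 1001, 1001),
    "/etc":        (0o755, 0, 0),
    "/etc/passwd": (0o644, 0, 0),   # world-readable; holds no password hashes
}
# The same tree with /home left at its default mode
DEFAULT_HOME: Tree = {**BROKEN_HOME, "/home": (0o755, 0, 0)}

def may_access(tree: Tree, path: str, uid: int, gids: List[int], want: str) -> bool:
    """Exactly one permission triad applies: owner if uid matches, else group
    if the file's gid is among the caller's groups, else other. Root bypasses
    read/write but still needs some x bit for search/execute."""
    mode, owner, group = tree[path]
    if uid == 0:
        return want != "x" or bool(mode & 0o111)
    shift = 6 if uid == owner else 3 if group in gids else 0
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return bool((mode >> shift) & bit)

def can_chdir(tree: Tree, path: str, uid: int, gids: List[int]) -> bool:
    """chdir needs search (x) on every directory from / down to the target;
    read permission on the parent is neither needed nor sufficient."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    return all(may_access(tree, p, uid, gids, "x") for p in prefixes)

def can_read_file(tree: Tree, path: str, uid: int, gids: List[int]) -> bool:
    """Opening a file needs search on the directories above it plus r on the file."""
    parent = path.rsplit("/", 1)[0] or "/"
    return can_chdir(tree, parent, uid, gids) and may_access(tree, path, uid, gids, "r")

if __name__ == "__main__":
    alice, bob = (1000, [1000]), (1001, [1001])
    print("alice -> /home/alice, /home 0700:", can_chdir(BROKEN_HOME, "/home/alice", *alice))
    print("alice -> /home/alice, /home 0755:", can_chdir(DEFAULT_HOME, "/home/alice", *alice))
    print("bob   -> /home/alice, /home 0755:", can_chdir(DEFAULT_HOME, "/home/alice", *bob))
    print("bob reads /etc/passwd:", can_read_file(DEFAULT_HOME, "/etc/passwd", *bob))
```

With /home at 0700 every non-root login fails at the /home component, while 0750 on each home directory alone keeps other users out; the same walk shows why a world-readable /etc/passwd is what lets ordinary users and their programs resolve names.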
