Default permissions of /home/user..

Peter Pentchev roam at ringlet.net
Fri Oct 22 14:49:26 PDT 2004 

On Fri, Oct 22, 2004 at 09:55:12AM -0400, Bill Moran wrote:
> "Jesper Wallin" <jesper at hackunite.net> wrote:
> 
> > Hello..
> > 
> > I've asked this question before without getting any further help really..
> > When a new user is added using "adduser" on 5.x (havn't really checked
> > if it's the same under 4.x or not), the default homedir permission is 755
> > (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty easy
> > to solve it by a simple chmod, but yet, isn't there anyway to change the
> > default chmod value? Last time I asked about this, people told me to check
> > out the skel directory, but the only thing you can do in there is to change the
> > default chmod value of the files/directories _in_ the homedir, not the chmod
> > values of the actually homedir.. I would be glad if someone could give me
> > further assistanse how do solve this without manually modifying the "adduser"
> > script.. and if it this option doesn't exist, shouldn't it be added or is it just
> > me who want my homedir secure from other users? ;)
> 
> The adduser script does not determine the permissions on the home directoyr.
> The pw command does that, adduser just calls pw.
> 
> I don't know, but perhaps if you change the permissions on /usr/share/skel
> itself, the new directories created from it will have those permissions
> (I haven't tried this, so I could be wrong).
> 
> pw doesn't seem to have an option to change the permissions on the home
> directory at creation time.  Possibly an option could be added to adduser,
> that reads the desired permissions from adduser.conf and changes them
> after creation?

Here's something I did back in 2002 for just this purpose.  It is for
the 4.x adduser Perl script only - I've never ported it to the 5.x
adduser shell script, since I've never actually *used* it ever since its
conception :)

Still, if it could be of some help to anyone, here it is.

G'luck,
Peter

Index: src/usr.sbin/adduser/adduser.perl
===================================================================
RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v
retrieving revision 1.44.2.4
diff -u -r1.44.2.4 adduser.perl
--- src/usr.sbin/adduser/adduser.perl	15 Feb 2002 17:31:15 -0000	1.44.2.4
+++ src/usr.sbin/adduser/adduser.perl	18 Feb 2002 14:12:46 -0000
@@ -41,6 +41,7 @@
     $config_read = 1;		# read config file
     $logfile = "/var/log/adduser"; # logfile
     $home = "/home";		# default HOME
+    $home_perm = "u+wrX,go-w";	# default permissions on HOME
     $etc_shells = "/etc/shells";
     $etc_passwd = "/etc/master.passwd";
     $group = "/etc/group";
@@ -221,6 +222,33 @@
     return 0;
 }
 
+# return the default permissions' string for HOME
+sub home_permissions {
+    local($perm) = @_;
+    local($p) = $perm;
+
+    return $p if !$verbose && $p eq &home_permissions_valid($p);
+
+    while(1) {
+	$p = &confirm_list("Enter your default HOME permissions:", 1, $perm, "");
+	last if $p eq &home_permissions_valid($p);
+    }
+
+    $changes++ if $p ne $perm;
+    return $p;
+}
+
+# check for valid permissions
+sub home_permissions_valid {
+    local($perm) = @_;
+
+    if ($perm =~ /^((([ugo]+[+-][rwxX]+),?)+)/) {
+	return $1;
+    } else {
+	return "";
+    }
+}
+
 # check for valid passwddb
 sub passwd_check {
     system(@pwd_mkdb, '-C', $etc_passwd);
@@ -953,7 +981,8 @@
 	if (!mkdir("$homedir", 0755)) {
 	    warn "$dir: $!\n"; return 0;
 	}
-	system 'chown', "$name:$group", $homedir;
+	system('chmod', $home_perm, $homedir);
+	system('chown', "$name:$group", $homedir);
 	return !$?;
     }
 
@@ -961,7 +990,7 @@
     # rename 'dot.foo' files to '.foo'
     print "Copy files from $dotdir to $homedir\n" if $verbose;
     system('cp', '-R', $dotdir, $homedir);
-    system('chmod', '-R', 'u+wrX,go-w', $homedir);
+    system('chmod', '-R', $home_perm, $homedir);
     system('chown', '-Rh', "$name:$group", $homedir);
 
     # security
@@ -1365,6 +1394,9 @@
 # default HOME directory ("/home")
 home = "$home"
 
+# default permissions on HOME ("u+wrX,go-w")
+home_perm = "$home_perm";
+
 # List of directories where shells located
 # path = ('/bin', '/usr/bin', '/usr/local/bin')
 path = ($shpath)
@@ -1425,6 +1457,7 @@
 &shells_add;			# maybe add some new shells
 $defaultshell = &shell_default;	# enter default shell
 $home = &home_partition($home);	# find HOME partition
+$home_perm = &home_permissions($home_perm); # set HOME permissions
 $dotdir = &dotdir_default;	# check $dotdir
 $send_message = &message_default;   # send message to new user
 $defaultpasswd = &password_default; # maybe use password

-- 
Peter Pentchev	roam at ringlet.net    roam at cnsys.bg    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn't!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20041022/a50736e8/attachment.bin

More information about the freebsd-security mailing list