Default permissions of /home/user..
Peter Pentchev
roam at ringlet.net
Fri Oct 22 14:49:26 PDT 2004
On Fri, Oct 22, 2004 at 09:55:12AM -0400, Bill Moran wrote:
> "Jesper Wallin" <jesper at hackunite.net> wrote:
>
> > Hello..
> >
> > I've asked this question before without getting any further help really..
> > When a new user is added using "adduser" on 5.x (havn't really checked
> > if it's the same under 4.x or not), the default homedir permission is 755
> > (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty easy
> > to solve it by a simple chmod, but yet, isn't there anyway to change the
> > default chmod value? Last time I asked about this, people told me to check
> > out the skel directory, but the only thing you can do in there is to change the
> > default chmod value of the files/directories _in_ the homedir, not the chmod
> > values of the actually homedir.. I would be glad if someone could give me
> > further assistanse how do solve this without manually modifying the "adduser"
> > script.. and if it this option doesn't exist, shouldn't it be added or is it just
> > me who want my homedir secure from other users? ;)
>
> The adduser script does not determine the permissions on the home directoyr.
> The pw command does that, adduser just calls pw.
>
> I don't know, but perhaps if you change the permissions on /usr/share/skel
> itself, the new directories created from it will have those permissions
> (I haven't tried this, so I could be wrong).
>
> pw doesn't seem to have an option to change the permissions on the home
> directory at creation time. Possibly an option could be added to adduser,
> that reads the desired permissions from adduser.conf and changes them
> after creation?
Here's something I did back in 2002 for just this purpose. It is for
the 4.x adduser Perl script only - I've never ported it to the 5.x
adduser shell script, since I've never actually *used* it ever since its
conception :)
Still, if it could be of some help to anyone, here it is.
G'luck,
Peter
Index: src/usr.sbin/adduser/adduser.perl
===================================================================
RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v
retrieving revision 1.44.2.4
diff -u -r1.44.2.4 adduser.perl
--- src/usr.sbin/adduser/adduser.perl 15 Feb 2002 17:31:15 -0000 1.44.2.4
+++ src/usr.sbin/adduser/adduser.perl 18 Feb 2002 14:12:46 -0000
@@ -41,6 +41,7 @@
$config_read = 1; # read config file
$logfile = "/var/log/adduser"; # logfile
$home = "/home"; # default HOME
+ $home_perm = "u+wrX,go-w"; # default permissions on HOME
$etc_shells = "/etc/shells";
$etc_passwd = "/etc/master.passwd";
$group = "/etc/group";
@@ -221,6 +222,33 @@
return 0;
}
+# return the default permissions' string for HOME
+sub home_permissions {
+ local($perm) = @_;
+ local($p) = $perm;
+
+ return $p if !$verbose && $p eq &home_permissions_valid($p);
+
+ while(1) {
+ $p = &confirm_list("Enter your default HOME permissions:", 1, $perm, "");
+ last if $p eq &home_permissions_valid($p);
+ }
+
+ $changes++ if $p ne $perm;
+ return $p;
+}
+
+# check for valid permissions
+sub home_permissions_valid {
+ local($perm) = @_;
+
+ if ($perm =~ /^((([ugo]+[+-][rwxX]+),?)+)/) {
+ return $1;
+ } else {
+ return "";
+ }
+}
+
# check for valid passwddb
sub passwd_check {
system(@pwd_mkdb, '-C', $etc_passwd);
@@ -953,7 +981,8 @@
if (!mkdir("$homedir", 0755)) {
warn "$dir: $!\n"; return 0;
}
- system 'chown', "$name:$group", $homedir;
+ system('chmod', $home_perm, $homedir);
+ system('chown', "$name:$group", $homedir);
return !$?;
}
@@ -961,7 +990,7 @@
# rename 'dot.foo' files to '.foo'
print "Copy files from $dotdir to $homedir\n" if $verbose;
system('cp', '-R', $dotdir, $homedir);
- system('chmod', '-R', 'u+wrX,go-w', $homedir);
+ system('chmod', '-R', $home_perm, $homedir);
system('chown', '-Rh', "$name:$group", $homedir);
# security
@@ -1365,6 +1394,9 @@
# default HOME directory ("/home")
home = "$home"
+# default permissions on HOME ("u+wrX,go-w")
+home_perm = "$home_perm";
+
# List of directories where shells located
# path = ('/bin', '/usr/bin', '/usr/local/bin')
path = ($shpath)
@@ -1425,6 +1457,7 @@
&shells_add; # maybe add some new shells
$defaultshell = &shell_default; # enter default shell
$home = &home_partition($home); # find HOME partition
+$home_perm = &home_permissions($home_perm); # set HOME permissions
$dotdir = &dotdir_default; # check $dotdir
$send_message = &message_default; # send message to new user
$defaultpasswd = &password_default; # maybe use password
--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn't!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20041022/a50736e8/attachment.bin
More information about the freebsd-security
mailing list