Default permissions of /home/user..
Chuck Swiger
cswiger at mac.com
Sun Oct 24 14:33:56 PDT 2004
Jesper Wallin wrote:
> Sure, this works nice.. but yet, I did have to modify /usr/sbin/adduser .. Also, some of
> you said it's bad having a homedir chmod 700, how come? Let's say I use the account for
> coding, IRC perhaps, mail, etc.. none of those things require more access than 700?

If you want to set up a highly secure user-account, using permissions of 700
is reasonable. However, it may not be sufficient, which is why chroot() and
jails are available to create more restricted environments. One creates a
"bind" user and chroot()s named to run inside /var/named, for example.

You also should think about the umask being used. Historically, the default
umask was 022. You seem to want something like 027 or 077.

> All I can think of is public_html which need o+x so nobody and/or www can access that
> directory.. I know, FreeBSD isn't Linux but most Linux systems run the same programs
> such as postfix, mysql, apache, openssh, etc.. and I know some distributions (like
> gentoo for example) which chmod it to 700 by default.. :)

FreeBSD would prefer you to set up a group for each user, with GID == UID.
This lets you use a umask of 002, and be able to share write access with other
people who are in the same group. This is not significant to the owner of the
file, who has user-mode access as well, but it lets the admin create new
groups for a project, and users can chgrp files they want to share from their
personal GID to the project GID.
--
-Chuck
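
Added example, not part of the original message: a small shell script that creates a file and a directory under each umask named above (022, 027, 077, 002) and reports who besides the owner ends up with access, then does the same check on the current home directory. The function names `perms_for`, `exposure` and `report` are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original message).

# perms_for UMASK KIND: create a file or directory under UMASK in a scratch
# directory and print its ls-style mode string. The body runs in a subshell,
# so the caller's umask is left alone.
perms_for() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$tmp/t"; else : > "$tmp/t"; fi
    mode=$(ls -ld "$tmp/t" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s\n' "$mode"
)

# exposure MODE: say who besides the owner can read or write.
exposure() {
    g=$(printf '%s' "$1" | cut -c5-7)     # group triplet
    o=$(printf '%s' "$1" | cut -c8-10)    # other triplet
    out=""
    case $g in *w*) out="group-write" ;; r*) out="group-read" ;; esac
    case $o in *w*) out="$out other-write" ;; r*) out="$out other-read" ;; esac
    out=${out# }
    printf '%s\n' "${out:-owner-only}"
}

# report: one line per umask named in the message, then the current $HOME.
report() {
    for m in 022 027 077 002; do
        f=$(perms_for "$m" file)
        d=$(perms_for "$m" dir)
        printf 'umask %s  file %s  dir %s  -> %s\n' "$m" "$f" "$d" "$(exposure "$f")"
    done
    if [ -d "${HOME:-}" ]; then
        h=$(ls -ld "$HOME/." | cut -c1-10)
        printf 'home %s  %s  -> %s\n' "$HOME" "$h" "$(exposure "$h")"
    fi
}

report
```

With umask 002 the script reports group-write; under the GID == UID scheme described above, that group contains only the owner until a file is chgrp'ed to a shared project group.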