Re: harden-debian script?
On Wed, Oct 25, 2000 at 05:15:34PM -0700, Matthew Whitworth wrote:
>
> > user home directories (IMHO) should have the permissions 700.
> >
> > After I install new Debian boxes the permissions are always something
> > like 755. This is bad in my opinion, for a multiuser box. On firewalls,
> > however, there should be very few people logging in at all and then only
> > to administer the box, not to read mail or anything like that. Therefore
> > this isn't much of an issue for firewall installs.
> >
> > Does anyone know why Debian has such lax perms on home dirs?
>
> This seems to be determined in the adduser command, where I found the
> line:
>
> 482: my $default_dir_mode = 0755;
>
> There doesn't seem to be any way to configure this other than editing the
> code.
>
> While I'm interested in the problem, I have to say I would rather see this
> configurable in /etc/adduser.conf or from the command line rather than
> hard coded at 0700 or any other value.

Yes it would be much better if it was configurable in /etc/adduser.conf
That's probably why it is..

/etc/adduser.conf:51
# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0755 will be used.
DIR_MODE=0755

If I change this to 0700 ...

Adding user foobar...
<snip>
drwx------ 2 foobar foobar 4096 Oct 25 14:37 /home/foobar

Whether or not the permissions should be something OTHER than 0755 (the
default), is more of a matter of site policy..

Has anyone filed a wishlist bug on adduser?

I'm on Debian/woody, with adduser 3.19, perhaps this option is not available
in potato (stable) but considering that IIRC, that was only a few minor
releases away.. I'd find that a bit unlikely..

--
+-------------------------------------------------------------
| Brian Russo <brusso@phys.hawaii.edu> GPG ID: 54D81666
| 404E 87E8 DD0C 275B 742B 09AD 2243 839C 54D8 1666
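
Changing DIR_MODE only affects accounts created afterwards, so existing home directories keep whatever mode they were created with. The script below is an added example, not part of the original message or of adduser: it reads DIR_MODE from an adduser.conf-style file and lists home directories that grant permission bits beyond that policy. The function names, the constructed sample tree and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example: audit home directories against DIR_MODE from adduser.conf.
# Assumes GNU stat (stat -c %a), as shipped on Debian.

# Print the last uncommented DIR_MODE value in file $1, or 0755 if none is set
# (0755 is the default named in the adduser.conf comment quoted above).
get_dir_mode() {
    mode=$(sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]\{3,4\}\)[[:space:]]*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    echo "${mode:-0755}"
}

# For each directory directly under $1, report rwx bits that are set on the
# directory but not allowed by the policy mode $2 (for example 0700).
audit_homes() {
    root=$1
    policy=$2
    for d in "$root"/*/; do
        d=${d%/}
        # Skip non-directories and symlinks (a symlink's own mode is meaningless).
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        actual=$(stat -c %a "$d")
        # A leading 0 makes the shell treat both values as octal.
        extra=$(( 0$actual & ~0$policy & 0777 ))
        if [ "$extra" -ne 0 ]; then
            printf '%s mode=%s extra=%03o\n' "$d" "$actual" "$extra"
        fi
    done
    return 0
}

# Constructed sample: a throwaway tree with three home directories and a
# config file that sets DIR_MODE=0700.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '# constructed sample\nDIR_MODE=0700\n' > "$tmp/adduser.conf"
    mkdir "$tmp/home" "$tmp/home/alice" "$tmp/home/bob" "$tmp/home/carol"
    chmod 700 "$tmp/home/alice"
    chmod 755 "$tmp/home/bob"
    chmod 750 "$tmp/home/carol"
    audit_homes "$tmp/home" "$(get_dir_mode "$tmp/adduser.conf")"
    rm -rf "$tmp"
}

demo
```

On a real system the equivalent call is `audit_homes /home "$(get_dir_mode /etc/adduser.conf)"`; whether a reported directory should be tightened with `chmod` remains a site policy decision.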