Re: user private groups and a src group
Andrew Repton writes:
> Firstly let me say that we are considering this proposal at work as it
> appears to solve our problems regarding project access.
>
> During the consideration an interesting point was raised. Our network is
> soon to be on the Internet. It has been stated elsewhere that it is a
> *BAD THING* to have as default world readable files, as this allows
> potential hackers (in the newspaper sense of the word) access to
> information that could be used in their hacking. The 'traditional' way
> around this would be to place our local users in a local group, so that
> they can read the necessary files and make the umask 027. If we use the
> proposal then the above does not work. So what is the best way of
> approaching the problem of giving read access to local users whilst
> keeping out non-local users?
Err, I'm not quite sure what access method you think these crackers
are going to be using. Any access methods that come from outside
(world-exported NFS and anonymous FTP, for example) should be
restricted to certain "published" portions of the filesystem. For
starters, NFS allows the remote host to claim any identity it desires
for its users and be believed.

However, if (for example) you have a few guest users who shouldn't see
the project files or some of the home directories you can do something
like:

  drwxr-s--- 41 root     local    512 Mar 3 11:59 /project
  drwxrwsr-x 41 root     wallaby  512 Mar 3 11:59 /project/wallaby
  drwxrwsr-x 41 root     koala    512 Mar 3 11:59 /project/koala
  drwxr-s--- 41 root     local    512 Mar 3 11:59 /home/local
  drwxrwsr-x 41 bill     bill     512 Mar 3 11:59 /home/local/bill
  drwxrwsr-x 41 alice    alice    512 Mar 3 11:59 /home/local/bill
  drwxr-sr-x 41 root     guest    512 Mar 3 11:59 /home/guest
  drwxrwsr-x 41 ijackson ijackson 512 Mar 3 11:59 /home/guest/ijackson

Ian.
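
The following is an added example, not part of the original message: a small Python model of the owner/group/other check applied along a path, run over a simplified copy of the listing above (link count, size and date dropped). The group memberships in USERS and the assumption that unlisted ancestors such as /home are world-searchable are made up for the illustration; root's bypass of permission checks is not modeled.

```python
# Constructed sample: simplified lines (mode, owner, group, path) from the listing.
LISTING = """\
drwxr-s--- root local /project
drwxrwsr-x root wallaby /project/wallaby
drwxr-s--- root local /home/local
drwxrwsr-x bill bill /home/local/bill
drwxr-sr-x root guest /home/guest
drwxrwsr-x ijackson ijackson /home/guest/ijackson
"""

USERS = {  # hypothetical memberships: user -> set of groups
    "bill": {"bill", "local", "wallaby"},
    "ijackson": {"ijackson", "guest"},
}

def parse(listing):
    """Map path -> (mode string, owner, group)."""
    table = {}
    for line in listing.splitlines():
        mode, owner, group, path = line.split()
        table[path] = (mode, owner, group)
    return table

def triad(mode, owner, group, user, groups):
    """Pick the rwx triad that applies: owner first, else group, else other."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]

def can_list(table, user, path):
    """True if user can search every listed ancestor and read the target dir."""
    groups = USERS[user]
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        cur = "/" + "/".join(parts[:i])
        if cur not in table:  # assumption: unlisted ancestors are world-searchable
            continue
        bits = triad(*table[cur], user, groups)
        # 'x' or 's' in the last slot grants search; 'S' or '-' does not
        if bits[2] not in "xs" or (cur == path and bits[0] != "r"):
            return False
    return True

TABLE = parse(LISTING)
```

The guest is stopped at /project and /home/local, which carry no "other" bits, even though the directories beneath them are world-readable; the local user passes through via the local group.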