Re: Disallow other users from reading my $HOME
Jochen Schulz wrote:
> Ken Teague:
>> In his original e-mail, Mr. Cohen is looking for permissions so that other
>> users can not read or access his data. Correct me if I'm wrong, but that
>> pretty much leaves us with mode 700, umask 077.
>
> Correct me if I am wrong, but for files created inside $HOME, the umask
> doesn't matter if $HOME itself has mode 700.
>
> J.
That's correct. With a home directory of 700, no one except the owner
can find any files, be they directories, links, files, etc., under the
home. Period. Doesn't matter what the permissions are, they can't be
found.
And 700 is not excessively paranoid. Since anyone can belong to a
group, it is possible for the "personal" group to have other names added
to it. Using 700 guarantees they have no access, if this should happen.
An alternative setting I've sometimes used is 711. This allows the
owner to send someone the full, spelled out, path to a file, and they
can get it, but nothing else. Setting things this way could be useful,
for sharing only what needs to be shared, with one caveat: experienced
users know the full path for "hidden" configuration files/directories,
so they would all need to change to 600 (files) or 700 (directories) to
be sure they can't be compromised in some way.
--
Bob McGowan
Reply to: