On Thu, Feb 17, 2011 at 03:31:18PM +0100, Olaf van der Spek wrote:
> On Thu, Feb 17, 2011 at 2:44 PM, Ian Jackson
> <email@example.com> wrote:
> > Olaf van der Spek writes ("Default Homedir Permissions"):
> >> Default homedir permissions are 755. World-readable (and listable).
> >> Common (security) sense says that permissions that are not required
> >> should not be granted. For example, accounts mysql and www-data should
> >> not have access to my documents.
> >
> > I disagree with this conclusion, because I disagree with the
> > underlying implication that the general readability of files is not
> > needed.
> >
> > Most installed systems have a smallish number of users who know each
> > other reasonably well and would like to be able to share files. It …
> > So the default is correct.
> >
> > Perhaps it might be reasonable to try to find a way for accounts like
> > mysql and www-data not to be able to access home directories (add
> > "daemon" to their supplementary group list and set the permissions of
> > /home 0705 to root.daemon, perhaps), but is this really worthwhile?
>
> That would be another violation of general security principles (access
> control based on exclusion instead of inclusion);

There are obviously differences of opinion in our expectations of "how
secure" a default installation should be. Should it be locked down like
Fort Knox? Should it be generally usable, and easy for users to see each
other's stuff?

In general, I think it's fair to say that the average Debian installation
does not require Fort Knox levels of security. Simply allowing other
people to read our files is often something desirable; if I have
something especially secret, I'll take steps to make sure it's not
readable or writeable by anyone except me. But in general, it's not a bad
thing that others can see my stuff. I can always keep private things in
a 0700 subdirectory.

Even on the massively shared systems I use, it's common for home
directories to be readable by default, so you can let other people access
your data, scripts, git repos, or whatever. I can see that in some
circumstances you might well want total control over who can see your
files, but unless you're dealing with TOP SECRET stuff, I am not
convinced that this is something the typical user would wish to have by
default.

Are there any common use cases which require this?

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
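The thread turns on two concrete settings: the 755 default that leaves a home directory listable by every local account (mysql, www-data included), and the "keep private things in a 0700 subdirectory" pattern Roger describes. The script below is an added example, written for this page and not taken from the thread or from Debian; it audits a directory tree for home directories whose "other" permission bits grant any access, and creates a private 0700 subdirectory the way Roger suggests. All function names (`is_private`, `list_world_accessible`, `make_private_subdir`, `make_demo_tree`, `demo_count`) are hypothetical, and the tree it inspects is a constructed temporary directory, not a real /home, so it runs without privileges. It assumes GNU `stat -c` (with a BSD `stat -f` fallback).

```shell
#!/bin/sh
# Added example (not from the thread): audit home directories for
# world-accessible mode bits and apply the 0700 private-subdirectory
# pattern. Runs against a constructed temp tree, never a real /home.

# Octal mode of a path, e.g. "755". GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the "other" class (last octal digit) has no r/w/x bits,
# 1 when any world access is granted. This is the check that decides
# whether accounts like mysql or www-data can list the directory.
is_private() {
    case "$(mode_of "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print "<path> <mode>" for every subdirectory of $1 that grants some
# access to "other". With the Debian default of 755 every home shows up.
list_world_accessible() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        if ! is_private "$d"; then
            printf '%s %s\n' "$d" "$(mode_of "$d")"
        fi
    done
}

# Create $1/private with mode 0700. The subshell umask guarantees the
# directory never exists briefly with looser bits before the chmod.
make_private_subdir() {
    ( umask 077 && mkdir -p "$1/private" ) && chmod 0700 "$1/private"
}

# Constructed demo tree mirroring the modes discussed: 755 (Debian
# default), 750 (group only), 700 (owner only). Prints the base path.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir "$base/alice" "$base/bob" "$base/carol"
    chmod 0755 "$base/alice"
    chmod 0750 "$base/bob"
    chmod 0700 "$base/carol"
    printf '%s\n' "$base"
}

# Number of world-accessible homes in the demo tree (expected: 1, alice).
demo_count() {
    base=$(make_demo_tree)
    n=$(list_world_accessible "$base" | wc -l | tr -d ' ')
    rm -rf "$base"
    printf '%s\n' "$n"
}

# Stand-alone run: show the audit, then the private-subdirectory fix.
if [ "${1:-}" = "--demo" ]; then
    base=$(make_demo_tree)
    echo "World-accessible homes under $base:"
    list_world_accessible "$base"
    make_private_subdir "$base/alice"
    echo "alice/private mode: $(mode_of "$base/alice/private")"
    rm -rf "$base"
fi
```

Note that `is_private` only looks at the "other" digit; a 750 home still shares with its group, which is the sharing Roger and Ian want to preserve, and the audit deliberately does not flag it. Ian's alternative (a 0705 /home owned by root.daemon) would not change any per-home mode and so would not be visible to this check at all.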