Re: Default Homedir Permissions
On 02/17/2011 10:55 AM, Martin Owens wrote:
On Thu, 2011-02-17 at 15:24 +0000, Roger Leigh wrote:
Yes, but like everything there is a tradeoff. A totally secure system
is an unusable system. Having to instruct every user how to relax the
permissions to allow others to access their files, or allow their web
pages to be visible, is effectively pointless make-work if that was
you wanted in the first place. And for most people, I would argue
/is/ what is wanted.
You don't want to make it harder for users, but this is where design can
help. If we need to make a system which prevents cross user file
attacks, then we could fairly easily implement these things:
* Shared Folder, directory which is available to all users where they
can put explicitly shared contents (MacOSX does this).
Speaking as a (non-Unix) (non-DD and so no authority here)
Administrator who is constantly pestered by auditors & CISO reviews,
I agree with Olaf, and think that Shared Folder is a good way to
make this explicit.
"The normal condition of mankind is tyranny and misery."