
Re: harden-debian script?



> I'm on Debian/woody, with adduser 3.19, perhaps this option is not
> available in potato(stable) but considering that IIRC, that was only a
> few minor releases away.. I'd find that a bit unlikely..

Great.  But I'm on potato (the production version of Debian, btw), and
you'll just have to take my word that that functionality is not in there.  
Thanks for pointing this out, though.  No need to add to the wishlist.

For those of you still on potato, here's the culprit:

warsaw:~# grep -C3 -n 02755 `which adduser`
340-    &mktree($home_dir) || &cleanup("Couldn't create $home_dir: $!.\n");
341-    chown($new_uid, $new_gid, $home_dir)
342-        || &cleanup("chown $new_uid:$new_gid $home_dir: $!\n");
343:    $dir_mode = $make_group_also ? 02755 : 0755;
344-    chmod ($dir_mode, $home_dir) ||
345-        &cleanup("chmod $dir_mode $home_dir: $!\n");
346-    }
--
421-    &mktree($home_dir) || &cleanup("Couldn't create $home_dir: $!.\n");
422-    chown($new_uid, $new_gid, $home_dir)
423-        || &cleanup("chown $new_uid:$new_gid $home_dir: $!\n");
424:    $dir_mode = $make_group_also ? 02755 : 0755;
425-    chmod ($dir_mode, $home_dir) ||
426-        &cleanup("chmod $dir_mode $home_dir: $!\n");
427-

adduser changes the directory's mode after it creates it!  Looks like it's
time to do some patching.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
matthew whitworth
matthew@okcomputer.org

On Wed, 25 Oct 2000, Brian Russo wrote:

> On Wed, Oct 25, 2000 at 05:15:34PM -0700, Matthew Whitworth wrote:
> > 
> > > user home directories (IMHO) should have the permissions 700.
> > >
> > > After I install new debian boxes the permissions are always something
> > > like 755. This is bad in my opinion, for a multiuser box. On firewalls,
> > > however, there should be very few people logging in at all and then only
> > > to administer the box, not to read mail or anything like that. Therefore
> > > this isn't much of an issue for firewall installs.
> > >
> > > Does anyone know why debian has such lax perms on home dirs?
> > 
> > This seems to be determined in the adduser command, where I found the
> > line:
> > 
> > 482:    my $default_dir_mode = 0755;
> > 
> > There doesn't seem to be any way to configure this other than editing the
> > code.
> > 
> > While I'm interested in the problem, I have to say I would rather see this
> > configurable in /etc/adduser.conf or from the command line rather than
> > hard coded at 0700 or any other value.
> 
> Yes it would be much better if it was configurable in /etc/adduser.conf
> That's probably why it is..
> 
> /etc/adduser.conf:51
> # If DIR_MODE is set, directories will be created with the specified
> # mode. Otherwise the default mode 0755 will be used.
> DIR_MODE=0755
> 
> If I change this to 0700 ...
> Adding user foobar...
> <snip>
> drwx------    2 foobar   foobar       4096 Oct 25 14:37 /home/foobar
> 
> Whether or not the permissions should be something OTHER than 0755 (the
> default), is more of a matter of site policy..
> 
> Has anyone filed a wishlist bug on adduser?
> 
> I'm on Debian/woody, with adduser 3.19, perhaps this option is not available
> in potato(stable) but considering that IIRC, that was only a few minor
> releases away.. I'd find that a bit unlikely..
> 
> 
> -- 
> +-------------------------------------------------------------
> | Brian Russo   <brusso@phys.hawaii.edu>   GPG ID: 54D81666 
> | 404E 87E8 DD0C 275B 742B  09AD 2243 839C 54D8 1666 
> 
