
Re[2]: harden-debian script?



From the adduser manpage:

       If  the file /usr/local/sbin/adduser.local exists, it will
       be executed after the user account  has  been  set  up  in
       order  to  do  any  local  setup.  The arguments passed to
       adduser.local are:
       username uid gid home-directory

So by making /usr/local/sbin/adduser.local look like:
       #!/bin/sh
       # $4 is the new user's home directory
       chmod 700 "$4"
you can get the results you want in a round-about way.

-- 
Kevin  -  cog@iwz.com
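
A more defensive form of the adduser.local hook described above, as an added example that is not part of the original message; the function names tighten_home and audit_homes and the minimum-uid argument are assumptions. It goes beyond the post by also listing existing accounts whose home directory is still open to group or other, since the hook only affects accounts created after it is installed.

```shell
#!/bin/sh
# Added example for /usr/local/sbin/adduser.local (not from the original post).
# adduser calls the hook as: adduser.local username uid gid home-directory

# tighten_home USER UID GID HOME: set HOME to mode 700 after sanity checks.
tighten_home() {
    [ "$#" -eq 4 ] || { echo "usage: adduser.local user uid gid home" >&2; return 2; }
    user=$1 home=$4
    case $home in
        /*) ;;                                   # absolute paths only
        *)  echo "refusing relative path: $home" >&2; return 1 ;;
    esac
    # Never chmod through a symlink or onto something that is not a directory.
    if [ -L "$home" ] || [ ! -d "$home" ]; then
        echo "skipping $user: $home is not a real directory" >&2
        return 1
    fi
    chmod 700 "$home"
}

# audit_homes PASSWD_FILE MIN_UID: print "user home mode" for every account
# with uid >= MIN_UID whose home directory grants anything to group or other.
audit_homes() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge "$2" ] 2>/dev/null || continue    # skip system accounts
        [ -d "$home" ] && [ ! -L "$home" ] || continue
        mode=$(ls -ld -- "$home" | cut -c1-10)
        case $mode in
            drwx------) ;;                             # already private
            *) echo "$user $home $mode" ;;
        esac
    done < "$1"
}

# Act as the hook only when adduser supplies its arguments.
[ "$#" -eq 0 ] || tighten_home "$@"
```

To review accounts that existed before the hook was installed, source the file and call audit_homes /etc/passwd 1000 (1000 is an assumed first regular uid; adjust it to the local policy).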


--


>> user home directories (IMHO) should have the permissions 700.
>>
>> After I install new debian boxes the permissions are always something
>> like 755. This is bad in my opinion, for a multiuser box. On firewalls,
>> however, there should be very few people logging in at all and then only
>> to administer the box, not to read mail or anything like that. Therefore
>> this isn't much of an issue for firewall installs.
>>
>> Does anyone know why debian has such lax perms on home dirs?

> This seems to be determined in the adduser command, where I found the
> line:

> 482:    my $default_dir_mode = 0755;

> There doesn't seem to be any way to configure this other than editing the
> code.

> While I'm interested in the problem, I have to say I would rather see this
> configurable in /etc/adduser.conf or from the command line rather than
> hard coded at 0700 or any other value.

> Cheers!

> Matthew

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> matthew whitworth
> matthew@okcomputer.org

> On Wed, 25 Oct 2000, Nate Campi wrote:

>> On Wed, 25 Oct 2000, Marcin Owsiany wrote:
>> 
>> > Debian already has right permissions for files containing sensitive data
>> > (e.g. /etc/shadow).
>> > 
>> 
>> I agree with your statement, Marcin, except for one thing:
>> user home directories (IMHO) should have the permissions 700.
>> 
>> After I install new debian boxes the permissions are always something
>> like 755. This is bad in my opinion, for a multiuser box. On firewalls,
>> however, there should be very few people logging in at all and then only
>> to administer the box, not to read mail or anything like that. Therefore
>> this isn't much of an issue for firewall installs.
>> 
>> Does anyone know why debian has such lax perms on home dirs?
>> 
>>   Nate 
>> 
>> 
>> 
>> --  
>> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>> 
>> 

