
Re: Why can't I?



On Wed, 13 Jun 2001 16:40:56 +0200, "Auke van der Gaast" <deflect@chello.nl>
wrote:

> I'm trying to restrict users' access to only their home dir 
> (I don't want them to be able to see or reach / or even /home )
>     I've already wasted half a day on just that, I'd really appreciate 
> it if anyone could tell me what to do.

I'd hate to see this thread die without chucking my 2p into the pot (this
is just for fun, OK?): what Auke asks is a perfectly *reasonable* thing,
but (as other posters have pointed out) unfortunately not generally
considered a good idea on Unix.

Auke's suggestion is in perfect accord with the generally accepted best
practice security stance : whatever has not been explicitly allowed should
be implicitly denied.  It's a variation of security through obscurity, and
as such is usually deemed as being of little absolute value by security
geeks because a determined & competent attacker will not be slowed much by
it ... but it still helps.

My personal opinion is that the multiple users of a system should never be
able to even detect the existence of what each other has (never mind see the
content) unless the owner has granted that permission.

And they shouldn't be able to *list* the contents of system software areas
at all, even if they're allowed to *execute* them.

However, in my experience the only systems that actually deliver that
possibility have been the mainframe operating systems I used to work on.

All Unixen I've seen (not to mention Windows NT & family) have not only
defaulted to a very open stance (indeed said to date from Unix's development
by geeks for geeks in a nice safe lab environment where you want everyone to
see your stuff easily) but (as aperrin@email.unc.edu pointed out) also
actually *break* if you try to remove apparently unnecessary access from
system objects.

The security model of Unix (and NT) is just too primitive (no offence to
anyone intended) to support the Right Thing.  ACLs do improve the ballgame a
lot, for those Un*xen that provide them, but the bare-bones Unix permissions
system is very difficult to lock down.  Sigh.

Actually, thinking about it, IIRC even VMS seems to default to
"all-objects-world-readable", out-of-the-box.

Some comments on other posters' words:

hallstevenson@mindspring.com said :
>> consider again. *why* do you want to do this?
>
> Sounds like a serious trust, or lack of, problem... ;-) 

Yes - that's it - in the business world anyway.

> The users should be educated on what they can and can't do.

Hopeless goal, unless you've only got your friends to worry about.

> This is going to an extreme.

Not really - it's not a big deal, but *is* the Right Thing to do.

esper@sherohman.org said :

> Even outside of the Open Source/Free Software circles, 
> *nix culture has, IMO, always seemed very oriented towards 
> sharing and collaboration.  It seems natural to me, then, 
> that home directories would traditionally have permissions 
> set such that their contents can be shared and collaborated 
> upon.

In an ideal world, yes.  My comments are aimed at the grim reality of
administering the typical production system in the commercial world.

> ... in general, users need to see other directories, like 
> /bin and /etc. There are some convoluted ways to do what 
> you want, but you have to decide for yourself whether tiny 
> gain in security is worth the significant effort and deep 
> understanding needed to do it.

For Un*x (and NT) systems I agree with you.  Other OS's *can* deliver such
protection without any difficulty.

noahm@debian.org said :

> Why do you wish to do that?  Have you some specifically 
> top-secret system you're trying to run?  Never, not 
> even on commercial shell servers, have I seen such a 
> setup.  ...

I've seen this many times, but only on "proper" operating systems ... er, I
mean old dinosaur mainframes  :-)

> ... It's just not the way things are done in Unix. 

Agreed.

casper@huiscomputer.homeip.net said :

> if you're just trying to make your box more secure 
> what you're trying to do won't help much.

Agreed - but it helps a bit.

If a Black Hat breaks into a normal user account on a Un*x, typically their
first action is to trawl the whole filesystem looking for suid root / sgid
something binaries to abuse - they shouldn't be able to do that - they
should have to know/guess whether they exist, and where they are - then we
move the binaries to a non-standard location ... ok, ok, the binaries
shouldn't be breakable in the first place ...


What Auke needs is Big Iron, in a large room with a huge electricity supply
and lots of cooling :-)

[ Don't get me wrong - I like Unix - I even use it at home ... ]

Cheers,
Nick Boyce (Chief Luddite)
Bristol, UK
--
"A *real* smart bomb would call in sick, perhaps move to another
country, changing its name in the process, open a beach bar maybe
and live out its days in safe anonymity."  -- Barry O'Neill in rhod
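As an added illustration of the "can't even detect what others have" goal and the "execute but not list" distinction discussed in the post above (this is not code from the thread), the script below audits a directory tree for directories that other users may list, and applies mode 0711 (traverse-but-not-list) to the home directories. The sample tree it builds under mktemp is constructed; the function names are my own.

```shell
#!/bin/sh
# Audit helper: list directories under $1 whose mode grants "other" the
# read bit (o+r), i.e. any user can enumerate their contents.  A directory
# at 0711 is not reported: others may still traverse it to a path they
# already know, which is what keeps known-path programs working.
set -eu

world_listable_dirs() {
  # Octal -perm works in POSIX find; -0004 matches dirs with o+r set.
  find "$1" -type d -perm -0004
}

count_world_listable() {
  world_listable_dirs "$1" | wc -l | tr -d ' '
}

# Restrict /home and every home directory under it to 0711, so users can
# neither list other users' homes nor see which homes exist.
harden_homes() {
  chmod 0711 "$1/home"
  for h in "$1"/home/*/; do
    if [ -d "$h" ]; then
      chmod 0711 "$h"
    fi
  done
}

# Constructed sample tree (no real system paths are touched).
make_sample() {
  d=$(mktemp -d)                       # mktemp gives the root 0700
  mkdir -p "$d/home/open" "$d/home/locked" "$d/usr/bin"
  chmod 0755 "$d/home" "$d/usr" "$d/home/open"   # listable by everyone
  chmod 0711 "$d/home/locked" "$d/usr/bin"       # traversable only
  printf '%s\n' "$d"
}
```

Before `harden_homes` the sample reports three listable directories (home, home/open, usr); afterwards only usr remains, while the 0711 directories stay reachable by path.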


