[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How do I prevent User 'A' from seeing User 'B' /home contents

On Sun, 2003-10-12 at 18:10, Vineet Kumar wrote:
> * Nick Hastings (hastings@bmail.kek.jp) [031012 01:37]:
> > * Ryan Nowakowski <tubaman@mailandnews.com> [031012 16:56]:
> > > On Fri, Oct 10, 2003 at 10:53:46AM -0500, Wathen, Metherion wrote:
> > > > Hi all,
> > > > I need to know how to change permissions of each user so that
> > > > they only see their own home directory. As I write this i'm thinking
> > > > that I have to change the groups they are in, is that correct?
> > > 
> > > chmod 700 /home/*
> > 
> > Do _not_ do this. You don't want everything to be executable. You
> > just want to remove read permission for everyone except the owner. To
> > do that:
> > 
> > chmod -R go-r /home
> Do _not_ do this.  As a system administrator, you have a responsibility
> to treat your users' data with the highest respect.  Metadata is still
> data.  File ownership and permissions are part of your users' data.
> Trampling them like this is very bad form.
> Any time you think about using -R to things like chown, chgrp, and
> chmod, think first about whose data you're (irreversibly, in most cases)
> changing.  Root has the power to view, change, or remove every user's
> data.  The power, but generally not the right.  I would be a very angry
> user if an administrator of a system I worked on did this type of thing.
> Depending upon the context, I'd either take my dollars elsewhere (if a
> paying customer) or make sure the superiors knew of the abuse of power
> (if a corporate environment).

I agree. Unless you need to enforce a written policy of some sort by
restricting access, these decisions should be left to the users. Show
the users HOW to change their own home directory permissions, but do not
do it for them. If they choose to do it, then they can. Personally, I
believe that information should be shared, so I leave my home directory
world-readable. I only restrict access to those areas that contain
personal or otherwise sensitive information.

Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the
pgp.net keyservers. Key ID: A6D24837

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: