
Re: file/dir rights management



On Sun, Sep 05, 2004 at 03:40:38AM +0200, Martin Henne wrote:
> Hi all,
> 
> On my system I want to keep users from browsing the '/home' directory.
> Unfortunately, when I do a 'chmod o-r /home', the user can't login via
> ftp anymore. When the user logs in via ssh, he gets the root directory
> as his home. He can, however, do a 'cd /home/myhome' then, and then he
> is in his homedirectory.
Why?


(1) If you just want people to not read other people's files, just put:

UMASK	077

in /etc/login.defs, then users will have to go out of their way to make
files world readable.


There are way too many ways to find out who exists. Examples:

ls /home
cat /etc/passwd
finger @localhost
ps -e			# Only works for logged in users
who			# ditto
last
lastb

> Similar with the '/etc' directory. I know, that
> a normal user cannot change or read passwords,
> but I want him not to browse the contents 
> of '/etc'. Can I do this without breaking his
> ability to login?

No.

/etc is open for all by design. Bash must be able to find
/etc/bash.bashrc
etc to work the Debian way. Most Debian programs keep their system-wide
configuration in /etc as per the FHS. Many programs need /etc/passwd
access, such as ls. (Do you want your users to log in and wonder who this
"1003" person is who 0wns all their files?)

Besides, users probably want to know what they have available. If you
block /etc, they can use other means to figure out what is there.
(locate, dpkg -L, etc..)

-- 
The world's most effective spam filter:
        ln -sf /dev/full /var/mail/$USER
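The UMASK 077 suggestion above is the practical fix: new files and directories come out readable by their owner only, so there is nothing in a home directory for a browsing user to read even when /home itself stays listable. The script below is an added illustration, not part of this thread; it shows what umask 077 does to freshly created files and directories (compared with the common 022) and audits the entries directly under a home root for anything still readable by "other". The tree it inspects is constructed in a temporary directory, so it does not touch the real /home.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Requires GNU stat/find (Linux); nothing here writes outside $TMPDIR.

# Create one file and one directory under the given umask and print
# their resulting octal modes as "FILE DIR", e.g. "600 700" for 077.
mode_under_umask() {
    um="$1"
    dir=$(mktemp -d)
    # Run in a subshell so the umask change does not leak to the caller.
    ( umask "$um" && touch "$dir/f" && mkdir "$dir/d" )
    f=$(stat -c '%a' "$dir/f")
    d=$(stat -c '%a' "$dir/d")
    rm -rf "$dir"
    printf '%s %s\n' "$f" "$d"
}

# Build a constructed stand-in for /home with three users whose home
# directories have different modes; prints the path of the tree.
demo_home_tree() {
    root=$(mktemp -d)
    mkdir -m 700 "$root/alice"   # owner only: what umask 077 gives
    mkdir -m 755 "$root/bob"     # world readable and searchable
    mkdir -m 750 "$root/carol"   # group readable, not world
    printf '%s\n' "$root"
}

# List the names of entries directly under a home root that carry the
# "other read" bit (-perm -004), one per line, sorted. This is the
# per-user check that 'chmod o-r /home' tried to do in one blunt step.
world_readable_homes() {
    root="$1"
    find "$root" -mindepth 1 -maxdepth 1 -perm -004 -exec basename {} \; | sort
}

# Stand-alone demonstration when run directly.
printf 'umask 077 -> file dir modes: %s\n' "$(mode_under_umask 077)"
printf 'umask 022 -> file dir modes: %s\n' "$(mode_under_umask 022)"
tree=$(demo_home_tree)
printf 'world-readable homes under %s: %s\n' "$tree" "$(world_readable_homes "$tree" | tr '\n' ' ')"
rm -rf "$tree"
```

Run it as an ordinary user; the audit function can be pointed at the real /home afterwards (`world_readable_homes /home`) to list which existing home directories would still need a `chmod o-r`, since changing UMASK in /etc/login.defs only affects files created from then on.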
