Re: Disallow other users from reading my $HOME

To: debian-user@lists.debian.org
Subject: Re: Disallow other users from reading my $HOME
From: Ken Teague <kteague@pobox.com>
Date: Wed, 6 Jan 2010 16:05:21 -0800
Message-id: <[🔎] 2d0a59b21001061605k6d2b9afx4278c68f098173a@mail.gmail.com>
In-reply-to: <[🔎] 20100106224055.GM9728@swansys>
References: <[🔎] 880dece01001061316p715c0252i64a5b943bd1cfb18@mail.gmail.com> <[🔎] 20100106213046.GL9728@swansys> <[🔎] 2d0a59b21001061359y8ae4c4co4035e2e75b3638de@mail.gmail.com> <[🔎] 20100106224055.GM9728@swansys>

On Wed, Jan 6, 2010 at 2:40 PM, green <greenfreedom10@gmail.com> wrote:
> But he probably doesn't want all his files marked as executable.

"chmod 700 $HOME" will change only the home directory permissions,
which excludes all files that are currently present.

itsme@testbox:~> ls -ld $HOME
drwx------ 19 itsme users 4096 2009-10-13 21:38 /home/itsme
itsme@testbox:~> ls -l $HOME
total 4512
drwx------ 2 itsme users    4096 2009-03-25 18:56 Desktop
-rwxr-xr-x 1 itsme users     541 2009-10-13 20:58 freespace.pl
-rw-r--r-- 1 itsme users    9214 2009-07-20 19:05 stat.txt
drwxr-xr-x 3 itsme users      45 2009-11-18 14:55 tmp
-rw-r--r-- 1 itsme users  210964 2009-02-18 21:26 VRTSralusPatch.tar.gz
-rw-r--r-- 1 itsme users   19539 2009-07-16 18:10 xmacro-pre0.3-20000911.tar.gz
-rw-r--r-- 1 itsme users 4362344 2009-07-16 18:10 xnee-3.03.tar.gz
itsme@testbox:~> su -
Password:
testbox:~ # su - otheruser
testbox /home/otheruser> grep users /etc/group
users:x:100:otheruser
testbox /home/otheruser> less /home/itsme/freespace.pl
/home/itsme/freespace.pl: Permission denied

> $ umask 0077
> $ touch abc
> $ ls -lh abc
> -rw------- 1 user user 0 2010-01-06 16:36 abc

umask 0077 will do exactly as you've shown.  It will ensure all future
files will be mode 600.  If a file needs the execute bit, it should be
set manually.  Files that are included in an archive with the execute
bit set will retain it upon expanding the archive.

testbox /home/otheruser> exit
logout
testbox:~ # exit
logout
itsme@testbox:~> umask 0077
itsme@testbox:~> touch myscript.pl
itsme@testbox:~> ls -l myscript.pl
-rw------- 1 itsme users 0 2010-01-06 18:41 myscript.pl
itsme@testbox:~> chmod 700 myscript.pl
itsme@testbox:~> ls -l myscript.pl
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl
itsme@testbox:~> tar cvjf myscript.pl.tar.bz2 myscript.pl
myscript.pl
itsme@testbox:~> ls -l mys*
-rwx------ 1 itsme users       0 2010-01-06 18:41 myscript.pl
-rw------- 1 itsme users     128 2010-01-06 18:42 myscript.pl.tar.bz2
itsme@testbox:~> rm myscript.pl
itsme@testbox:~> tar xvjf myscript.pl.tar.bz2
myscript.pl
itsme@testbox:~> ls -l myscript.pl
-rwx------ 1 itsme users 0 2010-01-06 18:41 myscript.pl

If you really want to be paranoid, you could set umask to 0277 so that
all files are mode 400.

> So I change my suggestion to
>  u=rwX,g=,o=

This is an answer more suited to meet the needs of Mr. Cohen, but X is
normally intended to be used with -R (recursive) so that all files
that currently contain an execute bit retain that bit, and those that
don't are not set to contain the execute bit.  I'd simply use "chmod
700 $HOME" and call it a day.

> Is that possible with numeric form (the execute bit)?

Not from my research.  If anyone knows, please share.

Reply to:

Follow-Ups:
- Re: Disallow other users from reading my $HOME
  - From: green <greenfreedom10@gmail.com>

References:
- Disallow other users from reading my $HOME
  - From: Dotan Cohen <dotancohen@gmail.com>
- Re: Disallow other users from reading my $HOME
  - From: green <greenfreedom10@gmail.com>
- Re: Disallow other users from reading my $HOME
  - From: Ken Teague <kteague@pobox.com>
- Re: Disallow other users from reading my $HOME
  - From: green <greenfreedom10@gmail.com>

Prev by Date: Re: how to get mac address
Next by Date: Re: Disallow other users from reading my $HOME
Previous by thread: Re: Disallow other users from reading my $HOME
Next by thread: Re: Disallow other users from reading my $HOME
Index(es):
- Date
- Thread