
Re: Disallow other users from reading my $HOME



Ken Teague wrote:
> On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10@gmail.com> wrote:
>> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
>> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
>> break stuff.  Otherwise, just changing $HOME permissions is an excellent
>> solution.
> 
> Great point.  "chmod 700 $HOME" would make ~/public_html not so
> public, since, on a Debian box, apache runs under the www-data
> account. :)  So, if Mr. Cohen has such a configuration, he would need
> to relocate his ~/public_html directory (along with all symlinked
> scripts or binaries) to a public location that can be accessed by the
> www-data account, and modify his apache configuration accordingly.  I
> have an account on freeshell.net that is configured like this:
> 
> [501]itsme@iceland:~$ ls -ld $HOME
> drwx------  16 itsme  arpa  1024 Oct 21 18:39 /arpa/nl/i/itsme
> [502]itsme@iceland:~$ ls -l html
> lrwx------  1 itsme  arpa  16 Jan 26  2009 html -> /www/am/i/itsme
> [503]itsme@iceland:~$ ls -ld /www/am/i/itsme
> drwxr-x--x  4 itsme  nobody  512 Oct 30 19:37 /www/am/i/itsme
> 
> This, to me, looks like the most elegant approach.
> 

Actually, this is the sort of situation where a $HOME permission of 711
would be useful.  It disallows wildcard-based access, but if the full
name is known, the file can be read (assuming it has the correct
permissions, of course).

You could even go so far as to set the group ownership of $HOME to the
www-data group and set $HOME to be 710.

-- 
Bob McGowan
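The 700 / 711 / 710 choices discussed in this thread, worked through in Python as an added example (not code from anyone on the list): a small model of the POSIX permission check, applied to a constructed layout with ~/public_html, a symlink from it into $HOME, and a private ~/.ssh next to it. The paths, the uid/gid values and the www-data gid of 33 are assumptions of the example.

```python
OWNER, WWW_DATA, STRANGER = (1000, {1000}), (33, {33}), (1001, {1001})  # assumed ids

def allows(node, principal, bits):
    """Select the owner/group/other triplet for the principal; need all `bits`."""
    uid, gids = principal
    n_uid, n_gid, mode = node[:3]
    shift = 6 if uid == n_uid else 3 if n_gid in gids else 0
    return (mode >> shift) & bits == bits

def can_read(tree, path, principal):
    """Each directory on the way needs x (search); the last component needs r.
    Reading a directory itself is what a wildcard or ls does.  A symlink node
    (uid, gid, mode, target) is followed; its own mode never matters."""
    parts = path.strip("/").split("/")
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        node = tree[cur]
        if len(node) == 4:  # symlink: continue the walk from its target
            rest = "/".join(parts[i + 1:])
            return can_read(tree, node[3] + ("/" + rest if rest else ""), principal)
        if not allows(node, principal, 0o4 if i == len(parts) - 1 else 0o1):
            return False
    return True

def home_tree(home_mode, home_gid=1000):
    """Constructed layout: entries are (uid, gid, mode) or (uid, gid, mode, target)."""
    return {
        "/home": (0, 0, 0o755),
        "/home/green": (1000, home_gid, home_mode),
        "/home/green/public_html": (1000, 1000, 0o755),
        "/home/green/public_html/index.html": (1000, 1000, 0o644),
        "/home/green/public_html/notes.html": (1000, 1000, 0o700, "/home/green/docs/notes.html"),
        "/home/green/docs": (1000, 1000, 0o711),
        "/home/green/docs/notes.html": (1000, 1000, 0o644),
        "/home/green/.ssh": (1000, 1000, 0o700),
        "/home/green/.ssh/id_rsa": (1000, 1000, 0o600),
    }

def outcome(home_mode, home_gid=1000, who=WWW_DATA):
    """(can list $HOME, read index.html, read the symlinked notes, read id_rsa)."""
    t = home_tree(home_mode, home_gid)
    return tuple(can_read(t, p, who) for p in (
        "/home/green", "/home/green/public_html/index.html",
        "/home/green/public_html/notes.html", "/home/green/.ssh/id_rsa"))

if __name__ == "__main__":
    for label, args in (("700", (0o700,)), ("711", (0o711,)), ("710 gid=33", (0o710, 33))):
        print(label, outcome(*args))
```

With 700 the web server reaches nothing; with 711 it reads both pages but cannot list $HOME; with 710 and the www-data group on $HOME only www-data gets that access, and a third user gets nothing.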