
Re: Things I Don't Understand About Debian



On Wed, Feb 23, 2011 at 04:11:25PM -0500, Carlos Mennens wrote:
> 1. Screen from console is not cleared as root or regular user once you log
> out.

If you use bash, add this to ~/.bash_logout:

# Clear the screen on logout, but only on a virtual console (/dev/tty1, /dev/tty2, ...)
case "$(tty)" in
    /dev/tty[0-9]*) clear ;;
esac

You could also get getty to do the blanking as well if you wanted; it
might even already be a configurable option.  Or, you can just add a
form feed to the top of /etc/issue.

> 2. Users home directories get created with 755 permissions. Anyone can
> access your home directory and files.

Yes, other users can read (not modify) files.  This is by design.
You can set a different default by modifying DIR_MODE in
/etc/adduser.conf.  This was discussed just last week on -devel.

Some people do want stricter permissions e.g. 0750, 0700.  Debian can't
provide a default that will satisfy everyone.  But if you're unhappy
with the default, it's easy enough to change.  Who are you worried will
be reading all your files?

(I'm in the camp that prefers 0755; if I want to keep something
private, I'll put it in a subdirectory with 0750 permissions.  I find
being able to share and collaborate with other users on the same
system a boon, akin to leaving the blind up so people can look in,
rather than bricking up the window.)

> 3. Debian installer defaults to creating user group names which is just a
> mess.

This is good security practice.  Every file and directory you create
is owned by a user and a group.  Having a user-private group means
every file you create is owned by you, and you can then opt to change
the group and perms.  It's important when you're working in a
multiuser environment, and does no harm for single user systems.
Having a generic "users" group that's used by all users for all files
is in fact far less secure than the 0755 permissions.

http://wiki.debian.org/UserPrivateGroups


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
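
An added example, not part of Roger's post: a POSIX shell audit for points 2 and 3 above. It classifies a home directory's mode and lists regular accounts whose primary group is not a user-private group. The function names are made up for this example, and the UID floor of 1000 and the skipped UID 65534 (nobody) are assumptions based on Debian defaults.

```shell
#!/bin/sh
# Added example, not from the original post. Inputs are passwd(5)- and
# group(5)-format files, so it can be run on copies as well as on /etc.

# Classify who besides the owner can get into a directory.
home_exposure() {  # $1 = directory
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        d???--[-S]--[-T]) echo private ;;   # e.g. 0700
        d??????--[-T])    echo group ;;     # e.g. 0750
        d*)               echo world ;;     # e.g. 0755 or 0711
        *)                echo unknown; return 1 ;;
    esac
}

# Print "user:primary-group" for regular accounts whose primary group is NOT
# user-private: its name differs from the user's, another account has it as
# primary group, or it lists somebody else as a member.
non_upg_users() {  # $1 = passwd file, $2 = group file, $3 = lowest regular UID
    awk -F: -v min="${3:-1000}" '
        FILENAME == ARGV[1] { gname[$3] = $1; members[$3] = $4; next }
        { prim[$4]++ }                       # accounts per primary GID
        $3 >= min && $3 != 65534 { n++; user[n] = $1; gid[n] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                g = gid[i]; m = members[g]
                if (gname[g] != user[i] || prim[g] > 1 || (m != "" && m != user[i]))
                    print user[i] ":" gname[g]
            }
        }' "$2" "$1"
}
```

On a live system, call non_upg_users /etc/passwd /etc/group and home_exposure on each home directory; anything reported as "world" is readable or traversable by every local account.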
