Hi Bob,
First, thank you for the detailed answer; you kind of preventively
answered all my doubts and questions. :)
I am trying to set up a new line of security (files and network) as I just
changed country, and instead of being in one mostly targeting others, I
am now in one mostly targeted by others. :D
>> I have a strange behavior lately on my Deby. After a run of :
>> chown user:user -R /home/user/Documents
>> and :
>> chmod 700 -R /home/user/Documents
>
> Unfortunately that command was a mistake. That will set rwx for owner
> on all files unconditionally. For directories that is fine. But that
> is not correct for files. Only executables and executable scripts
> should have the execute bit set upon them.
>
> What you wanted to set was:
>
> chmod -R u+rwX,go-rwx /home/user/Documents
I ran this command to restart the process:
find /home/user/Documents -type f -exec chmod u+rw,go-rwx -R {} \;
and will make the relevant files executable afterwards according to my needs.
> The capital 'X' is the trick. The GNU chmod documentation on this says:
>
> 27.2.4 Conditional Executability
> --------------------------------
>
> There is one more special type of symbolic permission: if you use `X'
> instead of `x', execute/search permission is affected only if the file
> is a directory or already had execute permission.
>
> For example, this mode:
>
> a+X
>
> gives all users permission to search directories, or to execute files if
> anyone could execute them before.
Yeah, I did see that in the man pages, but I had too many files with
hazardous rights to trust this command.
> But wait! There's more.
Be sure I'm not going anywhere. :D
> That is usually called UPG (User Private Group).
>> chown user:user -R /home/user/Documents
>
> And so that group should belong to the user. Most importantly that
> group should belong *solely* to the user. No other users should be in
> that group. Therefore the better thing to do is to keep the group
> permissions when removing other permissions.
>
> chmod -R o-rwx /home/user/Documents
>
> Then you don't need to do anything more. That would correspond to a
> user "umask 07" setting. Better set "umask 07" or new files will be
> created with permissions you are trying to avoid.
>
> Personally I always use "umask 02" and then only add extra protection
> to specific files and directories that I want.
>
> And of course all of this is only important if you are operating on a
> multiuser server that has other people logging into it as non-root.
> (Root does not matter in either case. You can't protect yourself from
> root.) If this is on your personal laptop and no one else logs in
> then none of this matters and I would stick with the Debian UPG
> default along with the default "umask 02".
After reading this, I actually found this:
umask and level of security: the umask command can be used for setting
different security levels as follows:

  umask value   Security level   Effective permission (directory)
  022           Permissive       755
  026           Moderate         751
  027           Moderate         750
  077           Severe           700

here:
http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html
And I was planning to set up a "severe" security plan, based on the
thinking that I have 3 computers (that only I use) running behind a box,
and that I thought it wiser to set them to maximum security first, find
out what they will exchange second, and then update the permissions
accordingly, as I have very little influence on the box's security.
I then opted for umask 077. I'm not sure if it's really justified,
but it couldn't do any harm... I guess. :)
> If you want to verify what chmod is doing the GNU chmod command has
> the -v extension. It will echo print what it is doing while it is
> doing it. Adding the -v would show helpful information. For example:
>
> $ chmod -v -R 700 junk
> mode of `junk' retained as 0700 (rwx------)
> mode of `junk/junk2' retained as 0700 (rwx------)
> mode of `junk/junk2/file1' changed to 0700 (rwx------)
I always forget to use that functionality. ^^
>> I run :
>> find /home/user/Documents ! -perm 0700
>
> As Linux-fan correctly noted that skips files that match 0700
> exactly. So that part is working correctly. What didn't work was the
> chmod 700 part. But that was good because that isn't what you want to
> do.
>
[...]
> I believe you must have a typo somewhere. If you double check
> everything you will find it. However! As I explained you do not want
> to chmod 700 all of your files recursively. That would be bad. So
> take it as a good miss and don't do it again.
Strangely, it seems that using symbolic mode instead of octal solved my
issue: all files are processed and I no longer get random results.
Many thanks again for your insights; any pointers are always
<blink>welcomed</blink>. :)
--
“One original thought is worth a thousand mindless quotings.”
“Le vrai n'est pas plus sûr que le probable.”
Diogene Laerce
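As an added, constructed example (not from this thread, nor Bob's or Debian's code), here is a small POSIX shell script that builds a throwaway tree and shows the difference between `chmod -R 700` and `chmod -R u+rwX,go-rwx` discussed above, plus what umask does to newly created files. It assumes GNU coreutils (stat -c, chmod with X), as on Debian.

```shell
#!/bin/sh
# Constructed demo: builds a throwaway tree and compares the two
# recursive chmod forms from the thread. Assumes GNU coreutils.
set -eu

# Create a small sample tree: a plain data file and an already-executable
# script in a subdirectory. Prints the tree's path.
make_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sub"
    printf 'some notes\n' > "$dir/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$dir/sub/run.sh"
    chmod 664 "$dir/notes.txt"      # world-readable data file
    chmod 755 "$dir/sub/run.sh"     # script that should stay executable
    printf '%s\n' "$dir"
}

# Octal mode in human-readable stat form, e.g. 600.
mode_of() { stat -c '%a' "$1"; }

# The mistaken form: the x bit is forced onto every file, data included.
fix_octal() { chmod -R 700 "$1"; }

# The recommended form: owner rw everywhere, X only on directories and
# on files that were already executable, nothing for group/other.
fix_symbolic() { chmod -R u+rwX,go-rwx "$1"; }

# List anything whose mode is neither 700 (dirs, executables) nor 600
# (plain files); empty output means the tree is as intended.
leftovers() { find "$1" ! -perm 700 ! -perm 600; }

# Mode a freshly created file gets under a given umask, showing why the
# umask matters for new files rather than re-running chmod each time.
new_file_mode() {
    ( umask "$1"; d=$(mktemp -d); : > "$d/new"; mode_of "$d/new"; rm -rf "$d" )
}
```

Run `t=$(make_tree); fix_symbolic "$t"; leftovers "$t"` to see an empty result, and compare with `fix_octal` on a second tree, where notes.txt ends up 700.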