[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Getting rights right

Hi Bob,

First thank you for the detailed answer, you kind of preventively
answered to all my doubts or interrogations. :)

I try to set up a new line of security (files and network) as I just
changed country and instead of being in one mostly targeting others, I
am now in one mostly targeted by others. :D

>> I have a strange behavior lately on my Deby. After a run of :
>>     chown user:user -R /home/user/Documents
>> and :
>>     chmod 700 -R /home/user/Documents
> Unfortunately that command was a mistake.  That will set rwx for owner
> on all files unconditionally.  For directories that is fine.  But that
> is not correct for files.  Only executables and executable scripts
> should have the execute bit set upon them.
> What you wanted to set was:
>   chmod -R u+rwX,go-rwx /home/user/Documents

I ran this command to restart the process :

     find /home/user/Documents -type f -exec chmod u+rw,go-rwx -R {} \;

and will make executable all following files according the needs.

> The capital 'X' is the trick.  The GNU chmod documentation on this says:
>   27.2.4 Conditional Executability
>   --------------------------------
>   There is one more special type of symbolic permission: if you use `X'
>   instead of `x', execute/search permission is affected only if the file
>   is a directory or already had execute permission.
>      For example, this mode:
>        a+X
>   gives all users permission to search directories, or to execute files if
>   anyone could execute them before.

Yeah I did see that in the man pages but I had too much files with
hazardous rights to trust this command.

> But wait!  There's more.

Be sure I'm not going anywhere. :D

> That is usually called UPG (User Private Group).
>>     chown user:user -R /home/user/Documents
> And so that group should belong to the user.  Most importantly that
> group should belong *solely* to the user.  No other users should be in
> that group.  Therefore the better thing to do is to keep the group
> permissions when removing other permissions.
>   chmod -R o-rwx /home/user/Documents
> Then you don't need to do anything more.  That would correspond to a
> user "umask 07" setting.  better set "umask 07" or new files will be
> created with permissions you are trying to avoid.
> Personally I always use "umask 02" and then only add extra protection
> to specific files and directories that I want.
> And of course all of this is only important if you are operating on a
> multiuser server that has other people logging into it as non-root.
> (Root does not matter in either case.  You can't protect yourself from
> root.)  If this is on your personal laptop and no one else logs in
> then none of this matters aand I would stick with the Debian UPG
> default along with the default "umask 02".

After reading this, I actually found that :

umask and level of security : The umask command be used for setting
different security levels as follows:

umask value	Security level	Effective permission (directory)
022		Permissive	755
026		Moderate	751
027		Moderate	750
077		Severe		700

in there :

And I was planning to set a "severe" security plan. Based on the
thinking that I have 3 computers (that only I use) to run behind a box
and that I thought wiser to set them to the maximum security first, find
out what they will exchange in second and then update the permissions
accordingly, as I have very little impact on the box security.

I then opted for the umask 077. I'm not sure if it's really justified
but it couldn't do no harm.. I guess. :)

> If you want to verify what chmod is doing the GNU chmod command has
> the -v extension.  It will echo print what it is doing while it is
> doing it.  Adding the -v would show helpful information.  For example:
>   $ chmod -v -R 700 junk
>   mode of `junk' retained as 0700 (rwx------)
>   mode of `junk/junk2' retained as 0700 (rwx------)
>   mode of `junk/junk2/file1' changed to 0700 (rwx------)

I always forget to use that functionality. ^^

>> I run :
>>     find /home/user/Documents ! -perm 0700
> As Linux-fan correctly noted that skips files that match 0700
> exactly.  So that part is working correctly.  What didn't work was the
> chmod 700 part.  But that was good because that isn't want you want to
> do.
> I believe you must have a typo somewhere.  If you double check
> everything you will find it.  However!  As I explained you do not want
> to chmod 700 all of your files recursively.  That would be bad.  So
> take it as a good miss and don't do it again.

Strangely, it seems that using symbolic mode instead of octal solved my
issue : all files are treated and I have no random results anymore.

Very thanks for your lights again, any indicators are always
<blink>welcomed</blink>. :)

“One original thought is worth a thousand mindless quotings.”
“Le vrai n'est pas plus sûr que le probable.”

                                              Diogene Laerce

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: