Hi Bob,

First, thank you for the detailed answer; you kind of preemptively
answered all my doubts or questions. :)

I am trying to set up a new line of security (files and network) as I just
changed country and instead of being in one mostly targeting others, I am
now in one mostly targeted by others. :D

>> I have a strange behavior lately on my Deby. After a run of :
>>   chown user:user -R /home/user/Documents
>> and :
>>   chmod 700 -R /home/user/Documents
>
> Unfortunately that command was a mistake.  That will set rwx for owner
> on all files unconditionally.  For directories that is fine.  But that
> is not correct for files.  Only executables and executable scripts
> should have the execute bit set upon them.
>
> What you wanted to set was:
>
>   chmod -R u+rwX,go-rwx /home/user/Documents

I ran this command to restart the process :

  find /home/user/Documents -type f -exec chmod u+rw,go-rwx -R {} \;

and will make executable all following files according to the needs.

> The capital 'X' is the trick.  The GNU chmod documentation on this says:
>
>   27.2.4 Conditional Executability
>   --------------------------------
>
>   There is one more special type of symbolic permission: if you use `X'
>   instead of `x', execute/search permission is affected only if the file
>   is a directory or already had execute permission.
>
>   For example, this mode:
>
>        a+X
>
>   gives all users permission to search directories, or to execute files if
>   anyone could execute them before.

Yeah, I did see that in the man pages but I had too many files with
hazardous rights to trust this command.

> But wait!  There's more.

Be sure I'm not going anywhere. :D

> That is usually called UPG (User Private Group).

>> chown user:user -R /home/user/Documents
>
> And so that group should belong to the user.  Most importantly that
> group should belong *solely* to the user.  No other users should be in
> that group.  Therefore the better thing to do is to keep the group
> permissions when removing other permissions.
>
>   chmod -R o-rwx /home/user/Documents
>
> Then you don't need to do anything more.  That would correspond to a
> user "umask 07" setting.  Better set "umask 07" or new files will be
> created with permissions you are trying to avoid.
>
> Personally I always use "umask 02" and then only add extra protection
> to specific files and directories that I want.
>
> And of course all of this is only important if you are operating on a
> multiuser server that has other people logging into it as non-root.
> (Root does not matter in either case.  You can't protect yourself from
> root.)  If this is on your personal laptop and no one else logs in
> then none of this matters and I would stick with the Debian UPG
> default along with the default "umask 02".

After reading this, I actually found that :

  umask and level of security :

  The umask command can be used for setting different security levels
  as follows:

  umask value   Security level   Effective permission (directory)
  022           Permissive       755
  026           Moderate         751
  027           Moderate         750
  077           Severe           700

in there :
http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html

And I was planning to set a "severe" security plan. Based on the thinking
that I have 3 computers (that only I use) to run behind a box and that I
thought it wiser to set them to the maximum security first, find out what
they will exchange second and then update the permissions accordingly,
as I have very little impact on the box security.

I then opted for the umask 077. I'm not sure if it's really justified but
it couldn't do any harm... I guess. :)

> If you want to verify what chmod is doing the GNU chmod command has
> the -v extension.  It will echo print what it is doing while it is
> doing it.  Adding the -v would show helpful information.
> For example:
>
>   $ chmod -v -R 700 junk
>   mode of `junk' retained as 0700 (rwx------)
>   mode of `junk/junk2' retained as 0700 (rwx------)
>   mode of `junk/junk2/file1' changed to 0700 (rwx------)

I always forget to use that functionality. ^^

>> I run :
>>   find /home/user/Documents ! -perm 0700
>
> As Linux-fan correctly noted that skips files that match 0700
> exactly.  So that part is working correctly.  What didn't work was the
> chmod 700 part.  But that was good because that isn't what you want to
> do.
> [...]
> I believe you must have a typo somewhere.  If you double check
> everything you will find it.  However!  As I explained you do not want
> to chmod 700 all of your files recursively.  That would be bad.  So
> take it as a good miss and don't do it again.

Strangely, it seems that using symbolic mode instead of octal solved my
issue : all files are treated and I have no random results anymore.

Many thanks for your lights again, any indicators are always
<blink>welcomed</blink>. :)

--
“One original thought is worth a thousand mindless quotings.”
“The true is no more certain than the probable.”

Diogene Laerce
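
Added example, not part of the original message or thread: a shell sketch that compares the recursive chmod modes and umask values discussed above on a constructed temporary tree. It assumes GNU coreutils and findutils on Linux; all function names and paths are made up for the illustration.

```sh
#!/bin/sh
# Added illustration. Assumes GNU coreutils (stat -c) and GNU find on Linux.
# The tree is constructed in a temporary directory; every name is made up.

mode() { stat -c %a "$1"; }               # octal mode of one path

make_tree() {                             # $1 = directory to create
    mkdir -p "$1/sub"
    echo data > "$1/sub/notes.txt";  chmod 644 "$1/sub/notes.txt"
    echo '#!/bin/sh' > "$1/run.sh";  chmod 755 "$1/run.sh"
    chmod 755 "$1" "$1/sub"
}

# Apply each chmod mode in "$@" recursively, in order, to a fresh tree and
# print "<subdir> <data file> <script>" as octal modes.
modes_after() {
    t=$(mktemp -d) || return 1
    make_tree "$t/docs"
    for m in "$@"; do chmod -R "$m" "$t/docs"; done
    echo "$(mode "$t/docs/sub") $(mode "$t/docs/sub/notes.txt") $(mode "$t/docs/run.sh")"
    rm -rf "$t"
}

# Print "<file> <directory>" modes for objects created under umask $1.
new_modes() {
    t=$(mktemp -d) || return 1
    ( umask "$1"; : > "$t/f"; mkdir "$t/d" )
    echo "$(mode "$t/f") $(mode "$t/d")"
    rm -rf "$t"
}

# List regular files that carry any execute bit, for reviewing a tree.
exec_files() { find "$1" -type f -perm /111; }

printf '%-28s %s\n' "chmod -R 700"              "$(modes_after 700)"
printf '%-28s %s\n' "chmod -R u+rwX,go-rwx"     "$(modes_after u+rwX,go-rwx)"
printf '%-28s %s\n' "chmod -R o-rwx"            "$(modes_after o-rwx)"
# X only adds an execute bit where one already exists; it never removes one,
# so a data file that already received 700 keeps its x bit under u+rwX.
printf '%-28s %s\n' "700, then u+rwX,go-rwx"    "$(modes_after 700 u+rwX,go-rwx)"
printf '%-28s %s\n' "umask 077 (file dir)"      "$(new_modes 077)"
printf '%-28s %s\n' "umask 002 (file dir)"      "$(new_modes 002)"
```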