[Debian v3.0 r2] /root & /home/* are worldreadable?!

Posted on 2004-07-30
Last Modified: 2010-04-22
I just want to know if the following is a bug in Debian:

I checked the default (out of the box) permissions of my freshly installed Debian 3.0 r2 installation and found that all directories under /home and the /root are world-readable and world-executable.

Is this normal?

Because I was used to RedHat 8 and all default permissions were 0750 over there...
Question by: dplus

Expert Comment

ID: 11677464
It's completely normal, and is the default for home directories and /root to be world readable and executable.

For one thing, home directories generally need to be world executable if users are running web sites from a public_html directory: otherwise, the web server can't get in.

(Execute permission on a directory means the ability to access data in it, and get into the immediate child directories. Read permission on a directory means the ability to get the list of the names of files stored in that

Users often want to share files with each other on a multiuser system. If they're working with information that needs to be kept secret, they should of course set the permissions on individual files to read by owner only.

(That way if they want to share something later, when they "open up their home directory" they won't be opening up more than they think to the world)

For the privacy concerned, the best practice is to set a good UMASK that controls default permissions of new files and directories... it's an option that can be set in the login script, .profile, .tcshrc, .cshrc, etc... i.e.
 umask 077

077 makes new files mode 600 by default and new directories mode 700 by default, for example
(Since 0777 - 077 = 0700 and (0700 & 0666) = 0600)


Accepted Solution

ahoffmann earned 50 total points
ID: 11677560
> For one thing, home directories generally need to be world executable if users are running web sites from a public_html directory: otherwise, the web server can't get in

this example just shows a purely/unsecure configured web server
(rest of explanation is good:)

'cause this is a security TA, I'd suggest 0700 for /home/* and /root
if there is something to share, 0750 for /home/* (but that's unsecure in most cases)
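
An added example, not part of the original thread: a POSIX shell sketch that lists the directories under a base path (default /home) that grant any permission to "other", and shows the file and directory modes a given umask produces. The function names are this example's own, and it assumes GNU stat with a BSD stat fallback.

```shell
#!/bin/sh
# mode_of PATH: print the octal permission bits of PATH.
# GNU stat syntax first, BSD stat syntax as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# world_accessible_dirs BASE: print "MODE PATH" for every immediate
# subdirectory of BASE whose mode grants r, w or x to "other".
world_accessible_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue          # unmatched glob or not a directory
        d=${d%/}
        m=$(mode_of "$d")
        other=${m#"${m%?}"}              # last octal digit = bits for "other"
        if [ "$other" != "0" ]; then
            printf '%s %s\n' "$m" "$d"
        fi
    done
    return 0
}

# modes_under_umask MASK: create one file and one directory in a scratch
# directory with MASK in effect and print "FILEMODE DIRMODE".
# Runs in a subshell so the caller's umask is left unchanged.
modes_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/file"                  # files are requested as 0666
        mkdir "$tmp/dir"                 # directories are requested as 0777
        printf '%s %s\n' "$(mode_of "$tmp/file")" "$(mode_of "$tmp/dir")"
        rm -rf "$tmp"
    )
}

# Report on the base path given as the first argument (default: /home),
# then show what the umask suggested in the thread produces.
world_accessible_dirs "${1:-/home}"
modes_under_umask 077
```

A umask only affects files and directories created afterwards; existing home directories keep their mode until changed with chmod.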

Question has a verified solution.