Solved

[Debian v3.0 r2] /root & /home/* are worldreadable?!

Posted on 2004-07-30
2
236 Views
Last Modified: 2010-04-22
Hi,
I just want to know if the following is a bug in Debian:

I checked the default (out of the box) permissions of my freshly installed Debian 3.0 r2 installation and found that all directories under /home and the /root are world-readable and world-executable.

Is this normal?

Because I was used to RedHat 8 and all default permissions were 0750 over there...
0
Comment
Question by:dplus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 23

Expert Comment

by:Mysidia
ID: 11677464
It's completely normal, and is the default for home directories and /root to be world readable and executable.

For one thing, home directories generally need to be world executable if users are running web sites from a public_html
directory: otherwise, the web server can't get in

(Execute permission on a directory means the ability to access data in it, and get into the immediate child
  directories. Read permission on a directory means the ability to get the list of the names of files stored in that
  directory.)

Users often want to share files with each other on a multiuser system.   If they're working with information that needs to be kept secret, they should of course set the permissions on individual files to read by owner only.

(That way if they want to share something later, when they "open up their home directory" they won't be opening up more than they think to the world)

For the privacy concerned, the best practice is to set a good UMASK that controls default permissions of new files
and directories... it's an option that can be set in the login script, .profile, .tcshrc, .cshrc, etc...  i.e.
 umask 077

077  makes new files mode 600 by default and new directories mode 700 by default, for example
(Since 0777 - 077 = 0700    and  (0700 & 0666) = 0600)


0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
ID: 11677560
> For one thing, home directories generally need to be world executable if users are running web sites from a public_html directory: otherwise, the web server can't get in

NO, NO
this example just shows a purely/unsecure  configured web server
(rest of explanation is good:)

'cause this is a security TA, I'd sugest 0700 for /home/* and /root
if there is something to share, 0750 for /home/* (but that's unsecure in most cases)
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question