Solved

[Debian v3.0 r2] /root & /home/* are worldreadable?!

Posted on 2004-07-30
Last Modified: 2010-04-22
Hi,
I just want to know if the following is a bug in Debian:

I checked the default (out of the box) permissions of my freshly installed Debian 3.0 r2 installation and found that all directories under /home and the /root are world-readable and world-executable.

Is this normal?

Because I was used to RedHat 8 and all default permissions were 0750 over there...
0
Question by:dplus
2 Comments
 

Expert Comment

by:Mysidia
It's completely normal, and is the default for home directories and /root to be world readable and executable.

For one thing, home directories generally need to be world executable if users are running web sites from a public_html directory: otherwise, the web server can't get in.

(Execute permission on a directory means the ability to access data in it, and get into the immediate child directories. Read permission on a directory means the ability to get the list of the names of files stored in that directory.)

Users often want to share files with each other on a multiuser system. If they're working with information that needs to be kept secret, they should of course set the permissions on individual files to read by owner only.

(That way if they want to share something later, when they "open up their home directory" they won't be opening up more than they think to the world.)

For the privacy concerned, the best practice is to set a good UMASK that controls default permissions of new files and directories... it's an option that can be set in the login script, .profile, .tcshrc, .cshrc, etc... i.e.
 umask 077

077 makes new files mode 600 by default and new directories mode 700 by default, for example
(since 0777 - 077 = 0700 and (0700 & 0666) = 0600).


0
 

Accepted Solution

by:ahoffmann earned 50 total points
> For one thing, home directories generally need to be world executable if users are running web sites from a public_html directory: otherwise, the web server can't get in

NO, NO
this example just shows a poorly/insecurely configured web server
(rest of explanation is good :)

'cause this is a security TA, I'd suggest 0700 for /home/* and /root
if there is something to share, 0750 for /home/* (but that's insecure in most cases)
0
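
The umask arithmetic from the first answer and the 0700 suggestion from the accepted one, as an added example that is not part of the thread: it creates a file and a directory under each umask and audits a constructed stand-in for /home. It assumes GNU stat; the helper names and the directories alice, bob and carol are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (coreutils), as on Debian.

# Print the octal mode a new file (f) or directory (d) gets under umask $1.
# The body is a subshell, so the caller's umask is left untouched.
mode_under_umask() (
    umask "$1" || exit 1
    tmp=$(mktemp -d) || exit 1
    if [ "$2" = d ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    stat -c %a "$tmp/new"
    rm -rf "$tmp"
)

# Print "<mode> <path>" for each direct subdirectory of $1 that grants any
# permission to "other" (last octal digit non-zero). Symlinks are skipped.
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        m=$(stat -c %a "$d")
        case $m in
            *0) ;;                           # e.g. 700 or 750: closed to other
            *)  printf '%s %s\n' "$m" "$d" ;;
        esac
    done
}

# Audit a constructed stand-in for /home; alice, bob and carol are made-up names.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/alice" "$base/bob" "$base/carol"
    chmod 755 "$base/alice"   # world-readable and -executable, as in the question
    chmod 750 "$base/bob"     # the Red Hat 8 default mentioned in the question
    chmod 700 "$base/carol"   # the value suggested in the accepted answer
    audit_homes "$base"
    rm -rf "$base"
}

echo "umask 022: file $(mode_under_umask 022 f), dir $(mode_under_umask 022 d)"
echo "umask 077: file $(mode_under_umask 077 f), dir $(mode_under_umask 077 d)"
demo
```

On a real system the same check is `audit_homes /home`; /root is a single directory and can be checked directly with `stat -c %a /root`.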
