Feature changed by: Pascal Bleser (pbleser)
Feature #306645, revision 6
Title: Secure home directory permissions by default

openSUSE-11.2: Unconfirmed
Priority
Requester: Desirable

Requested by: Jan Engelhardt (jengelh)

Description:
Also see https://bugzilla.novell.com/show_bug.cgi?id=518550 .
The default for home directories is 0755 (umask 022 in login.defs), and here's the fate entry to change it to 0711 (umask 066).

Discussion:
#1: Karl Eichwalder (keichwa) (2009-07-04 06:55:24)
GNU/Linux is still Un*x and it is about cooperation. Besides this, every default is arguable as Thorsten pointed out in the referenced bug entry. It ain't use changing it. On sensible systems, better encrypt home directories.
Maybe, we should consider improving help texts and documentation if all this is not obvious to the user.

#2: Jan Engelhardt (jengelh) (2009-07-04 18:01:50) (reply to #1)
What on earth does home directory encryption bring you if the volume is mounted anyway.

+ #3: Pascal Bleser (pbleser) (2009-07-04 21:34:44)
+ Well, yes, it's a matter of taste.
+ But nevertheless, what advantage is there from having public-readable
+ home directories ?
+ I think it's simply a conflict between two use cases:
+ 1) a server where many users access each other's files that are in
+ their respective homes, e.g. sources of software development projects
+ 2) a workstation that is potentially used by several people, each
+ having their account, and where files under each user's home should not
+ be accessible to others by default
+ The only issue with changing 0755 to 0711 is ~/public_html An even
+ better solution could be to
+ * create a dedicated group, e.g. "home"
+ * put the user "www" into that group
+ * change /etc/skel to root:home and 0750
+ * change /etc/skel/public_html to root:wwwrun and 0750
+ Making it configurable could be done by having several home templates
+ (skels), e.g. /etc/skel.open or /etc/skel.restricted , and then change
+ the value of the variable SKEL in /etc/default/useradd through the
+ YaST2 security settings module.
+ "it is about cooperation" - one could similarily argue that it is about
+ security.

--
openSUSE Feature:
https://features.opensuse.org/306645
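
The two defaults discussed in this thread, checked in shell. This is an added example, not part of the feature entry or of any openSUSE tool: the function names, the sample login.defs fragment and the sample home tree are constructed, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: constructed sample data only; requires GNU stat (coreutils).

# Print the UMASK value from a login.defs-style file (comment lines are skipped).
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }' "$1"
}

# Print the mode a newly created directory gets under the given umask.
dir_mode_for_umask() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Print "MODE NAME" for each home under BASE that other users can list
# (o+r set). 0755 is reported; 0711 (traverse only, so ~/public_html stays
# reachable by path) and the group-based 0750 are not.
world_listable_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        if [ $(( 0$mode & 0004 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$(basename "$d")"
        fi
    done
}

# Build a constructed tree with the three modes named in the thread and audit it.
demo() {
    base=$(mktemp -d)
    printf '# constructed sample\nUMASK 022\n' > "$base/login.defs"
    mkdir "$base/home" "$base/home/alice" "$base/home/bob" "$base/home/carol"
    chmod 0755 "$base/home/alice"   # current default (umask 022)
    chmod 0711 "$base/home/bob"     # requested default (umask 066)
    chmod 0750 "$base/home/carol"   # group-based variant from comment #3
    echo "default home mode: $(dir_mode_for_umask "$(login_defs_umask "$base/login.defs")")"
    world_listable_homes "$base/home"
    rm -rf "$base"
}

demo
```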