Re: [SLE] more on umask
- From: James Knott <james.knott@xxxxxxxxxx>
- Date: Wed, 24 Aug 2005 16:33:09 -0400
- Message-id: <430CD985.8060804@xxxxxxxxxx>
James Knott wrote:
> Jos van Kan wrote:
>>James Knott wrote:
>>>Jos van Kan wrote:
>>>>I fail to see what this has got to do with security. It completely
>>>>defeats the group idea to give every user its own group. But if you want
>>>>to keep everyone out of your files and directories nothing stops you
>>>>from chmod'ing the lot to y00, y=0..7
>>>
>>>The security problem is that:
>>>
>>>a) Every user is a member of users
>>>b) In the default install, every member of the group users has access to
>>>the home directory of every other user.
>>>
>>Yes. But that has nothing to do with security. Only if you *allow*
>>rights to the group "users" that group has reading rights. That the
>>default setup allows the group *reading* rights to your documents is
>>just what the group idea is all about. This has nothing to do with
>>security. Nothing prevents you from creating a directory
>>
>>mkdir very_secret_and_personal_documents
>>chmod 700 very_secret_and_personal_documents
>>
>>and no one will be able to even enter that directory.
>>And nothing prevents you from doing
>>chmod -R go-rwx *
>>to disallow all rights to all files and directories except to the user
>>himself.
>
> Why should group members have access to my files by default? If I want
> to stop them I have to change the permissions to my directory.
> Shouldn't it be the other way around, that I'd give them access, only if
> I wanted them to have it? The way it is right now, it's the same as all
> your neighbours having the same front door key, so that they can wander
> in and look around whenever they want.
>
>
Further on this. What if you were a member of two or more groups?
Should both groups have access to the files of the other groups? If
you keep all your group files in your home directory, that will happen.
However, if you're a member of group A and store the group A's files in
a group A directory, then members of group B, who are not also a member
of group A, will not have access. If you want group files etc., create
a group directory. Do not give group members default access to your
home directory.
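
The layout argued for in this message, as an added example that is not part of the original post: find home directories that grant group or other access, close one, and create a separate setgid group directory for shared files. The function names (`audit_homes`, `lock_home`, `make_group_dir`) are hypothetical, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes "stat -c" (GNU coreutils or BusyBox).

# Print each directory directly under $1 whose mode grants any
# group or other permission bit (anything beyond owner-only).
audit_homes() {
    base=$1
    for d in "$base"/*/; do
        d=${d%/}
        # Skip non-directories and symlinks (the glob also matches links).
        if [ ! -d "$d" ] || [ -L "$d" ]; then
            continue
        fi
        mode=$(stat -c '%a' "$d")          # octal digits, e.g. 755 or 2770
        # Leading 0 makes the shell read it as octal; 077 = group+other bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Remove all group/other bits from a home directory. With no search (x)
# permission on the directory, other users cannot enter it.
lock_home() {
    chmod go-rwx "$1"
}

# Create a shared directory for one group only:
#   owner+group rwx, others nothing, setgid so new files inherit the group.
# $2 may be a group name or numeric GID the caller belongs to.
make_group_dir() {
    dir=$1
    grp=$2
    mkdir -p "$dir" &&
    chgrp "$grp" "$dir" &&
    chmod 2770 "$dir"
}
```

Members of group B who are not in group A get no access to a directory created with `make_group_dir /path/groupA groupA`, while each home directory stays owner-only.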