On 07/08/2014 09:21 AM, jdd wrote:
Le 08/07/2014 15:09, Anton Aylward a écrit :
On 07/07/2014 04:00 PM, Dirk Gently wrote:
A lot of organizations using Linux or Unix would come to a screeching halt if the default permissions for home directories were drwx------.
there is a yast/users and security/security center that should give all
NOT!

You forget, baseline UNIX/Linux only implements DAC - DISCRETIONARY access control, not MAC - MANDATORY access control. That is why enterprise grade implementations from the 'Big Vendors' such as SUN, IBM and HP layered more comprehensive access control management systems -- usually resembling RBAC in some way -- on top of their implementations of UNIX.

The 'ugo'/'rwx' model of UNIX from the 1970s was a KISS view of things. One glaring omission in the permissions vector, for example, is who has the ability to modify the file status. There is the implicit assumption that if you own the file you can do anything with it, including 'give it away'.

The example of ~ being rwx------, for example, makes little sense since the user owns that and can modify the permissions. There is no way to implement a MANDATORY restriction.

Taking away the user's ownership stops them modifying the permissions, but it also stops them creating new files and directories in their home directory. Well, perhaps they shouldn't be doing that :-)

One way around this is to have a group for each user and the user being the only member of that group:

$ grep anton /etc/group
....
anton:x:1001:anton
....

and having

$ ls -ld ~anton
drwxrwx--- 1 root anton 3454 Jul 8 09:20 /home/anton

It's not perfect for any situation, but it offers some alternatives.
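The layout Anton describes (root-owned home, mode 770, group = a private group whose only member is the user) is something an administrator would want to audit rather than trust. The script below is an added example, not code from the thread or from openSUSE; it classifies a home directory from the DAC point of view, distinguishing a plain user-owned ~ (which the user can chmod at will) from the root-owned, private-group variant. It assumes GNU coreutils `stat` (Linux) and a group file in /etc/group format; the function names and the sample group data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a home directory against the
# "root-owned, mode 770, private per-user group" layout versus a plain
# user-owned ~. Assumes GNU stat (Linux) and an /etc/group-format file.

# private_group GROUP USER GROUPFILE
# Prints "private" if GROUP exists and lists no supplementary member other
# than USER, "shared" if anyone else is listed, "missing" if GROUP is absent.
private_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g {
            found = 1; ok = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != u) ok = 0
            print (ok ? "private" : "shared")
        }
        END { if (!found) print "missing" }
    ' "$3"
}

# home_check DIR USER GROUPFILE
# Classifies DIR:
#   WORLD-ACCESSIBLE  the "other" bits are set, whoever owns it
#   OWNER-CONTROLLED  USER owns DIR, so USER can chmod/chgrp it (plain DAC)
#   ROOT-LOCKED       root owns DIR, group is USER's private group, mode 770
#   SHARED-GROUP      root owns DIR but other accounts are in its group
#   UNEXPECTED        anything else (wrong owner, wrong mode, missing group)
home_check() {
    dir=$1 user=$2 groupfile=$3
    info=$(stat -c '%U %G %a' "$dir") || return 2
    set -- $info
    owner=$1 group=$2 mode=$3
    # %a prints the octal mode without a leading zero; last digit = "other"
    other=$(printf '%s' "$mode" | tail -c 1)
    if [ "$other" != 0 ]; then
        echo WORLD-ACCESSIBLE
    elif [ "$owner" = "$user" ]; then
        echo OWNER-CONTROLLED
    elif [ "$owner" = root ]; then
        case "$(private_group "$group" "$user" "$groupfile")" in
            private)
                case "$mode" in
                    770|2770) echo ROOT-LOCKED ;;   # setgid variant accepted
                    *)        echo UNEXPECTED ;;
                esac ;;
            shared) echo SHARED-GROUP ;;
            *)      echo UNEXPECTED ;;
        esac
    else
        echo UNEXPECTED
    fi
}

# Usage (hypothetical): sh audit_home.sh anton [/etc/group]
if [ -n "${1:-}" ]; then
    home_check "/home/$1" "$1" "${2:-/etc/group}"
fi
```

Run as any user; a result other than ROOT-LOCKED means the user retains the ability to open their own home up, which is exactly the point Anton makes about DAC.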