Do group/other permissions matter for personal files on a single user laptop?
Short version: By default, my umask is 0022, and my personal files thus mostly have rw-r--r--. With respect to security, what specific changes to this are recommended on a single-login laptop?
Long version: When UNIX was designed as a multi-user system, group/other permissions would definitely matter, not to let other long-haired tech pioneers peek into your home directory and such.
However, on a single-login laptop, do umask/group/other permissions for your own personal files matter at all? I imagine that for this to matter, someone would have to have physical access or a trojan into your machine, in which case all bets are off anyway.
Maybe it would feel better / more like the olden days with go-rwx in $HOME, but I read somewhere that you shouldn't change umask unless you really know what you're doing, which I might not do.
Should I just trust my default OS behaviour and care less about permissions for my personal files? Or are there some best practice settings I always apply every time I start using a new machine?
permissions security
Even if your laptop only has one human user, it likely has a number of system accounts for various services. Properly managing your own file permissions will make it less likely that one of those accounts can be used to access your files (e.g. through a bug in a non-root-owned service). – Kusalananda, Mar 23 at 9:50
You mean services like mail servers, web servers, etc.? I can see how that could make sense, but most regular apps and utilities you get from package systems you run as yourself, and then they automatically have access to all files owned by you anyway, don't they? – forthrin, Mar 23 at 10:04
edited Mar 23 at 11:49
asked Mar 23 at 9:41
forthrin
1 Answer
As Kusalananda says, your laptop has many non-human accounts which are used for a variety of purposes; you can see that in action by running
ps -f -N -u root -u $(whoami)
(which will show detailed information about all processes which aren't running as root or you).
You'll see there quite a few processes which share one common feature: they are externally accessible in one way or another. On a typical laptop, officially running no server processes, this will include tasks like the login screen, your VPN if you have one, any DNS helpers (Avahi etc.)... Running these as different users gives you some protection from external attacks, because compromising them doesn't immediately endanger your files, as long as your files have the appropriate permissions.
User permissions on a single-human-user system become even more relevant once you do start running "official" servers (a web server, print server...), or if you start using multiple user accounts to segregate potentially risky use cases (browsing with Flash, running games via Steam...).
However security is always a matter of compromise, and no one can recommend a best practice for you without knowing your specific work patterns, what data you care about, and what attack scenarios you want to protect against. In that general context, the common 0022 umask is a sensible default (it prevents others from overwriting or deleting your files, but system services running as system users can still read your files).
answered Mar 23 at 10:18
Stephen Kitt
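Added example (not part of the original answer): a small audit showing which files a service account in the "other" class could actually read or modify under a 0022 versus a 0077 umask. It goes slightly beyond the answer by also checking directory search bits, since a rw-r--r-- file inside a go-rwx directory is unreachable. The function names and the sample tree are constructed for illustration, and only classic mode bits are considered (no ACLs or group membership).

```shell
#!/bin/sh
# Added example: audits mode bits for the "other" class only; ACLs and group
# membership are ignored. Function names and the sample tree are constructed.

# Print regular files under $1 that an unrelated account could open for
# reading: the file needs o+r AND every directory from $1 down needs o+x.
other_readable() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# Print files and directories under $1 that an unrelated account could modify.
other_writable() {
    find "$1" -type d ! -perm -001 -prune -o ! -type l -perm -002 -print
}

# Build a constructed sample tree with the given umask and print its path.
make_sample_tree() (
    umask "$1"
    root=$(mktemp -d) || exit 1
    chmod 755 "$root"              # stand-in for a world-searchable $HOME
    mkdir "$root/docs" "$root/private"
    echo notes  > "$root/docs/notes.txt"
    echo secret > "$root/private/key.txt"
    chmod 700 "$root/private"      # go-rwx applied to one directory only
    echo "$root"
)

# Demo: compare the default umask from the question with a stricter one.
for mask in 0022 0077; do
    tree=$(make_sample_tree "$mask")
    echo "umask $mask: readable by other accounts:"
    other_readable "$tree" | sed "s|^$tree|  \$HOME|"
    rm -rf "$tree"
done
```

To audit a real account, run `other_readable "$HOME"` and `other_writable "$HOME"`; this assumes the directories above the home directory are world-searchable, as they usually are.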