Default permissions on Linux Home Directories
2 votes
This question (permissions 755 on /home/<user>/) covers off part of my questions but:
Default permissions on a home directory are 755 in many instances. However that lets other users wander into your home folder and look at stuff.
Changing the permissions to 711 (rwx--x--x) means they can traverse folders but not see anything. This is required if you have authorized_keys for SSH - without it the SSH gives errors when trying to access the system using a public key.
Is there some way to set up the folders / directories so SSH can access authorized_keys, postfix / mail can access files it requires, the system can access config files but without all and sundry walking the system?
I can manually make the folder 711, set ~/.ssh/authorized_keys as 644 but remembering to do that every time for every config is prone to (my) mistakes.
I would have thought by default all files were private unless specifically shared but with the two Ubuntu boxes (admittedly server boxes) everyone can read all newly created files. That seems a little off as a default setting.
linux permissions home
edited Apr 13 '17 at 12:36
Community
asked Oct 12 '16 at 3:14
Shane
2 Answers
3 votes, accepted
As noted in the manual, by default home folders made with useradd copy the /etc/skel folder, so if you change its subfolder rights, all users created afterwards with default useradd will have the desired rights. Same for adduser. Editing "UMASK" in /etc/login.defs will change the rights when creating home folders.
If you want more user security you can encrypt home folders and put ssh keys in /etc/ssh/%u instead of /home/%u/.ssh/authorized_keys.
edited Dec 16 '17 at 13:14
answered Oct 12 '16 at 3:24
user1133275
Thank you. It's strange, I've been using Linux server for years but never even considered the skel folder. Seems I had a blind spot in my knowledge. Thank you.
– Shane
Oct 13 '16 at 22:45
Sounds like the most polite RTFM I've ever received :) Thanks. Like I said it is a blind spot - most of my Linux experience is on servers, no requirements for other than root user to access it. I've debugged the most arcane issues with drivers, set up highly secure servers, but never had to deal with multi user access in over 16 years. That's all been handled by Samba, DB access but we don't do ssh, scp, ftp or log on access for users - ever. Until today. TMFR'd ;)
– Shane
Oct 16 '16 at 7:24
I don't see that in the referenced manual, nor does that seem to be the case.
– Teekin
Dec 9 '17 at 20:13
@user1133275, I was trying to solve a different problem, i.e. trying to change the default rights of the newly created home folder itself, not a folder within it, so I misunderstood your answer to say something that it doesn't (and appropriately, it didn't work for me). Your answer makes sense in light of the question. The solution to my problem is editing "UMASK" in /etc/login.defs, in case anyone else is interested.
– Teekin
Dec 15 '17 at 18:11
@user1133275: I downvoted it earlier, but I'd like to upvote it if you clarify that the answer regards folders within /etc/skel. The way it's now, it looks like /etc/skel's rights themselves would be copied to the newly created home folder, which is not the case. I can't upvote unless you edit it, so if you clarify it (and ping me), I'll upvote.
– Teekin
Dec 15 '17 at 18:13
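An added example, not part of the original question or answers: a shell script that computes the home-directory mode a given UMASK value yields and audits a tree of home directories for the 755 / 711 / 700 cases from the question, also flagging group- or world-writable `.ssh` entries, which sshd rejects when `StrictModes` is on. The user names and the temporary tree are constructed samples, the function names are hypothetical, and `stat -c` assumes Linux.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Linux `stat -c`.
# All user names and paths below are constructed samples.

# Mode a new home directory gets when derived from a UMASK value:
# 0777 with the UMASK bits cleared (022 -> 755, 077 -> 700).
home_mode_for_umask() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Classify a directory by the access it grants to "other" users
# (group/world write is reported first because it is the worst case).
classify_dir() {
    mode=$(stat -c '%a' "$1")
    perm=$(( 0$mode ))
    if   [ $(( perm & 022 )) -ne 0 ]; then echo unsafe    # group/world-writable
    elif [ $(( perm & 004 )) -ne 0 ]; then echo listable  # 755: others can list names
    elif [ $(( perm & 001 )) -ne 0 ]; then echo traverse  # 711: pass through only
    else                                   echo private   # 700: no access for others
    fi
}

# Print "<user> <mode> <class>" for every directory under $1, plus one line
# for each .ssh entry that is writable by group or others.
audit_homes() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        name=${home##*/}
        echo "$name $(stat -c '%a' "$home") $(classify_dir "$home")"
        for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
            [ -e "$p" ] || continue
            pmode=$(stat -c '%a' "$p")
            rel=${p#"$home"/}
            if [ $(( 0$pmode & 022 )) -ne 0 ]; then
                echo "$name $rel $pmode group-or-world-writable"
            fi
        done
    done
}

# Build a constructed tree of sample homes in a temp dir and print its path.
make_sample_homes() {
    base=$(mktemp -d)
    mkdir -p "$base/alice" "$base/bob/.ssh" "$base/carol" "$base/dave/.ssh"
    : > "$base/bob/.ssh/authorized_keys"
    : > "$base/dave/.ssh/authorized_keys"
    chmod 700 "$base/bob/.ssh" "$base/dave/.ssh"
    chmod 644 "$base/bob/.ssh/authorized_keys"
    chmod 664 "$base/dave/.ssh/authorized_keys"
    chmod 755 "$base/alice"; chmod 711 "$base/bob"
    chmod 700 "$base/carol"; chmod 775 "$base/dave"
    echo "$base"
}

# Demo run on the constructed tree.
for u in 022 027 077; do
    echo "UMASK $u -> home mode $(home_mode_for_umask "$u")"
done
sample=$(make_sample_homes)
audit_homes "$sample"
rm -rf "$sample"
```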
0 votes
How the permissions should be set depends on the overall security policy and the use case. Back in the old days Unix machines were truly multi-user systems with several hundred users logged in concurrently via serial terminals (such as a DEC VT-220). In this scenario your point was an issue - sometimes. Unix was used a lot in academic environments such as universities where security was a lesser concern, at least lesser than seamless collaboration.
Today Unix (esp. in the incarnation Linux) is used as a server system, in which case restricting home directories (there won't be too many, anyway) is rather pointless. Or, it is used for the desktop, where there is typically one user, in which case restricting home directories is also rather pointless.
Therefore, from a certain point of view you are right. Yet, it is largely irrelevant for most use cases (especially the single-user case) and their risk profile, and thus, home directory permissions 0755 are as ok as 0700, 0711 or 0777.
Appendix
However, even a single user may have several user accounts, e.g. a default one, one for online banking, and one for generic web surfing etc., such that accounts are used for a kind of sand-boxing. In such cases stricter permissions are in order.
answered Oct 26 '16 at 10:07
countermode