On Mon, 10 Mar 2003, Johannes Berth wrote:
> You don't have to make your $HOME world readable, just world executable.
[...]
> With 711 on your $HOME and secure chmods on your files nobody will be
> able to see files you don't want them to see.
... but there's still no reason to place "public html"
* Thomas Sjögren <[EMAIL PROTECTED]>:
[ WWW pages in /var rather than in /home/user/public_html ]
> With this solution there is no need to make home dirs world readable,
You don't have to make your $HOME world readable, just world executable.
> thus you're able to set 700 on their homes which,
I'd like to cast a vote for more restrictive permissions as well
Access to files & directories should be as restrictive as possible
out of the box. If a user or 3rd party app need more access to any
given area I'll give it as long as it doesn't break th
On Monday 10 March 2003 15.19, Rob VanFleet wrote:
> > No they don't.
> > You shouldn't place user websites in their home dirs. Place the
> > user "webspace" in e.g /var/www/[user] and symlink from
> > public_html or whatever.
>
> ..and this makes a difference how...? I'm not necessarily trying t
On Sat, Mar 08, 2003 at 08:16:38PM +0100, Thomas Sjögren wrote:
> On Sat, 8 Mar 2003, Birzan George Cristian wrote:
>
> > > It should be locked down and not touched by adduser ("Would You Like To
> > > Make All Homedirs World-Readable?").
> > root is not the regular user. Users need o+x on their h
Christian Jaeger <[EMAIL PROTECTED]> writes:
> At 23:29 Uhr +0100 08.03.2003, Olaf Dietsche wrote:
>>Christian Jaeger <[EMAIL PROTECTED]> writes:
>>
>> > I began working with (unix/)linux.) And as written in my other reply
>> > I'm still missing a better alternative to
>> > /root/bin. "/local-
At 23:29 Uhr +0100 08.03.2003, Olaf Dietsche wrote:
Christian Jaeger <[EMAIL PROTECTED]> writes:
> I began working with (unix/)linux.) And as written in my other reply
> I'm still missing a better alternative to
> /root/bin. "/local-admin's-software/bin" maybe? AFAIK, the FHS does
> not pro
At 23:29 Uhr +0100 08.03.2003, Olaf Dietsche wrote:
Christian Jaeger <[EMAIL PROTECTED]> writes:
> I began working with (unix/)linux.) And as written in my other reply
> I'm still missing a better alternative to
> /root/bin. "/local-admin's-software/bin" maybe? AFAIK, the FHS does
> not provi
Christian Jaeger <[EMAIL PROTECTED]> writes:
> I began working with (unix/)linux.) And as written in my other reply
> I'm still missing a better alternative to
> /root/bin. "/local-admin's-software/bin" maybe? AFAIK, the FHS does
> not provide any.
Maybe /usr/local/sbin is, what you're looking f
At 20:23 Uhr +0100 08.03.2003, Stefan Neufeind wrote:
On 8 Mar 2003 at 17:40, Christian Jaeger wrote:
At 13:02 Uhr +0200 08.03.2003, Birzan George Cristian wrote:
- You should also be aware that a 0700 directory does not protect you
if you are moving another directory from outside to inside,
On Sat, Mar 08, 2003 at 08:16:38PM +0100, Thomas Sjögren wrote:
> > root is not the regular user. Users need o+x on their home dirs for
> > Apache to be able to serve pages.
>
> No they don't.
> You shouldn't place user websites in their home dirs. Place the user
> "webspace" in e.g /var/www/[use
On Sat, Mar 08, 2003 at 08:07:51PM +0100, Christian Jaeger wrote:
> Isn't it the same as for any user account? If that user (who maybe
> shares his account with other people) wants his home dir private, he
> can do so. Or create a subdir which is private(*). I just see no
Typical user accounts
[EMAIL PROTECTED] wrote:
> how about offering it as an installation option?
> * /root/ permission
> some say 755 because ...
> others
> 700 because ...
> please select [700 | 750 | 755]
>
> or whatever options seem sensible...
Because it's unnecessary. Installation is already too cluttered with
Hi list,
> Birzan George Cristian wrote:
>
> > First of all, I'd like to say that, yes, I know this was discussed
> > before, but no consensus was reached and the thread died. (Or at least,
> > the one I found by doing a quick Google search)
>
> No consensus was reached because none was possible
On 8 Mar 2003 at 17:40, Christian Jaeger wrote:
> At 13:02 Uhr +0200 08.03.2003, Birzan George Cristian wrote:
> - You should also be aware that a 0700 directory does not protect you
> if you are moving another directory from outside to inside, since
> users who have already chdir'd into it remain
On Sat, Mar 08, 2003 at 10:58:10AM -0800, Ted Parvu wrote:
> Why would you want this changed but be ok with, unless I changed mine
> somewhere and forgot, a default root umask of 0022 ?
Because I haven't, yet, seen a box that came, by default, with a
different umask. Again, for me it's about the p
On Sat, 8 Mar 2003, Birzan George Cristian wrote:
> > It should be locked down and not touched by adduser ("Would You Like To
> > Make All Homedirs World-Readable?").
> root is not the regular user. Users need o+x on their home dirs for
> Apache to be able to serve pages.
No they don't.
You shoul
At 17:47 Uhr + 08.03.2003, Dale Amon wrote:
When you have multiple people, working over long
periods of time (years), with varying stress
conditions, there will at some point be mistakes
made. That's why defense in depth is so important.
The more layers of protection you can place the
more li
At 20:23 Uhr +0100 08.03.2003, Stefan Neufeind wrote:
On 8 Mar 2003 at 17:40, Christian Jaeger wrote:
At 13:02 Uhr +0200 08.03.2003, Birzan George Cristian wrote:
- You should also be aware that a 0700 directory does not protect you
if you are moving another directory from outside to inside, si
On Sat, Mar 08, 2003 at 07:19:44PM +0100, Christian Jaeger wrote:
> Call me paranoid:)
Yes, but if you're so paranoid, why not add another layer of protection,
by making /root/ 700?
> I meant, if /root is world-readable, then you can still make a
> subdirectory which is not (i.e. I have a /root
On Sat, Mar 08, 2003 at 06:09:08PM +0200, Birzan George Cristian wrote:
>
> The fact that it shouldn't be used for storing any dangerous information
> doesn't mean it's not being used for that. What I am asking, in case my
> original mail wasn't clear enough, is why _shouldn't_ it be 750 or 700
>
At 19:23 Uhr +0200 08.03.2003, Birzan George Cristian wrote:
On Sat, Mar 08, 2003 at 05:40:31PM +0100, Christian Jaeger wrote:
- You should also be aware that a 0700 directory does not protect you
if you are moving another directory from outside to inside, since
users who have already chdir'd
On Sat, Mar 08, 2003 at 07:12:13PM +0200, Birzan George Cristian wrote:
> I've talked with several other friends, and most of them (5 to 1),
> agreed that /root/ shouldn't be 755, but something more restrictive.
I'm in agreement as well. I use /root as a common
communication area among admin staff
On Sat, Mar 08, 2003 at 05:40:31PM +0100, Christian Jaeger wrote:
> - You should also be aware that a 0700 directory does not protect you
> if you are moving another directory from outside to inside, since
> users who have already chdir'd into it remain inside it.
Yes, but how often does that ha
On Sat, Mar 08, 2003 at 08:05:26AM -0800, Craig Dickson wrote:
> But in the course of doing things that you have to do as root, when do
> you need to create files in /root? Almost never. If you find that you
> are using /root frequently, then I would guess that you are doing things
> as root that n
At 17:47 Uhr + 08.03.2003, Dale Amon wrote:
When you have multiple people, working over long
periods of time (years), with varying stress
conditions, there will at some point be mistakes
made. That's why defense in depth is so important.
The more layers of protection you can place the
more like
At 13:02 Uhr +0200 08.03.2003, Birzan George Cristian wrote:
the moment, are 755. IMHO, this is a possible security problem
- Why is this a "possible security problem"? It looks like you are
not aware that you should always and anyways (regardless of whether
you're root at the moment or not)
Birzan George Cristian wrote:
> The fact that it shouldn't be used for storing any dangerous information
> doesn't mean it's not being used for that.
If it shouldn't be used so, but it is being used so on a particular
machine, then that machine's admin is at fault.
> What I am asking, in case my
At 19:23 Uhr +0200 08.03.2003, Birzan George Cristian wrote:
On Sat, Mar 08, 2003 at 05:40:31PM +0100, Christian Jaeger wrote:
- You should also be aware that a 0700 directory does not protect you
if you are moving another directory from outside to inside, since
users who have already chdir'd in
Birzan George Cristian wrote:
> First of all, I'd like to say that, yes, I know this was discussed
> before, but no consensus was reached and the thread died. (Or at least,
> the one I found by doing a quick Google search)
No consensus was reached because none was possible.
> Back to the issue a
Please configure your mail client to a) wrap at 80 columns and b) set
In-Reply-To:
On Sat, Mar 08, 2003 at 04:13:43PM +0100, I.R. van Dongen wrote:
>
> Personally, I don't believe /root should be used for any information that
> is 'dangerous' I personally use it sometimes for temp storage for .de
Sigh. I specifically said use the original CC: and reply to the list, not
reply to the list and CC:.
On Sat, Mar 08, 2003 at 07:37:53AM -0500, bda wrote:
> On Sat, Mar 08, 2003 at 01:02:13PM +0200, Birzan George Cristian wrote:
> > Back to the issue at hand, the default permissions on /root/, whic
Personally, I don't believe /root should be used for any information that is
'dangerous' I personally use it sometimes for temp storage for .debs and such,
before I move them to /usr/src.
Therefore I don't really care what the default permissions are for /root.
the files that need to be there (
At 13:02 Uhr +0200 08.03.2003, Birzan George Cristian wrote:
the moment, are 755. IMHO, this is a possible security problem
- Why is this a "possible security problem"? It looks like you are
not aware that you should always and anyways (regardless of whether
you're root at the moment or not) take
On Sat, Mar 08, 2003 at 01:44:24PM +, Dale Amon wrote:
> On Sat, Mar 08, 2003 at 07:37:53AM -0500, bda wrote:
> > It should be locked down and not touched by adduser ("Would You Like To
> > Make All Homedirs World-Readable?").
>
> Actually I'd rather not, but there are (or at least
> were, I'v
On Sat, Mar 08, 2003 at 07:37:53AM -0500, bda wrote:
> It should be locked down and not touched by adduser ("Would You Like To
> Make All Homedirs World-Readable?").
Actually I'd rather not, but there are (or at least
were, I've not checked in a long while) problems
with apache access to /home/use
Personally, I don't believe /root should be used for any information that is
'dangerous' I personally use it sometimes for temp storage for .debs and such, before
I move them to /usr/src.
Therefore I don't really care what the default permissions are for /root.
the files that need to be there (
On Sat, Mar 08, 2003 at 01:02:13PM +0200, Birzan George Cristian wrote:
> Back to the issue at hand, the default permissions on /root/, which, at
> the moment, are 755. IMHO, this is a possible security problem and it
> should be set to, at least, 750 (thus allowing users in the wheel group
There
64 matches