On Wed, Oct 17, 2012 at 10:05 AM, Jordon Bedwell <jor...@envygeeks.com> wrote: > > The problem with this is how are you going to fix permissions on bad > software like Ruby Gems who do not reset permissions when packaging > and uploading to the public repository (because they claim this would > "violate security" even though it comes from a public repo like the > Debian repo and having public read and execute on a public gem from a > public place is "bad".) This has a huge impact as a default permission > for not just examples like Ruby gems but other software do not reset > when packaging, making it more cumbersome to package software and > making it so now work around's are the rule and not the exception.
Explain the problem more. The directory the user is in would be owned by $USER:users instead of $USER:$USER. The only difference, then, is instead of your stuff being owned by jordon:jordon it's owned by jordon:users. What you're saying here is... I don't know what you're saying. Permissions are currently $USER:users by default with umask=022 and $HOME permissions of 755 which means every file is created as: drwxr-xr-x jordan:jordan /home/jordan drwxr-xr-x jordan:jordan /home/jordan/somedir -rwxr--r-- jordan:jordan /home/jordan/somefile What I'm suggesting is either umask=022 with a shared 'users' group and a default $HOME permission of 700, so drwx------ jordan:users /home/jordan drwxr-xr-x jordan:users /home/jordan/somedir -rwxr--r-- jordan:users /home/jordan/somefile In which case if you give the 'users' group or (via extended ACL) any other group or person read/execute on /home/jordan they can read everything: they're in 'users' and thus have access to your files, just before they couldn't actually reach the inode. If you give 'others' read/execute on /home/jordan then everyone on the system can see inside your $HOME, as is the case now. ...OR--more risky--a default umask=027 with a shared 'users' group and a default $HOME permission of 700, so drwx------ jordan:users /home/jordan drwxr-x--- jordan:users /home/jordan/somedir drwxr----- jordan:users /home/jordan/somefile and security is increased, nominally, but honestly not much. The security boost here is files created in shared directories or hardlinks created won't let anyone and everyone read those files; the truth of the matter is that shouldn't happen, and stuff done in /tmp is usually ... temporary, and aware of the security implications. More restrictive you could umask=077, but same deal, and then if you want to give anyone access to your files you have to change permissions the whole way down (which opens up the user to mistakes like chmod -R on $HOME and exposing their SSH keys). How does putting everyone in the same group and changing $HOME to 0700 do what you said? -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
