On 12-10-17 09:59 AM, John Moser wrote: > I suggest all users should go into group 'users' as the default group, > with $HOME default to 700 and in the group 'users'. A umask of 027 or > the traditional 022 is still viable: the files in $HOME are not > visible because you cannot list the contents of $HOME (not readable) > or change into it to access the files within (not executable). A user > can grant permissions to other users to access his files simply by > making the directory readable by them--by 'users' or others (thus > everyone) or by fine-grained POSIX ACLs selecting for individual users > and groups. >
We want users to be able to share files with other users. Having $HOME be 700 defeats that purpose. See: https://wiki.ubuntu.com/SecurityTeam/Policies#Permissive_Home_Directory_Access Also, one of the reasons for using User Private Groups, is to be able to create directories that are used by multiple users, by setting the setgid on the directory. With a default umask of 022, users need to manually set group permissions each time they create a file. Marc. -- Marc Deslauriers Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/ -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
