Beginners question - BSD

This is a discussion on Beginners question - BSD ; I just started trying out OBSD. Just a quick question, why are home directories for users set with the permission of 755? Allowing any user to look around others home directories. Anyone with an answer would greatly be appreciated. -Mike...

+ Reply to Thread
Results 1 to 14 of 14

Thread: Beginners question

  1. Beginners question

    I just started trying out OBSD.

    Just a quick question, why are home directories
    for users set with the permission of 755? Allowing
    any user to look around others home directories.

    Anyone with an answer would greatly be appreciated.

    -Mike

  2. Re: Beginners question

    On 17/10/2005 9:29 AM, Mike wrote:
    > Just a quick question, why are home directories
    > for users set with the permission of 755? Allowing
    > any user to look around others home directories.
    >
    > Anyone with an answer would greatly be appreciated.
    >


    I've always assumed this is a fairly common default that can easily be
    tweaked by the admin.

    Since home directories do not contain precious system data, and truly
    private data (Mail, .ssh, .gnupg) is hidden behind a correctly set
    directory by the applications in question. That is, correctly written
    apps will refuse to write data into a directory that is unprotected to
    the level they expect.

    FWIW, the global, NFS-mounted $HOME directories here at the office are
    open to everyone. Truly private or group-specific data (in $HOME and
    elsewhere) is hidden behind directories with the appropriate perms.

    That is, it is my long experience that things in home directories are
    not necessarily expected to be completely private, though it is trivial
    to make it so.

    I think of my $HOME dir as a front foyer to a house I own. I sometimes
    invite strangers in, but they need keys to get into any of the other
    rooms. If you need tighter controls, simply change the perms and tweak
    useradd settings.

  3. Re: Beginners question

    On Mon, 17 Oct 2005 13:34:30 -0400, clvrmnky
    wrote:

    >I think of my $HOME dir as a front foyer to a house I own.


    I think of it as my front door (which has a door and lock on it).


    -Mike


  4. Re: Beginners question

    On 17/10/2005 4:56 PM, Mike wrote:
    > On Mon, 17 Oct 2005 13:34:30 -0400, clvrmnky
    > wrote:
    >
    >>I think of my $HOME dir as a front foyer to a house I own.

    >
    > I think of it as my front door (which has a door and lock on it).
    >

    The analogy breaks down quickly, but a multi-user system is more like an
    apartment building or perhaps a shared house of some sort.

    Anyway, these defaults are pretty standard *every* place I've worked in
    the biz. The gestures to lock down home directories are simple.

    In most cases it adds no real security to do so, which is my only point.

  5. Re: Beginners question

    Begin
    On 2005-10-17, clvrmnky wrote:
    > Anyway, these defaults are pretty standard *every* place I've worked in
    > the biz. The gestures to lock down home directories are simple.
    >
    > In most cases it adds no real security to do so, which is my only point.


    True, altough it may add a sense of privacy. I really prefer a real
    office with a door over a lonely-together cubicle in a cubicle farm.
    (And as a sysadmin which *naturally* seems to mean lots of extra
    hardware in the office, I do expect a lock on the door, with tightly
    controlled access to the keys, but hey. Perks of the job.)


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    Still annoyed at the go+r script that ran on all homedirs
    every hour or so on the student shellbox.

  6. Re: Beginners question

    On Mon, 17 Oct 2005 17:48:00 -0400, clvrmnky
    wrote:

    >On 17/10/2005 4:56 PM, Mike wrote:
    >> On Mon, 17 Oct 2005 13:34:30 -0400, clvrmnky
    >> wrote:
    >>
    >>>I think of my $HOME dir as a front foyer to a house I own.

    >>
    >> I think of it as my front door (which has a door and lock on it).
    >>

    >The analogy breaks down quickly, but a multi-user system is more like an
    >apartment building or perhaps a shared house of some sort.
    >
    >Anyway, these defaults are pretty standard *every* place I've worked in
    >the biz. The gestures to lock down home directories are simple.
    >
    >In most cases it adds no real security to do so, which is my only point.



    I agree with your take on things, I understand.

    I sort of get the feeling that BSDs aren't really a user oriented
    operating system. More of an afterthought.

  7. Re: Beginners question

    Begin <4698l1dlbkavc0aa0gj1pvgajfp98cobgc@4ax.com>
    On 2005-10-17, Mike wrote:
    >
    > I agree with your take on things, I understand.
    >
    > I sort of get the feeling that BSDs aren't really a user oriented
    > operating system. More of an afterthought.


    Well, you're posting in cub.openbsd.m, and I would say that obsd is
    a good platform for hacking the os but maybe not so very great at
    handholding new users.

    Other than that, I disagree. I mean, if you think that ``user friendly''
    equals ``less learny, more clicky'', then unix' userfriendlyness is
    indeed an afterthought, if only because way back when there simply were
    was no X, which is understandable since it is a bit hard to run X on
    hardcopy terminals. I happen to think unix is exactly the opposite: it
    is a really great platform to get work done provided you learn how to
    use the tools.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    Unix is very user friendly, it's just picky about who its friends are
    -- anon

  8. Re: Beginners question

    On 18 Oct 2005 01:06:58 GMT, jpd
    wrote:

    >> I agree with your take on things, I understand.
    >>
    >> I sort of get the feeling that BSDs aren't really a user oriented
    >> operating system. More of an afterthought.

    >
    >Well, you're posting in cub.openbsd.m, and I would say that obsd is
    >a good platform for hacking the os but maybe not so very great at
    >handholding new users.
    >
    >Other than that, I disagree. I mean, if you think that ``user friendly''
    >equals ``less learny, more clicky'', then unix' userfriendlyness is
    >indeed an afterthought, if only because way back when there simply were
    >was no X, which is understandable since it is a bit hard to run X on
    >hardcopy terminals. I happen to think unix is exactly the opposite: it
    >is a really great platform to get work done provided you learn how to
    >use the tools.



    Now, I made sure NOT TO USE the word "user friendly" and I tried not
    to infer OBSD as not being "user friendly". I think there is a
    difference between being built with the user in mind performance wise
    and being built with network performance in mind. Neither of which
    involves things being "user friendly".

  9. Re: Beginners question

    On 17/10/2005 6:28 PM, Mike wrote:
    > On Mon, 17 Oct 2005 17:48:00 -0400, clvrmnky
    > wrote:
    >
    >
    >>On 17/10/2005 4:56 PM, Mike wrote:
    >>
    >>>On Mon, 17 Oct 2005 13:34:30 -0400, clvrmnky
    >>> wrote:
    >>>
    >>>
    >>>>I think of my $HOME dir as a front foyer to a house I own.
    >>>
    >>>I think of it as my front door (which has a door and lock on it).
    >>>

    >>
    >>The analogy breaks down quickly, but a multi-user system is more like an
    >>apartment building or perhaps a shared house of some sort.
    >>
    >>Anyway, these defaults are pretty standard *every* place I've worked in
    >>the biz. The gestures to lock down home directories are simple.
    >>
    >>In most cases it adds no real security to do so, which is my only point.

    >
    >
    > I agree with your take on things, I understand.
    >
    > I sort of get the feeling that BSDs aren't really a user oriented
    > operating system. More of an afterthought.


    Interesting approach. If you ask me, Unix is the ultimately
    user-oriented operating system. The whole point was to offer computer
    services to a large, disparate group of people in a relatively safe and
    controlled manner. This is exactly what it does, and something that
    other platforms took decades to achieve.

    On a real multi-user system with a bunch of home directories, it makes
    no sense to lock those down. Adding locks does not always add security.
    Sometimes all it does it increase the amount of keys that are out there.

  10. Re: Beginners question

    On 17/10/2005 6:01 PM, jpd wrote:
    > Begin
    > On 2005-10-17, clvrmnky wrote:
    >
    >>Anyway, these defaults are pretty standard *every* place I've worked in
    >>the biz. The gestures to lock down home directories are simple.
    >>
    >>In most cases it adds no real security to do so, which is my only point.

    >
    > True, altough it may add a sense of privacy. I really prefer a real
    > office with a door over a lonely-together cubicle in a cubicle farm.
    > (And as a sysadmin which *naturally* seems to mean lots of extra
    > hardware in the office, I do expect a lock on the door, with tightly
    > controlled access to the keys, but hey. Perks of the job.)
    >


    An office? Who has one of those? Anyway, office locks merely keep the
    honest people out. In most such systems, if you have access to one
    lock, you have access to them all.

    http://www.crypto.com/masterkey.html

    Sounds like a local privilege escalation to me! Feel safer? I'd
    consider putting that extra hardware behind a decent keypass entry, if
    you really need to protect it.

    I agree about the privacy issue, and it is trivial to add such sugar to
    a system. However, the OP wanted an explanation why home dirs were
    world-visitable. The answer is that, for most deployments, it simply
    adds no real security.

    Of course, for those rooms/offices/directories where it is important to
    protect the contents, you add more security. Nobody is supposed to keep
    truly sensitive data in their cubicle. Likewise, nobody should be
    running a sensitive service or process or putting pr0n in the root of
    their home dirs. That's what ~/pr0n is for.

    This all being said, if Theo & Co. decided today that all home dirs will
    from now on be created 0700, I'd just shrug and accept it (and probably
    switch it back.)

  11. Re: Beginners question

    Begin
    On 2005-10-18, clvrmnky wrote:
    > An office? Who has one of those? Anyway, office locks merely keep the
    > honest people out. In most such systems, if you have access to one
    > lock, you have access to them all.


    After one and a half years of incessant annoying the crap out of
    everybody else on the floor *and* treatening to quit Right ****ing Now
    if I'd not get a coworker for the windows crap, so when he arrived there
    was reason to put us both in a small aquarium type office, yes, I did
    have one. Six months later I quit anyway, but for entirely different
    reasons. The office, quite honestly, was pretty nice.

    The key was introduced after laptops got stolen right from the shelf
    behind my desk. I hear they now want to introduce cctv as well, because
    stuff still goes missing. Not that it will help much. The people are too
    lax with even just closing doors, even when they practically witnessed a
    laptop getting stolen in bright daylight.

    The key, incidentally, was outside the normal key system and as such
    half a measure better, even with the third door (#1 office, #2 computer
    room, #3 giving access to the backside of the racks, don't ask) not
    being lockable at all, because immediately behind it was the floor's
    console for the alarm system. Given that the protection was more
    against random people walking in, which somehow happened, this would be
    sufficient if not ideal. Iff one keeps ones door locked, which *I* did.


    > http://www.crypto.com/masterkey.html
    >
    > Sounds like a local privilege escalation to me! Feel safer? I'd
    > consider putting that extra hardware behind a decent keypass entry, if
    > you really need to protect it.


    I'd read that. The building keys were electronic, so that wouldn't work.
    There are other issues with that, but that particular problem was not
    ours on that installation.


    > I agree about the privacy issue, and it is trivial to add such sugar to
    > a system. However, the OP wanted an explanation why home dirs were
    > world-visitable. The answer is that, for most deployments, it simply
    > adds no real security.


    No disagreement there. Then again, there's no real security in the
    loo either, but there are privacy measures. :-)


    [snip!]
    > This all being said, if Theo & Co. decided today that all home dirs will
    > from now on be created 0700, I'd just shrug and accept it (and probably
    > switch it back.)


    :-)


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .

  12. Re: Beginners question

    On 18/10/2005 2:33 PM, jpd wrote:
    > Begin
    > On 2005-10-18, clvrmnky wrote:
    >
    >>An office? Who has one of those? Anyway, office locks merely keep the
    >>honest people out. In most such systems, if you have access to one
    >>lock, you have access to them all.

    >
    >
    > After one and a half years of incessant annoying the crap out of
    > everybody else on the floor *and* treatening to quit Right ****ing Now
    > if I'd not get a coworker for the windows crap, so when he arrived there
    > was reason to put us both in a small aquarium type office, yes, I did
    > have one. Six months later I quit anyway, but for entirely different
    > reasons. The office, quite honestly, was pretty nice.
    >
    > The key was introduced after laptops got stolen right from the shelf
    > behind my desk. I hear they now want to introduce cctv as well, because
    > stuff still goes missing. Not that it will help much. The people are too
    > lax with even just closing doors, even when they practically witnessed a
    > laptop getting stolen in bright daylight.
    >

    Cripes. If nobody really cares, video ain't going to help. Heck, we
    had someone steal some brand-new furniture out of a lounge here, and
    they took a wastebasket and the clock off the wall for good measure.
    The couch was taken over the course of two evenings. First the legs,
    then the rest.

    I guess video *might* help in this case, but who wants to be on video
    all the time? I'd rather we get hit with the occasional theft, and lock
    the real valuable stuff up tight.

    [snip]

    >>I agree about the privacy issue, and it is trivial to add such sugar to
    >>a system. However, the OP wanted an explanation why home dirs were
    >>world-visitable. The answer is that, for most deployments, it simply
    >>adds no real security.

    >
    >
    > No disagreement there. Then again, there's no real security in the
    > loo either, but there are privacy measures. :-)
    >

    I think this, more than anything, is the best analogy we seen so far in
    this thread!

    TTYL.

  13. Re: Beginners question

    Mike wrote:
    > I just started trying out OBSD.
    >
    > Just a quick question, why are home directories
    > for users set with the permission of 755? Allowing
    > any user to look around others home directories.
    >
    > Anyone with an answer would greatly be appreciated.
    >
    > -Mike




    IMHO, everybody should post their Q&A here serve as help archieve.
    But this isn't the case, instead is a death OBSD newsgroup.

  14. Re: Beginners question

    On 18/10/2005 6:16 PM, Meximal wrote:
    > Mike wrote:
    >> I just started trying out OBSD.
    >>
    >> Just a quick question, why are home directories
    >> for users set with the permission of 755? Allowing
    >> any user to look around others home directories.
    >>
    >> Anyone with an answer would greatly be appreciated.
    >>

    >
    > IMHO, everybody should post their Q&A here serve as help archieve.
    > But this isn't the case, instead is a death OBSD newsgroup.


    Is that like death metal?

+ Reply to Thread