Now with Comments

Want to say something?
Read more...
Back
Home Directory Permissions PDF Print E-mail
User Rating: / 4
PoorBest 
Written by Anthony Hildoer   
Sunday, 02 December 2007 12:09

I have seen many debates over the best home directory permissions and owner ship to have and the best way to set those permissions. After getting an annoying error about the permissions on the .dmrc file in my home directory, I thought it was time to put the debate to rest.

 


Enough background...let's get to it...I have found that the best security model is one which starts most restrictive, and then specific restrictions are lifted as access is needed. At first, the model allows no access to anything by anyone. Then, the model may allow rw access to file X by user Y. Then, the model may also allow read only access to directory F by group E. Applying this concept to the home directory problem, we get the following initial state. For a user that is not root, the home directory and all subdirectories have the ownership of root:root and have permissions of 000. The nest state would be to change the ownership from root:root to jdoe:jdoe, assuming jdoe is the user name of the account that should be using the directory as a home directory. Then, the permissions of the home directory are increased from 000 to 750. Now jdoe can access everything his home directory, but nothing else inside it.

 

Incrementally continuing with this method through all files/directories in all subdirectories, applying the appropriate permissions and ownership, yields a secure home directory. Here are my rules for initial home directory permissions and ownerships.

  • The home directory and all subdirectories and all files contained therein should have ownership jdoe:jdoe, where jdoe is the username.
  • Permissions on all directories should be 750. This allows jdoe, and only jdoe the ability to view the contents of or enter all directories.
  • Permissions on all non-executable files should be 640. This allows jdoe and only jdoe the ability to read and modify all regular files.
  • Permissions on all executable files should be 750. This allows jdoe and only jdoe the ability to read, execute and modify all regular files.
  • Permissions on .dmrc files should be 644, this is per Gnome requirements. If you do not run gnome, don't worry about this.
  • Umasks should be 027 for all directories and subdirectories. This ensures new files have the correct permissions upon creation.

If access needs to be given to other users or groups, it should be done on only the directories they need and none other. For example, let's say a user jdoe wants to allow one or more other users read and execute access to jdoe's home directory and subdirectories. Then, those other users need only be added to the jdoe group.

If write permissions need to be added for some users on some directories, a new group should be created. For jdoe, that group could be called jdoeRWX. Then, the ownership of the appropriate directory should be set to jdoe:jdoeRWX. Finally, the other users should be added to the jdoeRWX group.

This solution is not without its shortcomings, however. Initially setting up home directory permissions is tedious and requires a handful of chmod and chown commands in order to be done correctly. Also, if one frequently creates VMs or re-installs OSes, such as I do, then setting permissions is also a task that must be done often. Enter the script.

I have written the following script to initially setup a home directory with minimal access rights, such that only the appropriate user can access files in their home directory. Even better, I have have made the script available to the public. Download the latest version here: setHomePermissions.pl.
Last Updated on Friday, 31 July 2009 21:52
 

Add your comment

Your name:
Your email:
Subject:
Comment:
  The word for verification. Lowercase letters only with no spaces.
Word verification:
Copyright © 2010 Hildoer Systems. All rights reserved.
Content View Hits : 131503