F.Ultra, Apprentice
Joined: 17 Mar 2004, Posts: 169, Location: Sweden
Posted: Wed Feb 16, 2005 8:19 pm
I am actually running my /home/* as 700 to completely prohibit the users from even listing the other users' home directories, and have yet to see any problems other than that the users of course cannot share files easily.

angoraspruce, Apprentice
Joined: 08 Jan 2005, Posts: 193, Location: Minnesota, USA
Posted: Thu Feb 17, 2005 12:00 am
> southsider wrote: So, any problems with 751'ing /home?

To help you get your thread back on topic, "Go for it." What's the worst that can happen? If you find it a bit restrictive, you change it to something else.
On my system '/home' is 755, but my particular home directory, '/home/me', is 711. No problems.
Best regards :)

j-m, Retired Dev
Joined: 31 Oct 2004, Posts: 975
Posted: Thu Feb 17, 2005 12:01 am
> F.Ultra wrote: I am actually running my /home/* as 700 to completely prohibit the users from even listing the other users' home directories, and have yet to see any problems other than that the users of course cannot share files easily.

Hmm, 0700 actually does not work for FTP because you need at least execute for the FTP daemon to work...

spb, Retired Dev
Joined: 02 Jan 2004, Posts: 2135, Location: Cambridge, UK
Posted: Thu Feb 17, 2005 2:15 am
> F.Ultra wrote: I am actually running my /home/* as 700 to completely prohibit the users from even listing the other users' home directories, and have yet to see any problems other than that the users of course cannot share files easily.

Well, how about this then....

```
stephen:staff_r@maya ~ $ ls -ld /home
drwxr-xr-x 11 root root 4096 Feb 10 16:31 /home
stephen:staff_r@maya ~ $ ls -l /home
ls: /home/share: Permission denied
ls: /home/ftp: Permission denied
ls: /home/ciaranm: Permission denied
ls: /home/andrew: Permission denied
ls: /home/mwr: Permission denied
total 28
drwx------ 2 root root 16384 Oct 23 19:59 lost+found
drwxr-xr-x 96 stephen users 4096 Feb 17 02:18 stephen
```

nevynxxx, Veteran
Joined: 12 Nov 2003, Posts: 1123, Location: Manchester - UK
Posted: Thu Feb 17, 2005 8:53 am
> adaptr wrote: To you - which seems obvious to me
> Your position on obscurity vs. encryption, and encryption being a form of obscurity.
> Perhaps the analogy falls a little short, but in general I do not think of encryption, decent encryption where you can tell a malicious 3rd party exactly which cipher you used, and he will still not be able to crack one message in exponential time, as anything like obscuring sensitive data.
> Except in the very, very literal sense, of course...
> Heh.
> I'll rectify that: the analogy sux0rs ;-)

Ohhhh no, no, no, no, no.....
My position is, encryption first, then obscurity *if it will help*.
I.e. use ssh, use public key authentication only, then implement port knocking.
Or in this case, the shadow password file already uses quite strong encryption, so there doesn't seem to be much need to stop people seeing the passwd file.
lol... but I was talking in the very very literal sense, I was only bashing the phrase, not trying to say encryption is unnecessary with obscurity.
_________________
My Public Key
Wanted: Instructor in the art of Bowyery

F.Ultra, Apprentice
Joined: 17 Mar 2004, Posts: 169, Location: Sweden
Posted: Thu Feb 17, 2005 2:52 pm
spb: *lol* look at that :D

southsider, Guru
Joined: 05 Jul 2004, Posts: 358
Posted: Fri Feb 18, 2005 12:48 am
One problem with 751 on /home:
In programs that require you to navigate to your home directory through / you can't expand /home, so you can't get into /home/alex or whatever.
Is there no way to allow listings on a directory, but only list files you should have read access to? Sounds a bit hacky, but I'm sure you know what I mean (and equally sure you can't, but worth a shot anyway).

spb, Retired Dev
Joined: 02 Jan 2004, Posts: 2135, Location: Cambridge, UK
Posted: Fri Feb 18, 2005 1:49 am
> southsider wrote: Is there no way to allow listings on a directory, but only list files you should have read access to? Sounds a bit hacky, but I'm sure you know what I mean (and equally sure you can't, but worth a shot anyway).

Yes, and it involves SELinux -- see my post above. Other than that, and possibly other MAC systems, no.

adaptr, Watchman
Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands
Posted: Fri Feb 18, 2005 11:46 am
> southsider wrote: Is there no way to allow listings on a directory, but only list files you should have read access to?

Not with traditional UNIX filesystems, no.
The point is that the browse permissions for a directory's contents are set on the directory itself - not on the individual files in it.
So you cannot separate them out.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

southsider, Guru
Joined: 05 Jul 2004, Posts: 358
Posted: Fri Feb 18, 2005 1:26 pm
spb:
You can still see the directories you're denied access to in your example.
I was hoping for a solution which lets you list /home and shows you the directories you're allowed access to, but doesn't distinguish between "permission denied" and "no such file or directory". So say I have two users, bob and fred.

as root:
```
# ls /home
bob
fred
# cd /home/asdf
-bash: cd: /home/asdf: No such file or directory
```

as bob:
```
$ ls /home
bob
$ cd /home/asdf
-bash: cd: /home/asdf: Permission denied
$ cd /home/fred
-bash: cd: /home/fred: Permission denied
```

and vice versa for fred with bob.

adaptr, Watchman
Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands
Posted: Fri Feb 18, 2005 1:31 pm
SELinux or any other MAC solution - as discussed earlier.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

spb, Retired Dev
Joined: 02 Jan 2004, Posts: 2135, Location: Cambridge, UK
Posted: Fri Feb 18, 2005 1:58 pm
> southsider wrote:
> as bob
> $ ls /home
> bob
> $ cd /home/asdf
> -bash: cd: /home/asdf: Permission denied
> $ cd /home/fred
> -bash: cd: /home/fred: Permission denied

Doable, but not with any system out of the box AFAIK. It'd involve patching the kernel's directory access and stat functions, as well as finding some way to label the directories in question to turn on this behaviour.

nevynxxx, Veteran
Joined: 12 Nov 2003, Posts: 1123, Location: Manchester - UK
Posted: Fri Feb 18, 2005 2:41 pm
> southsider wrote:
> $ ls /home
> bob
> $ cd /home/asdf
> -bash: cd: /home/asdf: Permission denied
> $ cd /home/fred
> -bash: cd: /home/fred: Permission denied
> and vice versa for fred with bob.

Shouldn't that be "No such file or directory"?
Permission denied implies that this thing exists but you're not allowed to use it.
_________________
My Public Key
Wanted: Instructor in the art of Bowyery

southsider, Guru
Joined: 05 Jul 2004, Posts: 358
Posted: Sat Feb 19, 2005 8:18 pm
That's exactly what I want. I don't want users to be able to probe for directories they're not supposed to see.
Thus there should be no difference between a non-existing directory and an existing directory where access is disallowed.

spb, Retired Dev
Joined: 02 Jan 2004, Posts: 2135, Location: Cambridge, UK
Posted: Sat Feb 19, 2005 8:37 pm
> southsider wrote: That's exactly what I want. I don't want users to be able to probe for directories they're not supposed to see.
> Thus there should be no difference between a non-existing directory and an existing directory where access is disallowed.

Patch the stat functions to return ENOENT instead of EACCES when a directory isn't readable. Then patch the routines responsible for listing directory contents.
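A small model of the POSIX lookup rules this exchange turns on, added here as an example (it is not code from any poster; the file tree, uids and modes are constructed). It shows why listing needs `r` on the directory itself regardless of the entries' own modes, and why a 711 `/home` still lets a caller tell ENOENT from EACCES when probing names, which is the distinction spb and nevynxxx discuss.

```python
import errno
import os

# Constructed toy filesystem, not a real one: path -> (owner uid, owner gid, mode, children).
# Modes follow the thread: /home is 0711 (traversable, not listable); homes are 0700.
FS = {
    "/": (0, 0, 0o755, ["home"]),
    "/home": (0, 0, 0o711, ["bob", "fred"]),
    "/home/bob": (1000, 1000, 0o700, []),
    "/home/fred": (1001, 1001, 0o700, []),
}
ROOT, BOB = (0, 0), (1000, 1000)  # (uid, gid) pairs for the two callers
R_BIT, X_BIT = 4, 1


def allowed(who, entry, bit):
    """POSIX DAC: exactly one class applies (owner, then group, then other); uid 0 bypasses."""
    uid, gid = who
    owner, group, mode, _ = entry
    if uid == 0:
        return True
    shift = 6 if uid == owner else 3 if gid == group else 0
    return bool((mode >> shift) & bit)


def resolve(who, path):
    """Kernel-style lookup: every parent needs x; an unknown name yields ENOENT."""
    cur = "/"
    for name in [p for p in path.split("/") if p]:
        if not allowed(who, FS[cur], X_BIT):
            raise PermissionError(errno.EACCES, os.strerror(errno.EACCES), cur)
        nxt = os.path.join(cur, name)
        if nxt not in FS:
            raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), nxt)
        cur = nxt
    return cur


def listdir(who, path):
    """ls: needs r on the directory itself; the entries' own modes never matter."""
    d = resolve(who, path)
    if not allowed(who, FS[d], R_BIT):
        raise PermissionError(errno.EACCES, os.strerror(errno.EACCES), d)
    return list(FS[d][3])


def probe(who, path):
    """What `cd` reveals: the errno alone separates 'absent' from 'present but denied'."""
    try:
        d = resolve(who, path)
        return "ok" if allowed(who, FS[d], X_BIT) else "EACCES"
    except OSError as e:
        return errno.errorcode[e.errno]
```

Changing the `/home` entry to `0o755` makes `listdir(BOB, "/home")` return both names, which is the listing leak spb's `ls -l /home` output demonstrates; with `0o711` the listing is refused but `probe` still distinguishes `/home/asdf` from `/home/fred`.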

zeek, Guru
Joined: 16 Nov 2002, Posts: 480, Location: Bantayan Island
Posted: Sun Feb 20, 2005 12:06 am
> southsider wrote: That's exactly what I want. I don't want users to be able to probe for directories they're not supposed to see.
> Thus there should be no difference between a non-existing directory and an existing directory where access is disallowed.

My advice, don't use a *nix based system. Neither SysV nor *BSD style provides the kind of obsecurity that you desire.

southsider, Guru
Joined: 05 Jul 2004, Posts: 358
Posted: Sun Feb 20, 2005 1:22 am
It's not "obsecurity", it's Data Protection.
Why the hell should any of my users be able to find out the usernames of other users on a local system?
Can you ring up your bank and ask for the names of other people who bank with them?

teknomage1, Veteran
Joined: 05 Aug 2003, Posts: 1239, Location: Los Angeles, CA
Posted: Sun Feb 20, 2005 3:40 am
Actually, not only can you find out other patrons' names but you can ask yes or no questions regarding their balance.

angoraspruce, Apprentice
Joined: 08 Jan 2005, Posts: 193, Location: Minnesota, USA
Posted: Sun Feb 20, 2005 5:01 am
> teknomage1 wrote: Actually, not only can you find out other patrons' names but you can ask yes or no questions regarding their balance.

Hm.... I wonder if any of these patrons are a certain Nazi by the name of Hitler?</godwin> ;)

teknomage1, Veteran
Joined: 05 Aug 2003, Posts: 1239, Location: Los Angeles, CA
Posted: Sun Feb 20, 2005 5:04 am
Quirk's Exception:
Intentional invocation of Godwin's Law is ineffectual.

j-m, Retired Dev
Joined: 31 Oct 2004, Posts: 975
Posted: Sun Feb 20, 2005 5:56 am
You are trying to do foolish stuff that will break basic system functionality. Don't give your users SSH access if you cannot live with the fact that they can discover the highly secret reality - that they are not alone on your system. :roll:

southsider, Guru
Joined: 05 Jul 2004, Posts: 358
Posted: Sun Feb 20, 2005 4:57 pm
I'm not giving users ssh access.

southsider, Guru
Joined: 05 Jul 2004, Posts: 358
Posted: Sun Feb 20, 2005 4:58 pm
> teknomage1 wrote: Actually, not only can you find out other patrons' names but you can ask yes or no questions regarding their balance.

Are you serious? Which bank is that?

j-m, Retired Dev
Joined: 31 Oct 2004, Posts: 975
Posted: Sun Feb 20, 2005 8:53 pm
> southsider wrote: I'm not giving users ssh access.

OK, so what is your problem?! :roll:

teknomage1, Veteran
Joined: 05 Aug 2003, Posts: 1239, Location: Los Angeles, CA
Posted: Sun Feb 20, 2005 9:03 pm
In reference to the bank balance thing, you just have to identify yourself to the bank as a creditor, meaning someone owes you money. For the list of patrons it's a bit more complicated, but having an account at a bank in the US is considered public information, whereas the exact balance is private unless you owe someone money. Anyway, despite my reply about Quirk's exception, I do support angoraspruce's motion to end the thread.