Insecure default permissions on home directories #926
Comments
install -m 0644 %{SOURCE3} %{buildroot}/usr/share/defaults/skel/.bashrc
install -m 0644 %{SOURCE3} %{buildroot}/usr/share/defaults/skel/.profile
As for the permission of home directory, one way to specify it is to use
useradd -m -K UMASK=027 test
And you will have
Another way is to create
But anyway, I think it's nice to patch the |
It's normal and expected to have the files as 644, but the home directory should definitely not be read/exec to all by default. |
Debatable topic, but I'm inclined to have a more restrictive policy by default. We would do this through a more restrictive builtin |
Clear Linux is changing the mode of creating new user
This change will be public in 1 or 2 days. |
Here's the effects of having directories be
pdxjohnny@clearlinux $ sudo useradd -m feedface
pdxjohnny@clearlinux $ stat !$
stat /home/feedface/
File: /home/feedface/
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 91h/145d Inode: 19681147 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 1001/feedface) Gid: ( 1001/feedface)
Access: 2019-06-20 20:22:02.092407456 +0000
Modify: 2019-06-20 20:21:56.260407577 +0000
Change: 2019-06-20 20:21:56.260407577 +0000
Birth: -
pdxjohnny@clearlinux $ sudo -u feedface sh -c 'echo hello world > ~/hi'
pdxjohnny@clearlinux $ ls -lAF /home/feedface/
total 12
-rw-r--r-- 1 feedface feedface 194 Jan 13 2017 .bashrc
-rw-r--r-- 1 feedface feedface 12 Jun 20 20:22 hi
-rw-r--r-- 1 feedface feedface 154 Jan 13 2017 .profile
pdxjohnny@clearlinux $ cat /home/feedface/hi
hello world
pdxjohnny@clearlinux $ sudo -u feedface chmod o-r /home/feedface
pdxjohnny@clearlinux $ ls -lAF /home/feedface
ls: cannot open directory '/home/feedface': Permission denied
pdxjohnny@clearlinux $ cat /home/feedface/hi
hello world
pdxjohnny@clearlinux $ sudo -u feedface chmod o-x /home/feedface
pdxjohnny@clearlinux $ cat /home/feedface/hi
cat: /home/feedface/hi: Permission denied
|
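The session above shows three states for a home directory: at 0755 others can list it and read its files, after `chmod o-r` listing fails but a known path still opens, and after `chmod o-x` nothing is reachable. As an added example (not from the thread or the Clear Linux packages), this POSIX shell audit reports directories under a base path by which of those states they are in; the function names are hypothetical and it assumes GNU `stat -c '%a'`.

```shell
#!/bin/sh
# Added example: report home directories that grant anything to "other".
# Assumes GNU coreutils stat (-c '%a'); function names are hypothetical.

# classify_other_bits MODE: what the last octal digit allows on a directory.
classify_other_bits() {
    case "${1#"${1%?}"}" in       # keep only the final digit of MODE
        5|7) echo "list+traverse" ;;    # 0755: ls works, files reachable
        1|3) echo "traverse-only" ;;    # after chmod o-r: ls fails, known paths still open
        4|6) echo "list-names-only" ;;  # names visible, contents unreachable
        *)   echo "private" ;;          # after chmod o-x: nothing reachable
    esac
}

# audit_homes BASE: print "MODE STATUS PATH" for each exposed directory
# directly under BASE; return 1 if any were found, 0 otherwise.
audit_homes() {
    base=$1
    found=0
    for entry in "$base"/*; do
        # Skip non-directories and symlinks.
        [ -d "$entry" ] && [ ! -L "$entry" ] || continue
        mode=$(stat -c '%a' "$entry")
        status=$(classify_other_bits "$mode")
        if [ "$status" != "private" ]; then
            printf '%s %s %s\n' "$mode" "$status" "$entry"
            found=1
        fi
    done
    return "$found"
}

# Usage: audit_homes /home || echo "tighten the directories listed above"
```

A directory created with the `UMASK=027` setting mentioned earlier in the thread ends in mode digit 0 and is not reported.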
Thanks for the quick action on this one! |
Fixed at clearlinux-pkgs/shadow@54abae4 |