What type of permissions should a user's home directory and files have?
Solution 1
To make the creation of the home directory behave differently do
useradd -m -K UMASK=0066 testuser
Giving other no access at all should be safe.
Solution 2
You should set DIR_MODE
in /etc/adduser.conf
and use the adduser
command as recommended in the man
page for useradd
on your system:
adduser testuser
If you do not want to make changes to the original /etc/adduser.conf
(or need different setups) you can make changes in a copy and use adduser --conf <yourconf>
Solution 3
I've had no problems setting home directories as 0700 as a base, and then opening them up more little by little as required.
Solution 4
Since you are posting this in security I will take a bait. This is how is done in by default in OpenBSD
drwxr-xr-x 5 predrag predrag 512 May 20 23:00 predrag
My account has been created on the boot. You see that by default a separate group is created and I am logged in as a member of that group. That first account is by default member of the wheel group but not for example member of operator group which means that I could not shutdown the computer.
Note that by default new users on OpenBSD are added with adduser interactive Perl script which also creates the home directory with correct permission and many other things.
This is what RedHat does by default
drwx------. 48 predrag predrag 4096 May 20 17:51 predrag
I am System Admin on that computer and that is regular account created by default for root user. RedHat doesn't have a custom script but some values of useradd are pre-populated with default values.
Related videos on Youtube
cwd
Updated on September 18, 2022Comments
-
cwd almost 2 years
I'm working with a fresh install of Ubuntu 12.04 and I've just added a new user:
useradd -m testuser
I thought that the
-m
flag to create a home directory for users was pretty standard, but now that I've taken a closer look I'm a little confused:By default the new directory that was just created shows up as:
drwxr-xr-x 4 testuser testuser 4.0K May 20 20:24 testuser
With the
g+r
ando+r
permissions that means every other user on the system can not onlycd
to that user's home directory, but also see what is stored there.When reading over some documentation for suPHP it recommends setting the permissions as
711
ordrwx--x--x
which is how it would make the most sense to me.I noticed that I can change the permissions on the files inside
/etc/skel
and they are set correctly when creating new users withuseradd -m
but changing the permissions on the/etc/skel
directory itself does not seem to have any effect on the new directories that are created for users in/home/
So - what type of permissions should a user's home directory and files have - and why?
If I wanted permissions to be different for
useradd -m
- like the711
/drwx--x--x
as I saw mentioned, how is one to do that? Must you create the user and then runchmod
?
-
Admin about 11 yearsleave a reason if you downvote
-
Admin about 11 yearsHave you looked at the man page of
useradd
? If you are on Ubuntu and want to use the commandline you should be usingadduser
. (BTW I did not downvote, but not finding the -K option yourself in the help/man page could indicate little research for others as you don't seem to be a complete Unix newbie) -
Admin about 11 years@Anthon - yup. I missed the
-K
part in man - but I did look over it before asking (not well enough). However theman
page still does not explain why it saysIf not specified, the mask will be initialized to 022.
Also, it does not seem thatadduser
provides any other benefit besides an interactive prompt based system - it, too, creates the home directories by default as 755. -
Admin about 11 yearsadduser (its deluser counterpart) does things like deleting a users 'private' group which I don't think adduser does. It also makes it more easy to make a normal or system user with the uid in the right number range. I recommend you look at what can be specified for
adduser
in/etc/adduser.conf
.
-
cwd about 11 yearsDon't they need to be at least 711 if they contain something like a
public_html
folder, or if one of the subdirectories is a shared / group folder? Also, can you set them as your700
by default somehow with theuseradd -m
command ? Also - why would Ubuntu even think it is OK to default to 755? -
cwd about 11 yearsInteresting. So without that I guess it just is using the default
umask
set in the shell session ? -
Ignacio Vazquez-Abrams about 11 yearsThat would be part of the "as required". On my (Fedora) system the umask can be set in
/etc/login.defs
; Ubuntu must have something similar. -
tink about 11 years@cwd: that is correct
-
tink about 11 years@cwd Regarding the public_html thing you asked about in Ignacio's response: I'd make the owning group something that the apache user is a member of, and still get away w/o access for other
-
cwd about 11 yearsThat sounds good to me. I will give it a shot. Thank you.
-
cwd about 11 yearsThx - this helps with the second part of the question.
-
user over 10 yearsShouldn't that umask be 0077 instead of 0066?