Colin Watson cjwatson at ubuntu.com
Mon Oct 24 11:24:49 CDT 2005


On Mon, Oct 24, 2005 at 08:58:33AM -0700, George Farris wrote:
> On Fri, 2005-10-21 at 10:00 +0100, Colin Watson wrote:
> > On Thu, Oct 20, 2005 at 02:35:54PM -0700, George Farris wrote:
> > > Having /home permissions be other than 0700 is a no-no IMHO.  It always
> > > has been on UNIX systems.
> > 
> > No, it really hasn't! The ability for users to conveniently share files
> > has always come first in Unix.
> 
> Hogwash, I would say.  Log in to any University UNIX machine and you will
> not find 755 permissions on /home/*.

Not the Unix systems at the university I attended, to the best of my
memory, with the probable exception of the heavily-locked-down mail
host. On the teaching systems, it was more important to facilitate
learning, including from each other (note that there are other ways to
prevent plagiarism, and locking down home directories is no defence
against that anyway); any abuse would be dealt with by the application
of a ton of bricks, although I don't recall this particular aspect of
the system ever being abused.

> I would bet this holds true for most businesses as well.

Not the Unix systems at any of the businesses where I've worked, all of
which used Unix extensively. (The odd person has set it up that way for
their own home directory; my experience has been that this causes more
irritation and lost productivity than anything else.)

Please be sure of your ground before you call hogwash.

> At any rate security should be uppermost in our minds with the
> ability to loosen it up as needs dictate.

There comes a point where if you make things too strict then in practice
users will be so annoyed by the default security you've provided that
they turn it off entirely, and you end up decreasing user convenience
for little actual gain. I maintain that this is one of those situations,
and that privacy issues should be addressed with a much smaller hammer.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]


