limiting users to their home directory
hs.samix at gmail.com
Tue Dec 23 22:32:21 UTC 2008
Loïc Grenié wrote:
> 2008/12/23 H.S. <hs.samix at gmail.com>:
>> Okay. But I do not see its use if the OP desires this. And what about
>> conf files and default desktop files the various window managers use?
>> And the system font files?
>> Also, if the OP sets the user's default permissions with rwX with no
>> permissions for groups and others, except in the case of ~/www
>> directories, wouldn't this achieve what he wants to do?
>> What I do not understand yet is does the OP want to hide *all* of the
>> system from each user or just other users?
> This is what I understand: he wants to hide all the system to
> all users. Other users directories is easy: chmod 700 /home/*
> plus some usage of mount -o bind to let apache see the
> www dirs.
> Nick Smith, the first poster, asked specifically
> I [...] would like to lock each user down to be able to see/edit
> only files in his directory, and disable ssh access. [...]
> Seems like that would be a huge security risk to have a user
> able to browse to any directory he wishes and open/download
> the contents.
> Being able to read the files of other user does not look
> like a "huge security risk". A privacy risk maybe, a small
> security risk (if some user has left a readable private key
> in a readable dir). Therefore I conclude that The first poster
> wanted to deny to all users the access to all the system
> except to their own files. As far as I can tell (and everybody
> else here) it is nearly impossible and mostly useless.
> I repeat here what has been said before by various persons
> (including my very own self), it is *not* a huge security risk
> to let anybody see and download most of the operating
> system. Obviously the private keys of the system must
> not be accessible, nor the encrypted passwords (even though
> I hope the encryption algorithm is better than what it was
> 20 years ago). The sensible files are unreadable by default
> so that an Ubuntu system is mostly safe as is. Preventing
> users to read the files does *not* significantly improve the
> security (think: 0.1% more secure). Keeping the system
> patched is a *much* better security improvement, checking
> if the system is properly configured is *much* *better* (and
> in that case not leaving the users read the files has 0 impact
> on security).
Yup, completely agree. There is absolutely no point in hiding the OS
from any user, even it is possible, unless the OP has customized his own
OS and wants to hide *that fact*. The other way to look at it is that
the users can download Ubuntu from anywhere if not from his machine.
This is just a "Doh!" situation.
I hope the OP answers my questions regarding what is he missing and due
to what reason if all he does is set his users' permissions as I and
others have mentioned earlier.
Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
More information about the ubuntu-users