User privacy

Robert Heller heller at deepsoft.com
Tue Feb 16 19:59:49 UTC 2021 

At Tue, 16 Feb 2021 19:33:36 +0000 "Ubuntu user technical support, not for general discussions" <ubuntu-users at lists.ubuntu.com> wrote:

> 
> Content-Type: text/plain
> 
> On Tue, Feb 16, 2021 at 08:02:02PM +0100, Volker Wysk wrote:
> > Am Dienstag, den 16.02.2021, 12:21 -0500 schrieb Robert Heller:
> > > At Tue, 16 Feb 2021 17:37:21 +0100 "Ubuntu user technical support, not 
> > for general discussions" <ubuntu-users at lists.ubuntu.com> wrote: 
> > > 
> > > > Content-Type: text/plain
> > > > 
> > > > Am Dienstag, den 16.02.2021, 15:54 +0000 schrieb Chris Green:
> > > > > On Tue, Feb 16, 2021 at 04:35:57PM +0100, Volker Wysk wrote:
> > > > > > Am Dienstag, den 16.02.2021, 23:23 +0800 schrieb Bret Busby:
> > > > > > > On 16/02/2021, Volker Wysk <post at volker-wysk.de> wrote:
> > > > > > > > Hi
> > > > > > > > 
> > > > > > > > Am Dienstag, den 16.02.2021, 14:18 +0000 schrieb Ian Bruntlett:
> > > > > > > > > Hi,
> > > > > > > > > 
> > > > > > > > > I'm sorting out an existing Lubuntu 18.04 laptop for a mother and
> > > > > > > > > daughter. At the moment when I run umask I get the result "0002" which I
> > > > > > > > > believe means that different users can read each other's files in their
> > > > > > > > > $HOME directories. They want to stop each other from reading their files.
> > > > > > > > > 
> > > > > > > > > Now I have a rough idea on how to arrange this. I believe a different
> > > > > > > > > umask value has to be specified however I don't know:-
> > > > > > > > > * What value of umask to use
> > > > > > > > > * Where to set that value so that it is set as the default on
> > > > > > > > > bootup/login.
> > > > > > > > 
> > > > > > > > You don't need to touch the umask. Just delete the permissions for "others"
> > > > > > > > on the home directories:
> > > > > > > > 
> > > > > > > > chmod o-rwx /home/HOMEDIR1
> > > > > > > > chmod o-rwx /home/HOMEDIR2
> > > > > > > > 
> > > > > > > > Bye,Volker
> > > > > > > > 
> > > > > > > 
> > > > > > > Is it "others" or "group"?
> > > > > > > 
> > > > > > > I preferred it when it was numbers; the 777 system, so, for example,
> > > > > > > chmod 007
> > > > > > 
> > > > > > It's "others". Each user should have its own private group with the same
> > > > > > name as the user name and only that user in it. So the group ownership or
> > > > > > permissions should not be a problem.
> > > > > > 
> > > > > It always seems to be a rather strange default set-up to configure
> > > > > every new user to have a group of their own.  It makes the whole idea
> > > > > of groups in permissions rather redundant!
> > > > 
> > > > Not at all. You still can create groups, if you want to share something, or
> > > > want to grant access rights to something to specific users. You just don't
> > > > share anything by default. Its more secure this way.
> > > > 
> > > > > It *may* be a good idea to configure things so that, by default, files
> > > > > don't have group read permission (i.e. umask 002, I *think*) but one
> > > > > often *does* want to share files for reading and that requires that
> > > > > users belong to some common groups.  They can then set group read
> > > > > permission on files they want to share.
> > > > 
> > > > Yes, just add a group named "users" with all the users in it. Then they can
> > > > set the group ownership to "users" for files they want to share between all
> > > > users. But they must do so explicitly, and I think this is a good thing. 
> > > > 
> > > > Come to think of it, this also means those users will also have to do
> > > > something with their home directory group membership, when they want to
> > > > share something inside their home directory. If it has been configured to
> > > > exclude "others", as I've advised above...
> > > 
> > > chmod go+x ~
> > > 
> > > (note: not r!)
> > > 
> > > Execute on a directory allows directory traversal, but not read access.
> > 
> > That's right. You need to know the name of the file or directory inside ~,
> > and then you can access it, when its permissions allow it. You could, for
> > instance, create a directory ~/shared, with world read- and lookup (x)
> > rights. 
> > 
> > The problem is, you also can guess names inside the ~, such as .bashrc or
> > bin/... When those don't deny read rights to "others", they can be read...
> > 
> More to the point, does it *matter* if others can read what's there?
> 
> Everyone in the world is welcome to the contents of my .bashrc file,
> I'd love them to be able to learn any morsels of information they can
> find there.
> 
> Default should be *ALLOW* access, hide the bits you think should be
> hidden.  In a work situation I'd have thought nothing should be
> hidden, what part of your work should be hidden from your colleagues? 

Possibly things like personal info, like E-Mails between you and HR that might
contain things like your SS# or bank account info (for direct deposit), etc.
But, yes, in a work situation g+rx and/or o+rx is *probably* a good default,
generally, with some obvious exceptions. In the OPs case, mothers and
daughters probably have reason to keep some level of "secrets" from each
other, if nothing else then things like holiday presents, suprise parties,
etc. But I suspect that other things like personal diaries and such as well... 

> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services

More information about the ubuntu-users mailing list