How to configure Debian to create new added users through adduser to be secure by default / Limiting access to other users’ information

Tuesday, 3rd August 2010

If you’re about to add new users to your Debian GNU/Linux system, you have probably noticed that the home directories adduser creates under /home get mode 0755 by default.
What makes it even worse is that, at the time of writing, the root user’s home directory /root is also 0755 on a default Debian install. You can see the insecure behaviour below:

hipo@noah:/$ ls -ld root/
drwxr-xr-x 67 root root 4096 Aug 3 12:40 root/

This is a real information disclosure problem: every local user can list, read and copy every other user’s files (everything not further protected by the file’s own mode, and with the default umask of 022 most files are 0644), and that includes read access to whatever the administrator keeps in /root!
I have no clear idea why the Debian developers chose such permissive defaults, but if you are a sane person with security in mind you should certainly change them for something more restrictive.
Doing so will probably save you a lot of nerves over information leaking between users, or even out of root’s own home directory.

Changing the permissions that adduser gives to newly created home directories is pretty easy: they are controlled by /etc/adduser.conf.

The variable responsible for the mode of newly created user directories is DIR_MODE. In Debian it defaults to DIR_MODE=0755, which, as I’ve already said, is insecure; a recommendable value is DIR_MODE=0750. Note that Debian’s adduser.conf also defaults to USERGROUPS=yes, so every new user gets a private group of their own; with that setting 0750 is in practice as restrictive as 0700 until you deliberately add someone else to the user’s group. If you do not want to rely on that, use DIR_MODE=0700.

So proceed and open the file in your editor (vim /etc/adduser.conf) and change DIR_MODE=0755 to DIR_MODE=0750. There are plenty of other configuration options in the same file you might want to tune; one worth mentioning is that it also defines the numeric ranges from which new accounts get their UIDs and GIDs.
Regular users are allocated from FIRST_UID/LAST_UID and FIRST_GID/LAST_GID; system accounts (created with adduser --system) from FIRST_SYSTEM_UID/LAST_SYSTEM_UID and, respectively, FIRST_SYSTEM_GID/LAST_SYSTEM_GID.

Another thing to do immediately after your Debian Linux installation is complete is to tighten the default permissions of root’s home directory. To do so:

debian:~# chmod 750 /root

If you already have any number of users whose home directories were created with the insecure 0755 mode, a simple bash one-liner to set them all to 0750, and thereby stop users from reading each other’s directories, is the following. There is no need for chmod -R here: without execute permission on the home directory itself, other users cannot reach anything beneath it, whatever the individual files’ modes are, and recursing would also clobber modes users have set on purpose (a ~/.ssh that should stay 0700, for instance).

debian:~# for i in /home/*; do chmod 750 "$i"; done
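The three fixes above (adduser.conf, /root, existing homes) gathered into one script, as an added example that is not part of the original post. It assumes GNU coreutils and sed (stat -c, sed -i); the function names are my own, and the demo runs against a constructed fixture in a temporary directory so it can be dry-run without root. Point it at /etc/adduser.conf and /home to apply it for real.

```shell
#!/bin/sh
# Added example (not from the original article): apply the adduser.conf, /root
# and /home fixes in one place.  Assumes GNU coreutils/sed (stat -c, sed -i).
set -eu

# Set (or append, if the file has no uncommented DIR_MODE line) DIR_MODE in an
# adduser.conf-style file.  $1 = conf path, $2 = mode, e.g. 0750.
set_dir_mode() {
    conf=$1 mode=$2
    if grep -q '^DIR_MODE=' "$conf"; then
        sed -i "s/^DIR_MODE=.*/DIR_MODE=$mode/" "$conf"
    else
        printf 'DIR_MODE=%s\n' "$mode" >> "$conf"
    fi
}

# Print the DIR_MODE currently set in $1 (last uncommented occurrence wins;
# empty output if unset).
get_dir_mode() {
    sed -n 's/^DIR_MODE=\([0-7]*\).*/\1/p' "$1" | tail -n 1
}

# True if any r/w/x bit is set for "other" on $1.  stat -c %a prints the mode
# in octal, so the last digit is the "other" class; 0 means no access at all.
others_have_access() {
    case "$(stat -c '%a' "$1")" in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# List the immediate subdirectories of $1 (e.g. /home) that "other" can get
# into.  Only the top-level directory matters for the leak described in the
# article: without x on the home directory nobody outside user/group can
# traverse into it, whatever the modes of the files beneath.
world_accessible_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if others_have_access "$d"; then printf '%s\n' "$d"; fi
    done
}

# Tighten the top-level mode of every exposed home under $1 to $2 (default
# 0750).  Deliberately NOT recursive: chmod -R would also clobber modes users
# set on purpose inside their homes (e.g. a ~/.ssh that must stay 0700).
fix_home_modes() {
    root=$1 mode=${2:-0750}
    world_accessible_homes "$root" | while IFS= read -r d; do
        chmod "$mode" "$d"
        printf 'fixed %s -> %s\n' "$d" "$mode"
    done
}

# Dry run on a constructed fixture (no root needed):  sh harden-homes.sh demo
demo() {
    tmp=$(mktemp -d)
    printf 'DIR_MODE=0755\nUSERGROUPS=yes\n' > "$tmp/adduser.conf"   # constructed
    mkdir -p "$tmp/home/alice" "$tmp/home/bob" "$tmp/home/carol"     # constructed
    chmod 755 "$tmp/home/alice"; chmod 750 "$tmp/home/bob"; chmod 701 "$tmp/home/carol"
    set_dir_mode "$tmp/adduser.conf" 0750
    printf 'DIR_MODE now %s\n' "$(get_dir_mode "$tmp/adduser.conf")"
    fix_home_modes "$tmp/home"          # reports alice and carol, leaves bob alone
    rm -rf "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real box the same helpers apply directly: `set_dir_mode /etc/adduser.conf 0750`, `others_have_access /root && chmod 750 /root`, and `fix_home_modes /home`. The audit step is worth keeping around as a periodic check, since a home directory restored from backup or created by another tool will not go through adduser.conf at all.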

The insecure default behaviour of Debian Linux discussed above is well documented in the Securing Debian Manual, so check it out for more thorough information on Debian security.


15 Responses to “How to configure Debian to create new added users through adduser to be secure by default / Limiting access to other users’ information”

  1. Anders says:

    Should it not be chmod -R 750 /root, or chmod -R o-rx /root?

  2. Kura says:

    Surely you mean the following:

    debian:~# chmod -R 750 /root
    debian:~# for i in /home/*; do echo chmod -R 750 "$i"; done

    • admin says:

      Yes, in the hurry it seems I put in a wrong number 🙂

  3. bbartlomiej says:

    Your chmods should be 750, not 755, because it wouldn’t change anything 🙂

  4. Debianero Rumbero says:

    ‘I have no clear clue why the Debian development team has taken the decision to set such an insecure permissions by default,’

    I do believe that’s a heritage thing from umask=0022 times.

    I always change /etc/adduser.conf too (like you) AND umask settings.

    In your example debian:~# chmod -R 755 /root I think that’s a typo, isn’t it?

    Maybe you mean debian:~# chmod -R 750 /root

    Same thing for your second example (755 instead of 750).

    • admin says:

      Yes, it’s a typo, thanks for noting it!
      Best

  5. tw says:

    “for i in /home/*; do echo chmod -R 755 $i; done “

    I guess it should be chmod -R 700 in the script.

  6. anon says:

    Old bug “/root is world readable”:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295858

  7. anon says:

    I think it’s wrong to recursively change the ownerships on people’s files. You should only change the permissions on their home directory.

    • admin says:

      Guess you’re right, but still, if only the user directory permissions are changed, somebody could try to guess the user’s file names and would be able to read them if lucky. Thus it might be better that way sometimes.

  8. admin says:

    Yep, I just gave it a try. You’re right, the “-R” option is not necessary in the for loop. I’ve fixed that in the article.

    Thanks for noting it!

    Will be seeing you around,

    Wish you best!

    Georgi

  10. Domenica Tinnell says:

    If someone needs to be updated with the newest technologies, then he must go to see this site and be up to date every day.

