Posts Tagged ‘insecure’

Change default new created Debian users insecure (all users read) permissons to secure

Tuesday, September 11th, 2012

In older versions of Debian, the directory permnissions of /home/ directory used to be secure. As of time of writing this post in Debian GNU / Linux Squeeze (6.0.5), default permissions are set to such, that all permissions are set readable for all users. e.g.:

debian:~$ ls -al /home/test
drwxr-xr-x 3 test test 4096 Jul 24 10:51 test

This kind of permissions are probably set like this because of Apache configuration to display every user custom file content in web via /home/[users]/public_html through http://website-url.com/~test … (whatever) ~username.

This is great for machines which are supposed to be used for hosting, but for mail server or SQL Database host such permissions of new created users is quite insecure practice. Also such a /home directory settings are not good even for Webserver hosting servers, which did not display any web content via /home/ users directories.

Therefore on each new configured Debian server it is a wonderful practice to change default new created user to only readable, writable and executable by the user itself ….

To do so;

1. Edit /etc/adduser.conf

Change the variable:

DIR_MODE=755

to

DIR_MODE=700

This will not affect the permissions of current existing directories in /home/, i.e. /home/user1 , /home/user2 etc. but any new created one with adduser or useradd cmd will get permissions of 700

Here are permissions of recent created user syrma:

debian:~# useradd syrma
debian:~# ls -ld /home/syrma
drwxr-xr-x 98 syrma syrma 12288 7 ceâ—ˆ 13,56 hipo/

In /etc/adduserconf, there are plenty of other useful options, you might want to tune (depending on the type of new configured server). Few worthy to change sometimes are:

FIRST_UID=1000, LAST_UID=29999
FIRST_GID=1000, LAST_GID=29999

This two controls how the USER IDSs (UID) and GROUP IDs (GID)s will get assigned. In some cases it might be useful to assign new users from 1000 onwards.

Another helpful variable to tune for creating new users from there is DSHELL, on Linux defaulting to DSHELL=bash shell.

If there is a necessity to set a GLOBAL new created user quota, this is easily done also via adduser.conf. The file allows you to disable certain strings in username from present in new user logins, configure if new users will have their separate directory or belong to a system wide (user group – like in Slackware) and few others. I suggest anyone new to Linux who hears it for a first time check it.

It is maybe worthy to mention in present moment on Ubuntu Linux, by default /etc/adduser.conf, DIR_HOME=700 (is restrictive).
For some new users, who try to configure Apache read /home/[user_dir]/public_html. This could lead to unexplainable errors like:

[Tue Sep 11 10:20:17 2012] [crit] [client 127.0.0.1] (13) Permission denied:/home/syrma/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

This error is due to /home/syrma, improper permissions (Apache) server user (www-data) fails to read /home/syrma directory content and the Apache forked child exits with the respective error.log critical err.

If you get some errors like this, the fix is to just make the directory with readable and executable flag for all users:

# chmod -R 0755 /home/syrma