Solved question about different user access other user's folder

Dear all:
I have created two users (test, game) in FreeBSD 14.1... The user game has a home folder; the test user does not. When I log in as the test user, I can access the folder of the game user and view all files. Why? I think different users can't view all of each other's information on the same machine. Could you tell me what happened to me, and how to block other users from accessing all my information? Thanks.
 
Use ls -l to see what owner, group, and other (user) permissions you have on these directories.

You probably want to use chmod to restrict the permissions, e.g. chmod -R g-rwx,o-rwx secret_dir
 
Code:
% cd /tmp/
% mkdir secret_dir
% ls -l | grep secret
drwxr-xr-x   2 myuser  wheel   512 Aug 26 15:57 secret_dir
% chmod -R g-rwx,o-rwx secret_dir
% ls -l | grep secret
drwx------   2 myuser  wheel   512 Aug 26 15:57 secret_dir
 
When you add a user with adduser you can specify the permissions for the new home directory (man adduser):
-M mode
Create the home directory with permissions set to mode.


Without this parameter, the umask will be used for creation (man pw):
-M mode
Create the user's home directory with the specified mode, modified by the current umask(2). If omitted, it is derived from the parent process' umask(2). This option is only useful in combination with the -m flag.

adduser is a shell script which runs the powerful pw command.

For my root, umask = 22 = -rw-r--r--

I see that you can solve the problem by:
  • change your umask
  • specify -M mode
 
As mentioned by others here, the system user's home directory permissions can be changed so that only the home directory owner can access it.

i.e.: chmod 700 /home/game

adduser(8) offers the possibility to create the user's home directory with specific permissions, either when executing the command (adduser -M 700) or interactively during user creation, at the step:
Code:
Home directory permissions (Leave empty for default): 700
Default is mode 755.

The default can be changed to apply to all newly created users by creating an adduser(8) configuration file (/etc/adduser.conf).

To produce the configuration file, execute adduser -C and change the default values.

The mentioned umask can help further to restrict file and directory permissions beneath the home directory.

Caveat: Since 14.1, when Root-on-ZFS, adduser(8) creates the user's home directory as a ZFS dataset, unless invoked with the -Z option.

The -M, interactive and /etc/adduser.conf home directory permission settings don't have an effect.

Home directory permissions must be set manually with chmod(1).
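As an added example (not code from this thread or from FreeBSD's adduser), a small POSIX sh script that checks the two points made here and in the reply above: the umask decides the mode a newly created directory gets, but a home directory that already exists at the 755 default has to be fixed with chmod 700 afterwards, and an audit of the home parent directory should flag anything that is not owner-only. The directory names and the mktemp tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a parent directory of home
# directories for any that other users can enter or read, and show why a
# directory created at the 755 default must be fixed with chmod afterwards.
set -eu

# Symbolic mode of a path, e.g. "drwxr-xr-x". ls -ld is used instead of
# stat(1) because its output format is the same on FreeBSD and Linux.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print "<mode> <name>" for every sub-directory of $1 whose group or other
# bits allow any access at all; only mode 700 (drwx------) passes.
insecure_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        case "$(mode_of "$d")" in
            d???------) ;;
            *) printf '%s %s\n' "$(mode_of "$d")" "${d##*/}" ;;
        esac
    done
}

# Constructed fixture (hypothetical home tree under mktemp): "game" is made
# with the usual umask 022, so it gets 755 like the OP's /home/game; "test"
# is made under umask 077 and gets 700; "late" is made at 755 and then fixed
# with chmod 700, which is what has to happen to an already existing home.
# The umask is set in subshells so the caller's umask is left untouched.
make_fixture() {
    base=$(mktemp -d)
    (umask 022 && mkdir "$base/game")
    (umask 077 && mkdir "$base/test")
    (umask 022 && mkdir "$base/late" && chmod 700 "$base/late")
    printf '%s\n' "$base"
}

# Stand-alone run: build the fixture, report what an audit flags, clean up.
home=$(make_fixture)
insecure_homes "$home"      # prints: drwxr-xr-x game
rm -rf "$home"
```

Run it against a real system with insecure_homes /home (or /usr/home) to list every home directory that still needs chmod 700.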
 
adduser(8) offers the possibility to create the user's home directory with specific permissions, either when executing the command (adduser -M 700) or interactively during user creation, …

Bugs 150988 and 280099.

The BUGS section of adduser(8) does not mention either bug, and pw(8) does not have a BUGS section.

Postscript: sorry, I missed this part of your comment:

The -M, interactive and /etc/adduser.conf home directory permission settings don't have an effect.
 
… how to block other users from accessing all my information? …

Not yet mentioned in the manual page for adduser(8), for additional protection you can:
  • encrypt a ZFS home directory
  • have an encryption keyphrase that differs from the user password.
The example below includes the encryption keyphrase part of the routine, and shows that mode 700 is not effective.

Code:
root@mowa219-gjp4-zbook-freebsd:~ # adduser -M 700
Username: kh
Full name: Kitten Heels
Uid (Leave empty for default):
Login group [kh]:
Login group is kh. Invite kh into other groups? []:
Login class [default]:
Shell (sh csh tcsh zsh rzsh ksh git-shell bash rbash nologin) [sh]: tcsh
Home directory [/home/kh]:
Home directory permissions [700]:
Enable ZFS encryption? (yes/no) [no]: yes
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username    : kh
Password    : <random>
Full Name   : Kitten Heels
Uid         : 1005
ZFS dataset : august/usr/home/kh
Encrypted   : yes
Class       :
Groups      : kh
Home        : /home/kh
Home Mode   : 700
Shell       : /bin/tcsh
Locked      : no
OK? (yes/no) [yes]:
Enter encryption keyphrase for ZFS dataset (august/usr/home/kh):
Enter new passphrase:
Re-enter new passphrase:
adduser: INFO: Successfully created ZFS dataset (august/usr/home/kh).
adduser: INFO: Successfully added (kh) to the user database.
adduser: INFO: Password for (kh) is: eQbEQLsY
Add another user? (yes/no) [no]:
Goodbye!
root@mowa219-gjp4-zbook-freebsd:~ # exit
logout
% whoami
grahamperrin
% ls -dhl /home/kh
drwxr-xr-x  2 kh kh    9B 26 Aug 16:32 /home/kh
% cat /home/kh/.login_conf
#
# see login.conf(5)
#
#me:\
#       :charset=iso-8859-1:\
#       :lang=de_DE.ISO8859-1:
% sudo bsdconfig userdel kh
grahamperrin's password:
awk: can't open file /usr/libexec/bsdconfig/*/INDEX.en_GB.UTF-8
 source line number 4
% sudo zfs destroy august/usr/home/kh
%
 
The opening poster asked about access; there's direction to what's currently Chapter 3 of the FreeBSD Handbook, which is outdated (it does not cover ZFS-encrypted home directories) and which recommends adduser.

adduser fails to restrict access.

When I post to public forums, it's for the benefit of anyone who might read.
 
As mentioned by others here, the system user's home directory permissions can be changed so that only the home directory owner can access it. …
Thanks. It's a very good solution.
 