Securing /home and /root

[hiatek]

Hey Guys,
Is there a simple way to secure the /root and /home directories?
I have test from multiple accounts and they can read contents in each others and roots home directory, probably not ideal.

I attempted to follow (Home Directory Permissions) http://draenor.org/securebsd/secure.txt it is rather dated though. It didn't work as expected.
I have reverted the permissions back to how they were (I only got as far as doing /root)


Kind Regards,
Michael Hiatt

 

[Mormegil]

Pretty sure basic permissions won't be dated any time soon. The directions in that tutorial should do exactly what you're looking to do, what went wrong?

 

[hiatek]

I could still browse and read files and traverse directories.
I went further to try lock it down and found I had numerous errors soon afterwards (no web traffic, i assume squid related, dovecot also appeared to fail, I couldn't ssh in from accounts other than wheel grouped).

I set the permissions back by hand using a previous

ls -la

of the root directory and rebooted and everything started up as normal.

I thought I best ask for advice before I really kill something.

EDIT: Is there an option when installing to have these secured by default?


Kind Regards,
Michael Hiatt

 

[SirDice]

chmod -R o-rx /root/
chmod -R o-rx /usr/home/

That should do it.

 

[hiatek]

I think /root is fine now. I can only cd to it if i'm a member of wheel, ls of the directory is also locked for non-wheel.

I made the change as listed also for /usr/home

when logging in with a non-wheel account (support in this case) i get the following message:

Could not chdir to home directory /home/support: Permission denied

The following was performed with an account that has wheel group membership

ls -la /home/
total 10
drwxr-x---   5 root     wheel    512 May 20 13:08 .
drwxr-xr-x  17 root     wheel    512 Oct 30  2009 ..
drwxr-x---   5 user  user  512 May 28 13:40 user
drwxr-x---   4 support  support  512 May 28 16:34 support
drwxr-x---   2 user   user   512 May 20 12:34 user

(Note: I have changed the listing for the other two user accounts to "user" to minimise exposure for listing on the forum)

ls -la /home
lrwxr-xr-x  1 root  wheel  8 Oct 30  2009 /home -> usr/home

Is there something else i'm missing to make this work?
EDIT: Hmm if I do a

ls -la /usr/

ls -la /usr/
total 58
drwxr-xr-x  17 root  wheel       512 Oct 30  2009 .
drwxr-xr-x  20 root  wheel       512 May 16 10:23 ..
drwxrwxr-x   2 root  operator    512 May 28 20:02 .snap
drwxr-xr-x   2 root  wheel      7168 May 17 13:41 bin
drwxr-xr-x   2 root  wheel       512 Oct 30  2009 compat
drwxr-xr-x   2 root  wheel       512 Oct 30  2009 games
drwxr-x---   5 root  wheel       512 May 20 13:08 home
drwxr-xr-x  46 root  wheel      5120 Jan 24 13:15 include
drwxr-xr-x   6 root  wheel     10752 Jan 24 16:52 lib
drwxr-xr-x   5 root  wheel       512 May  1  2009 libdata
drwxr-xr-x   5 root  wheel      1536 Jan 24 13:15 libexec
drwxr-xr-x  15 root  wheel       512 May 17 15:04 local
drwxr-xr-x   2 root  wheel       512 Oct 30  2009 obj
drwxr-xr-x  69 root  wheel      1536 May 17 09:18 ports
drwxr-xr-x   2 root  wheel      5632 Jan 24 13:15 sbin
drwxr-xr-x  25 root  wheel       512 Jan 24 13:15 share
drwxr-xr-x   2 root  wheel       512 May  1  2009 src

Thankyou for the advice so far.

EDIT: Well I tried the following:

chmod o+rx /usr/home

then

ls -la /usr/
total 58
drwxr-xr-x  17 root  wheel       512 Oct 30  2009 .
drwxr-xr-x  20 root  wheel       512 May 16 10:23 ..
drwxrwxr-x   2 root  operator    512 May 28 20:02 .snap
drwxr-xr-x   2 root  wheel      7168 May 17 13:41 bin
drwxr-xr-x   2 root  wheel       512 Oct 30  2009 compat
drwxr-xr-x   2 root  wheel       512 Oct 30  2009 games
drwxr-xr-x   5 root  wheel       512 May 20 13:08 home
drwxr-xr-x  46 root  wheel      5120 Jan 24 13:15 include
drwxr-xr-x   6 root  wheel     10752 Jan 24 16:52 lib
drwxr-xr-x   5 root  wheel       512 May  1  2009 libdata
drwxr-xr-x   5 root  wheel      1536 Jan 24 13:15 libexec
drwxr-xr-x  15 root  wheel       512 May 17 15:04 local
drwxr-xr-x   2 root  wheel       512 Oct 30  2009 obj
drwxr-xr-x  69 root  wheel      1536 May 17 09:18 ports
drwxr-xr-x   2 root  wheel      5632 Jan 24 13:15 sbin
drwxr-xr-x  25 root  wheel       512 Jan 24 13:15 share
drwxr-xr-x   2 root  wheel       512 May  1  2009 src

I rebooted the server (to make sure I wasn't going to get any surprises next time I had to reboot it).

I no longer get the error when logging in as support

The support user can no longer access other users files under /home/ or /usr/home/ only its own folder. Also /root is locked out from members who aren't in wheel group.

If i've done anything stupid by making this change, would someone be kind enough to let me know (and even kinder to offer a remedy).

Otherwise, thanks again.
Kind Regards,
Michael Hiatt