Users' home folders separation.

[Dendros]

There is something I don't quite understand although I admit that I'm by no means knowledgeable on this. In short I created a second user account on my FreeBSD system for some troubleshooting purposes and I was surprised when I was able to access the home folder of my main user, with all the files contained in it, from this second user (I was using the Thunar file manager as I use Xfce).
As I said, I'm by no means a connoiseur but I thought that the home folders of the users on an Unix system should be private, e.g accessable only by their respective owners and the root user. And speaking about the root user, I'm also able to access root's home folder, /root (although it's empty) in Thunar and that's something that is not possible in Debian (I get a permission denied error if I try this) but in FreeBSD that is possible so I'm confused.
Did I understand something wrong?

 

[Vull]

A non-root user should normally have read and execute permissions for another user's files, but not write permission, unless permissions are set up in some non-standard way. This should be true regardless of whether you are using Debian or FreeBSD. Check out the FreeBSD handbook entry on file permissions and also the manual entries on chmod and umask. You should be able to check your file permissions with ls -l; they are printed in the first column of the ls -l output.

I don't use Thunar, so I don't know why it would behave differently on Debian and FreeBSD, unless it has something to do with the file permissions.

 

[Sevendogsbsd]

Interesting - I was under the impression any user could not read any other user's files. I have only ever had one user on my BSD box so will need to create the wife an account so I can test this

Under Linux (too many to list, can't remember specifically), I cannot access any other user's home directory or root's home directory.

EDIT - well, that's a little disturbing: why can I read other user's files, plus read root's files. Didn't know I could do that. I guess it doesn't hurt anything in my case.

 

[Vull]

Under Debian:

root@stream:~# ls -ld /root
drwx------ 5 root root 4096 Feb 16 04:10 /root

Under FreeBSD:

$ ls -ld /root
drwxr-xr-x  3 root  wheel  2048 Feb 28 05:01 /root

 

[leebrown66]

Under Linux, I cannot access any other user's home directory or root's home directory.

I think you'll find that's distro specific. On my CentOS box, that statement is true, but a debian box I have, it's like FreeBSD's permissions.
edit: where it pertains to the regular users, not root (didn't check)

 

[ralphbsz]

In Unix (which includes FreeBSD and Linux), files and directories have owners, and permissions. They have three separate sets of permissions: What the owner can do, what a different user in the same group as the owner can do, and what others can do. If you do a "ls -l", those are the letters in the string "rw-r--r--" or something similar at the beginning.

Two users can be in the same group, but they don't have to be. That depends on how they have been set up. Please read about passwd and group in the man pages. I suspect that the style of setting up groups depends on different versions of Unix, and within Linux, probably even on different distributions. A competent sys admin will think through the requirements of an installation, and configure users accordingly. I have no idea what the defaults from different OSes are, nor do I care.

Newly created files and directories have certain permissions, which are set by the umask. In most cases, the umask in turn is set by the shell that runs; and typically, the umask depends on the whether the user is "root" or not (the detailed test for root-ness is more complex). Again, competent sys admins will configure the default shell setup files (things like /.cshrc or /etc/profile) accordingly to the needs of the site.

Whether one user can see, read, or modify files of another user depends just on those permissions. There is no "right" or "wrong" here, just different ways of doing it. Please learn about how Unix file permissions work, and then it will all become clear.

(By the way: I omitted ACLs in the above; they make this a lot more complicated, but most people don't encounter them.)

 

[ShelLuser]

In short: it's always best not to rely on the system to keep you safe, that's a job for the administrator and optionally the end users. It's not that hard to change the permissions on your home directory as its owner.

 

[SirDice]

Don't follow the typical advice from the Ubuntu forums; "Oh, you have permission problems? Just chmod 777 everything". Never, EVER, follow that advice.

There are only two directories that need this, /tmp and /var/tmp. But these also have the sticky(7) bit set.

 

[Dendros]

Thanks to everyone for clarifications. I understand that this issue is related to permissions but I wanted to know why users' home folders aren't private by default as I think that they should be so. After all, in a multi-user setup, was is the point of having separate user accounts if users can see each other's files? And, more important, why are regulars users able to see root's files? But perhaps that is related to the fact that both of my user accounts are in the wheel group and this grants them more relaxed permissions than for non-wheel accounts? I will test this by creating a non-wheel account and see how permissions are set.
SirDice: I never followed such advice and I use Debian anyway not Ubuntu. But what should I choose for my home folder in FreeBSD? chmod 700?

 

[SirDice]

But perhaps that is related to the fact that both of my user accounts are in the wheel group and this grants them more relaxed permissions than for non-wheel accounts?

Group membership is irrelevant in this case because the 'world'/'other' is set to read access (r-x).

But what should I choose for my home folder in FreeBSD? chmod 700?

On FreeBSD your primary group is typically the same as your username, so 750 would be fine too. That way you can give someone else (read-only) access to your home directory by adding them to your group.

For example, my username is dice and the primary group is also called dice:

dice@maelcum:~ % getent passwd dice
dice:*:1001:1001:SirDice:/home/dice:/bin/tcsh
dice@maelcum:~ % getent group dice
dice:*:1001

If my home directory has 750 I can add another user to the dice group to give that user access to my home directory. No other user (besides root) would be able to access it.

If you choose 700 or 750 you probably want to change your umask(1) to 077 or 027 too (default is 022).

 

[Dendros]

SirDice, umask should be set in .profile, correct? There is another example of what I think it's bad permissions: the wpa_supplicant.conf file; by default it can be read by regular users and this means that anyone could read your wi-fi password, so I always change permissions for it to 700.

 

[SirDice]

There is another example of what I think it's bad permissions: the wpa_supplicant.conf file;

The file doesn't exist by default. You have to create it. When you created the file your umask(1) got applied resulting in the 644 permissions.

@SirDice, umask should be set in .profile, correct?

It's going to depend on your shell. The ~/.profile is only read by the Bourne (compatible) shells (sh(1), bash(1), zsh(1), etc). You can also set the umask(1) using a login class, see login.conf(5).

 

[Vull]

Thanks to everyone for clarifications. I understand that this issue is related to permissions but I wanted to know why users' home folders aren't private by default as I think that they should be so. After all, in a multi-user setup, was is the point of having separate user accounts if users can see each other's files?

We always have the options of (1.) making any files more private with the chmod command, and (2.) making them more private by default with the umask command. Arguably, if we want total privacy we probably shouldn't be sharing the same computer. Keep in mind that the root account, by default, can effectively ignore file permissions, and read and write any file regardless of permission settings, so any user who can gain root permissions with su, sudo, or doas can still read your private files.

There are several reasons for having separate user accounts which aren't related to privacy concerns. For one example, the postgres account is a non-root user account which owns most or all of its own files. If all those postgres-owned files were totally private, no users other than root and postgres would be able to use the postgresql database software. Command line interface programs like psql would be unusable.

For another example, programmers working on the same software for the same company typically want to share some of the same computers and read and write each others' files as part of their daily routines. Unix-like systems have the flexibility to give them those abilities, by making them members of the same group or groups, and by assigning group permissions to files, individually, using the chmod command, or by default, by using a umask like 002 instead of 022.

And, more important, why are regulars users able to see root's files?

If non-root users didn't have read and execute permissions for root-owned files, we wouldn't be able to read and execute utility programs which are owned by root, like ls and diff, for example, and so the system would effectively be inoperable. Furthermore, if root didn't have the ability to ignore file permission settings, programs like ls and diff wouldn't work on your privately-owned files with restrictive file permissions.

On the positive side, the root account is not a human being, and so it presumably doesn't have any sort of human interest in your privately owned files, but, in general, computer systems aren't a good place for privacy, and any file on any computer on the internet is at considerable risk of having its privacy breached.

 

[ralphbsz]

Warning: in all of the text below, I only talk about the R and W permission flags; I ignore the X flag (which applies mostly to directories in the context of this discussion). In most cases the X flag should mirror the R flag; the examples where directories will have different R and X flags are rare and require lots of explaining.

... but I wanted to know why users' home folders aren't private by default as I think that they should be so.

If you think it should be so, feel free to configure your system this way.

There are people who think otherwise. For example, in many workgroup and corporate applications, users are classified into groups. The traditional example is to have users Alice, Bob and Christine in the group "engineering", David and Emma in group "marketing", and Fred in "payroll". In such a scenario, the common and sensible way to configure permissions is to that files are readable by everyone in the group, but only writable by their owner. This is the example where the default being "rw-r-----" makes sense.

You can also have directories that you want to be group writable. In the above example, you might have a directory /home/tools, which is maintained by all three engineers. In that directory, you would want everything to be group writable. If you want to get more interesting, you can start implementing overlapping groups. For example, you could create a new group called "toolsmiths", which contains one dedicate employee Sam, plus the experienced engineers Alice and Christine. Then you could make the group toolsmiths be the owner of the /home/tools directory, with rw-rw-... permissions.

Different Unix distributions have different defaults for umask. And they have different traditions for how groups are assigned. Some have the tradition that every user is in a group of their own (so user Alica will be alice:alice); others have the tradition that by default all users are in a single group (so it would be alice:staff, bob:staff, ...). FreeBSD does it the first way. Again, an experienced sys admin will adjust these defaults to the need of their site.

And, more important, why are regulars users able to see root's files?

Many files that are owned by root (or more accurately, by UID zero, which user root is typically the main inhabitant) are not at all secret, and that can be useful for all people. As an example, /var/log/messages* (which are the boot and progress messages from the OS and its major components) is typically protected with "rw-r--r--", so anyone can read it. So if you are wondering why the network is down, you can to "tail /var/log/messages", and you'll quickly see in the last few lines that it is a known problem, and there is no need to contact the sys admin. On the other hand, files such as /var/log/security and /var/log/auth.log contain important information that needs to be kept private (such as the identity of other users, and details of security incidents), so their protection is typically rw-------, not readable by anyone other than root.

Whether the login user root protects their files in their home directory (which is typically /root/...) against normal users reading them or not is their choice. The experienced sys admin will typically think through these questions and make intelligent decisions. One example: When I log in as root, I always religiously keep log files of what I have done. They can always be found in the directory /root/logs/YYYYMMDD.log, and contain clear text with human readable sentences explaining what happened and what I did. They often contain little snippets of shell commands or scripts that I used, so I can cut and paste them later. I always make them world readable. Like that other users can find out what happened on the system, which can help them debug things. For example: "The printer lj5mp is down" ... I tell them to "please look in the sys admin log files, I remember messing with it three weeks ago, but don't remember the details". For that reason, those log files never contain cleartext passwords.

But what should I choose for my home folder in FreeBSD? chmod 700?

I presume you mean home directory? Windows has folders; Unixes have directories.

The answer to that depends. To begin with, as SirDice said, by default on FreeBSD every user has a group of their own. So you can stop worrying about the group permissions. For the owner field, you should probably go with rw- in most cases, since protecting files so you yourself can't modify them is a rare use case, and using permissions isn't a very good way to implement unmodifiable files (too many tools will work right around permissions, like you can delete a file that has permissions r--------, and then its gone, without having to explicitly disable the permissions). The next step is to think about the following questions. (a) How valuable is your data? (b) How much do other users have to access your files? (c) How much can you trust the other users to act responsibly? (d) How secure is your machine otherwise? Obviously, these questions are correlated with each other (you would never put highly secret and valuable data on a machine that has open login accounts for everyone on the internet with user="user" password="password").

As an example, look at the server I described above. We can assume that it is relatively well managed, and secured against random break-ins from the internet, and not easy to physically steal the disks (it is in the locked server room of a small software company). We can assume that the source code the engineering group works on is quite valuable (dozens of man-years of highly paid engineers have gone into it), so we must not leak it. We also know that we can't trust the payroll person very much, he's just a temporary contractor, so he should not have access to the source code. But all the engineers need to access all source files, independent of which engineer is modifying them right now, so they need full group read permissions. With this model, you quickly get to the conclusion that rw-r----- is the correct setting for the engineering group. On the other hand, the data of the payroll department needs to be highly private: engineers have no business trying to find out how much the marketing people are paid. So the data of /home/payroll or /home/fred needs to be rw-------. And if they create a directory of tools which are used by everyone in the company (like software tools, or this weeks menu for the cafeteria) they should have permissions rw-r--r--, so everyone can use those. But then they have to have the common sense of not putting private data into that directory (so menu is OK, the cook's secret recipe is not).

 

[Dendros]

ralphbsz, thank you for your insight into this. Although my use case is quite different, I'm just a casual user not a power user and certainly not an admin. But I still think that on a home machine (not a server or production machine), the home directories should be private and that it's just my opinion. If I wanted to share data with other accounts/users, I would just create a directory specifically for this purpose and chmod it to 644.
I believe that purely for privacy reasons. And for root's files, I was referring to root's home directory, /root. What if it contains some sensitive, system-related data? Perhaps some system processes store such data in root's home and if it's world readable, anyone could read such data. That's is my thinking and it's quite possible that I don't know what I'm talking about.

 

[ralphbsz]

But I still think that on a home machine (not a server or production machine), the home directories should be private and that it's just my opinion.

If you want that, configure your system that way. Set umask correctly, and you will get there. However, that has not been the Unix tradition for the last ~50 years, so don't expect your opinion to sway the vast majority of people. The traditional umask for non-root accounts is 022, meaning files will have permissions 644 (and directories will have 755).

And for root's files, I was referring to root's home directory, /root.

To some extent root is just a completely normal user, with a completely normal home directory, which happens to be /root. I don't even remember whether /root is by default world-readable in FreeBSD or not ... on my machine, I definitely adjust the permissions myself to my wishes. You should too.

What if it contains some sensitive, system-related data?

The person who put that sensitive data there should have thought about that before putting it there. If the directory is configured to be world-readable (like mine is), then don't do that. If it is configured to be unreadable, it's fine. In that respect, root is just a normal user: they have to make decisions where to store data, and how to protect it.

Perhaps some system processes store such data in root's home ...

They would never do that. To my knowledge, there is no such system process. Matter-of-fact, you can delete the /root directory, and everything will work just fine, showing that /root is not particularly special. Other than the fact that root can't log in any more. But seriously, you could create a second root account (call it toor for example), give it a different home directory (for example /usr/toor if you feel like that), and then delete /root. The system will continue working.

On the other hand, there are lots of system directories that processes store data into. In particular /var. And the permissions in /var were carefully thought through.

 

[Dendros]

On a "pure" FreeBSD system (no third party packages installed) I think you're right but when I said "system processes" I was thinking at those packages, some of them runs with root privileges and could use root's home to store data. Something like that.

 

[ralphbsz]

No sane package will do that. Now I'm sure that there's broken and insane software around. But that should be pretty rare.