Locking home directories
This is another area where different Linux distribution families are different from each other. Each distribution family comes with different default security settings. A security administrator who oversees a mixed environment of different Linux distributions will need to take this into account.
UMASK line is in the
login.defs file for all Linux distributions, but Red Hat-type distributions are the only ones that have
UMASK set to a restrictive value of
077 by default, which removes all permissions from the group and others.
Other distros set it to
022 by default, which creates home directories with a permissions value of
755. This allows everybody to enter everybody else’s home directories and access each others’ files.
Red Hat and CentOS
Red Hat Enterprise Linux and all of its descendants have better out-of-the-box security than any other Linux distribution. One thing that’s already been done is locking down users’ home directories.
By default, the
useradd utility on Red Hat-type systems creates user home directories with a permissions setting of
700. Only the user who owns the home directory can access it. The
UMASK is set in
CREATE_HOME yes UMASK 077
Debian and Ubuntu
Debian and its offspring, such as Ubuntu, have two user creation utilities:
sudo useradd -m -d /home/username -s /bin/bash username
username would have no
home directory and would be assigned the wrong default shell.
Home directories are wide open, with
read privileges for everybody.
cd /home sudo chmod 700 *
To change the default permissions setting for home directories, open
/etc/login.defs and change
UMASK 022 to
UMASK 077. Now, new users’ home directories will get locked down on creation, just as they do with Red Hat.
adduser utility is an interactive way to create user accounts and passwords with a single command, which is unique to the Debian family of Linux distributions. Most of the default settings that are missing from the Debian implementation of useradd are already set for adduser. The only thing wrong with the default settings is that it creates user
home directories with the wide-open
755 permissions value.
777 is the numerical equivalent of
rwxrwxrwx in Linux, subtracting that from the
022, you get the resulting permissions that will be set on a user’s home directory and files. Change the