Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
Is there any risk keeping open world-read access to passwd file?
Why is by default passwd file world-readable
It is for all users to be able to read their usernames and other data in this file. Sensitive data in modern UNIX systems is kept in /etc/shadow file.
/etc/passwd is world-readable because it contains system-wide account information, like username to real name mappings. It doesn't contain password hashes; those are in /etc/shadow which is only readable by root. Anything that needs to do authentication has to go through a trusted setuid-root service that can check that file.
(And, of course, many systems don't use passwd/shadow for account information anymore. If you use the C library instead of reading the files directly, though, you won't notice.)
The passwd file doesn't contain password hashes any more - they are in the shadow file.
/etc/passwd now only contains the list of users on the computer, and a few basic parameters like their shell. The reason to make it world-readable is so that the world can read it.
This is not generally considered a security vulnerability, though in some circumstances it may be inappropriate.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I have a computer with Linux installed that is being used by several users. Included is a secondary data partition that is being shared between the users. But permissions are not easily handled. Anything created by a specific user, get's that user as owner. I was wondering if it would be possible to use fuse to some how mimic the way Android handled it's /data/media location?
I don't know how Android handles /data/media permissions and my solution does not involve FUSE, but if you create a group and add all users in it and set setgid bit on the root of the secondary file system and change it's group to group with all users then owner of each file will still be user that created the file but group of the file will contain all user and therefore they can access it if you set permissions on that file right (something like 660).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
Since I am not that experienced with Linux this might be an easy, if not too simple question for you. Recently I met an old friend of mine and I want to exchange some files with him. In fact I could send the files by E-Mail or share them by Dropbox or something like that but I want to make use of Linux and my RaspberryPi.
Here, the RaspberryPi can be accessed via SSH and I want my friend to be able to access one specific directory. The one where I place the files.
I don't want him to mess around in the system. Ideally he should be able to only see this one directory.
Is it enough if I create a user and put the files in his home directory?
Thanks in advance
See this introduction to permission management on Linux.
To answer your Question:
Is it enough if I create a user and put the files in his home directory?
Yes, but it's not a perfect solution because the home folder of an user contains some subfolders.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
For example, I have a file /tmp/plain.txt, and if userA do a cat, he will get correct content, for example, correct content, and if root cat it, he will get meaningless text, for example, easd$qxc%sdf. and even root copy it to HOME, he cannot get the right content.
Is it possible?
You can encrypt the file using AES symmetric encryption and keep the key safe with you. And use that key to decrypt your file and view.
You can also make it more secure by using RSA asymmetric encryption, with encrypting from a public key, and decrypting from a private key.
If you want other users not to read your files, better make sure they do not have access to root's password. You can easily manage user permissions on files, by using chmod, or by using a file manager:
chmod o-rw /tmp/plain.txt
Where o indicates all users expect you(and root),
- indicates revoking permission
rw indicates reading and writing permissions
If you want a more secure method, you'll need to encrypt your home partition. Depending on which distribution you are using, you may encrypt your the partition on installation or by simply using a partition encryption tool in a live boot session.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
Is there any way to currently set up a role based access control (RBAC) for filesystem on any OS that is based on linux kernel, or this would require a special filesystem or modifications of linux kernel?
By RBAC I mean something like what is available under NTFS. Linux kernel by default support only DAC, compliant with POSIX, but I think it would be interesting to have a possibility to define unlimited number of access entries for any number of roles per file on linux kernel, so that for example for a file /var/blah
user Bob can read and write to that file
user John can only read that file
group admins can read, write and execute it
group backup can only read it
group system can read and execute it
and so on...
If you use ACLs, it is possible as well.
See
man getfacl
man setfacl
You can look into SeLinux which implements MAC on linux. This is another security mechanism under linux apart from DAC. I don't have any handly link right now but simple google search for RBAC Selinux may give you results which you are looking for.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I need to control the transferring of files on my server. Some files are sent through scp to my server and I want such a files to have a specific set of permissions let's say 770. I tried pam_umask.so in /etc/pam.d/login and setting umask in /etc/profile but it seems to not work.
Which is the best way on Linux to force an umask for files transferred via scp?
Regards,
Andrea
AFAIK, scp does not initialize a shell, thus don't source any file such as .profile, .bashrc, /etc/profile.
So the only way of doing this, as commented by Stefan Ferstl, seems to use the pam module pam_umask.so.
The file /etc/pam.d/sshd is probably the best place to do it, if you want to limit this behavior to ssh sessions :
session optional pam_umask.so umask=0007