Difference between revisions of "How To Secure Your Home Directory"

From ECE Information Technology Services
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
<!--Originally written on: 2006-Jan-22-->
+
<!--Originally written on: 2006-Jan-22 - updated 2020-01-06 -->
  
 
All ECE accounts have their home directories stored on Unix/Linux file servers.
 
All ECE accounts have their home directories stored on Unix/Linux file servers.
  
The default [http://en.wikipedia.org/wiki/File_system_permissions file system permissions] for home directories is 755, which means that other users can
+
The default permissions for home directories at ECE is 711, which means that other users can enter your home directory. Additionally, the default
read the contents of your home directory. Additionally, the default
 
 
[http://en.wikipedia.org/wiki/Umask umask] is 022, which means that any
 
[http://en.wikipedia.org/wiki/Umask umask] is 022, which means that any
files/directories that you create will be readable by others.
+
files/directories that you create will be readable by others.  Note that in order to be able to read a file created with the default umask, the other user will need to know its name, as they will not be able to get a directory listing.
  
Many users consider this to be a security risk.  However, some unix processes,
+
Some users may consider this to be a security risk.  However, some unix processes,
 
specifically the email system's anti-spam tools and the department's web
 
specifically the email system's anti-spam tools and the department's web
 
server, need to be able to access files within your home directory in order to
 
server, need to be able to access files within your home directory in order to
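
Review bot: the rewritten default-permissions sentence drops the link to the file system permissions article that the old 755 sentence carried, while the umask link is kept. The new text depends on the reader knowing that 711 lets others enter the directory without listing it, so keep the link on "permissions" or spell out what 711 grants. Also change "permissions ... is 711" to "are 711".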

Latest revision as of 11:56, 6 January 2020


All ECE accounts have their home directories stored on Unix/Linux file servers.

The default permissions for home directories at ECE are 711, which means that other users can enter your home directory. Additionally, the default umask is 022, which means that any files/directories that you create will be readable by others. Note that in order to read a file created with the default umask, the other user will need to know its name, as they will not be able to get a directory listing.

Some users may consider this to be a security risk. However, some Unix processes, specifically the email system's anti-spam tools and the department's web server, need to be able to access files within your home directory in order to read your resource files. Some users find it challenging to set permissions on their home directories that give both the security they desire and correct access for system processes. The recommended method to secure your home directory is therefore to create a subdirectory -- something like ~/work -- in which to keep your work. You can then set the permissions on this subdirectory to something more restrictive, such as 700.

ECE IT Services considers the securing of one's home directory to be the responsibility of the user. In addition to setting the permissions on your ~/work directory (see examples below), you may wish to adjust your umask.

Example 1: setting permissions on your ~/work directory only

  chmod 700 ~/work

Example 2: setting permissions on your ~/work directory and everything below

  chmod -R 700 ~/work
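
The two examples and the umask adjustment, worked through in a scratch directory. This is an added example, not part of the original ECE page. The function names are hypothetical, and it assumes GNU `stat` and GNU `find` as found on Linux servers.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat and GNU find.

# mode_of PATH: print PATH's permission bits in octal (e.g. 644).
mode_of() { stat -c '%a' "$1"; }

# secure_workdir DIR: create DIR if missing and make it owner-only (700).
secure_workdir() { mkdir -p "$1" && chmod 700 "$1"; }

# tighten_tree DIR: strip all group/other access below DIR. Unlike a
# recursive 700, this leaves the owner's bits alone, so plain files do
# not become executable.
tighten_tree() { chmod -R go-rwx "$1"; }

# audit_open DIR: list entries under DIR that grant any group/other bit.
audit_open() { find "$1" -perm /077 -print; }

# demo: run the steps in a scratch directory (constructed sample data).
demo() {
    base=$(mktemp -d) || return 1
    (
        umask 022                          # the default described above
        secure_workdir "$base/work"
        echo draft > "$base/work/notes.txt"
        mkdir "$base/work/sub"
        echo "notes.txt under umask 022: $(mode_of "$base/work/notes.txt")"
        echo "entries open to group/other:"
        audit_open "$base/work"
        tighten_tree "$base/work"
        umask 077                          # stricter umask for new files
        echo more > "$base/work/new.txt"
        echo "notes.txt after tighten_tree: $(mode_of "$base/work/notes.txt")"
        echo "new.txt under umask 077: $(mode_of "$base/work/new.txt")"
        echo "still open: $(audit_open "$base/work" | wc -l)"
    )
    rm -rf "$base"
}

demo
```

Running `audit_open ~/work` periodically shows anything created under the 022 umask that still carries group or other bits inside the protected directory.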