UbuntuHelp:UbuntuLTSP/LockdownHomeDirs
来自Ubuntu中文
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
| This page is specific to Ubuntu versions 8.04 |
If you find this information applicable to additional versions/releases, please edit this page and modify this header to reflect that. Please also include any necessary modifications for this information to apply to the additional versions.
This page is dedicated to locking down user home directories. This is necessary because, by default, Ubuntu likes to give the "other" group (everyone on the system) r-x (read/execute) permissions by default. This is not acceptable in an educational environment, as any student would be able to navigate to any other student's (or teacher's) home directory to, at the very least, open/read their files. Here are the steps to lock down user home directories, so only the logged-in student (and any teacher/admin staff in the "admin" group) will have access to user directories: First, change filesystem permissions on all existing user home directories so that only the owner and group have rwx permissions:
cd /home sudo chmod 770 *
Now, change the group owner to the "admin" group (only teachers and/or system administrators/techs should be a member of the "admin" group, as it is used for system administration purposes):
sudo chgrp admin *
NOTE: This only allows entering the users' directories as it doesn't recursively change permissions on enclosed files. To ensure all current and future files are created with the proper permissions for the 'admin' group to read/write/execute them, we must either use SetUID on the group bits, or use ACLs. I will document this soon and this note will be removed. Lastly, to prevent newly created users from creating homedirs with the same bad permissions, edit the /etc/adduser.conf file to make the default permissions sane:
sudo vim /etc/adduser.conf
adduser.conf:
... # If DIR_MODE is set, directories will be created with the specified # mode. Otherwise the default mode 0755 will be used. DIR_MODE=0770 ...
If you'd like to add more fine-grained access control to individual user home directories, see This|page on ACL support in Ubuntu. Have fun!
