Just as the user permissions for daemons need to be thoughtfully planned out, configured, and audited, the user permissions for standard, unprivileged users need to be treated similarly. Confidentiality is definitely a concern that can and should be addressed when setting and auditing user permissions.
The following are methods to prevent exploitation and data leakage due to weak file permissions. As root, create a user-specific group testl and assign it to the testl user account:
linux:~ # groupadd testl
linux:~ # usermod -g testl testl
Observe the Group permissions automatically assigned to the file testfile in the following example, when created by the user testl with the new Group settings:
While this is a good start, you need to modify the above file permissions to prevent Everyone from accessing the file. You do this easily using chmod:
Now, only the intended owner of the files (and root) has any level of access to them (read, write, or execute). This is a fine solution if users are the only parties that need access to their own files, but different configurations need to be made if users intend to share their files with others without having to change permissions each time they want to share the files.
If users are supposed to share files with others in their department, then a departmental group should be created and all users in the department should be assigned to that group as their primary group. If all users are assigned to the same group, every file they create will be readable by members of that group, but write permission must be added explicitly to any file the group needs to modify.
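The steps above as a small audit script, added here as an example and not part of the original article: it lists files that still grant any access to others, removes that access, and adds group write to a file meant for a shared departmental group. The function names, the sample tree, and the exact chmod modes (o-rwx, g+w) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and tighten "other" access under a directory.
# Function names and the sample tree are constructed for illustration.

# Print every regular file under $1 that grants any permission to "other".
list_world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count the files flagged by the audit (useful in scripted checks).
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Strip read, write and execute for "other" from every flagged file.
revoke_world_access() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec chmod o-rwx {} +
}

# Let members of the owning (departmental) group modify a shared file.
allow_group_write() {
    chmod g+w "$1"
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/private" "$d/readable" "$d/shared"
    chmod 600 "$d/private"    # owner only
    chmod 644 "$d/readable"   # what a umask of 022 produces
    chmod 640 "$d/shared"     # group may read, others get nothing
    printf '%s\n' "$d"
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "before: $(count_world_accessible "$tree") file(s) open to others"
    revoke_world_access "$tree"
    allow_group_write "$tree/shared"
    echo "after:  $(count_world_accessible "$tree") file(s) open to others"
    ls -l "$tree"
    rm -rf "$tree"
}

demo
```

Running the audit function against a home or project directory before and after a permissions change shows whether any file is still exposed to accounts outside the owner and group.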