Mastering Linux Security and Hardening
上QQ阅读APP看书,第一时间看更新

Locking down users' home directories the Red Hat or CentOS way

This is another area where different Linux distribution families do business differently from each other. As we shall see, each distribution family comes with different default security settings. A security administrator who oversees a mixed environment of different Linux distributions will need to take this into account.

One beautiful thing about Red Hat Enterprise Linux and all of its offspring, such as CentOS, is that they have better out-of-the-box security than any other Linux distribution. This makes it quicker and easier to harden Red Hat-type systems because much of the work has already been done. One thing that's already been done for us is locking down users' home directories:

 [donnie@localhost home]$ sudo useradd charlie
[sudo] password for donnie:
[donnie@localhost home]$
[donnie@localhost home]$ ls -l
total 0
drwx------. 2 charlie charlie 59 Oct 1 15:25 charlie
drwx------. 2 donnie donnie 79 Sep 27 00:24 donnie
drwx------. 2 frank frank 59 Oct 1 15:25 frank
[donnie@localhost home]$

By default, the useradd utility on Red Hat-type systems creates user home directories with a permissions setting of 700. This means that only the user who owns the home directory can access it. All other normal users are locked out. We can see why by looking at the /etc/login.defs file. Scroll down toward the bottom of the file, and you'll see this:

CREATE_HOME yes
UMASK 077

The login.defs file is one of two files where default settings for useradd are configured. This UMASK line is what determines the permissions values on home directories as they get created. Red Hat-type distributions have it configured with the 077 value, which removes all permissions from the group and others. This UMASK line is in the login.defs file for all Linux distributions, but Red Hat-type distributions are the only ones that have UMASK set to such a restrictive value by default. Non-Red Hat distributions usually have a UMASK value of 022, which creates home directories with a permissions value of 755. This allows everybody to enter everybody else's home directories and access each others' files.