Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Default Permissions for New User?

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Default Permissions for New User?

#1 Post by debiman »

Hello,
my server is running debian jessie aka oldstable, without gui, as a web and ssh server.
i now want to add a new user. that is, a person who gets their own user account with ssh access.
i want to make sure that this person (who is friendly and generally has my trust) cannot mess up anything.
clearly I did not add them to the sudo group.
what are debian's defaults for

Code: Select all

# adduser user
?
i searched. there's a lot of info out there, but i could not find a clear answer.
debian wiki does not seem to address this particular topic at all.
looking at /etc/adduser.conf does not clarify either.

maybe not what the adduser command does, but what general user permissions are for all users?

as far as i can see it, a (new) user
- can see a lot of things (but not all) outside their home, but not change it
- cannot reboot or do other mission critical things
???

Segfault
Posts: 993
Joined: 2005-09-24 12:24
Has thanked: 5 times
Been thanked: 17 times

Re: Default Permissions for New User?

#2 Post by Segfault »

UNIX users have write rights in their home directories. And temp directories, but only to temp files they own. Everything is default denied. User cannot even make a sound unless he/she is made a member of audio group. These are UNIX basics.
In short, I have hard time understanding your question.

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Default Permissions for New User?

#3 Post by GarryRicketson »

I am not sure I understand the question my self, but here is my "penny",
The user would not be able to do anything that can harm the system,
and will be able to access using ssh, log in , as all ready mentioned they
will be able to read,write files in their dir only, /home/username/

If they know the root password, they can use 'su' , and become root, so if you do not want them doing anything as root, do not give them the password.
I don't know much about sudo, don't use it myself, but the same , (I think)
you would not want to add them to sudo group.
If you want to allow them to be able to write files , for example, in the
/var/www/htdocs, they would need to have special permissions, and be a member of a group allowed read/write access to those dirs, or be able to use 'su', to be honest I am not sure my self, on how you would set it up
so they could for example:have a home dir inside the /var/www/htdocs,
where they could add a index.html, etc, and create their own web site.
It might help if you clarify exactly what privileges you want to give the user,
and what areas they would be allowed access to.
If your concern is only that they can not do anything that could harm or change system files, your ok there, when the newuser is added, the default
does not give them any privileges outside of their home dir and tmp files,
as mentioned by Segfault .
So in a nut shell, as long as they are not a member of 'sudo', and do not have the root password, your ok.
==========================
A little off topic, but anyway:
I don't think Linux or Debian has a option for 'doas'

Code: Select all

man doas
DOAS(1) General Commands Manual DOAS(1)
NAME
doas - execute commands as another user
SYNOPSIS
doas [-Lns] [-a style] [-C config] [-u user] command [args]
DESCRIPTION
The doas utility executes the given command as another user. The command
argument is mandatory unless -C, -L, or -s is specified-----snip---

In a way, I guess it is similar to what you all do with sudo, but anyway
way I find it usefull on OpenBsd, and use it , instead of all ways using 'su' and logging in as root. One can give a user specific permissions, in specific
directories , etc.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Default Permissions for New User?

#4 Post by Head_on_a_Stick »

debiman wrote:what are debian's defaults for

Code: Select all

# adduser user
?
They are defined in /etc/adduser.conf, as you note in your post — what is it about that file you do not understand?

Here is my BL-He (née Debian stretch) version:

Code: Select all

DSHELL=/bin/bash
DHOME=/home
GROUPHOMES=no
LETTERHOMES=no
SKEL=/etc/skel
FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
FIRST_SYSTEM_GID=100
LAST_SYSTEM_GID=999
FIRST_UID=1000
LAST_UID=59999
FIRST_GID=1000
LAST_GID=59999
USERGROUPS=yes
USERS_GID=100
DIR_MODE=0755
SETGID_HOME=no
QUOTAUSER=""
SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
So new users have their own $HOME folder and their own group with /bin/bash as the shell (yuck!) and any dotfiles copied from /etc/skel — this can be considered a reasonably "secure" default, especially as new users (ie, any added after the "main" user) are *not* added to any system groups in Debian.

See https://wiki.debian.org/SystemGroups for more.

@Garry: https://github.com/Duncaen/OpenDoas
deadbang

User avatar
Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: Default Permissions for New User?

#5 Post by Thorny »

debiman wrote: what are debian's defaults for

Code: Select all

# adduser user
?
I'm not trying diss you debiman but Debian's defaults are what is in that, /etc/adduser.conf, file. Thus, the "defaults" for an added user are whatever the system administrator has left or changed in that file. Adding a user doesn't change permissions on any system files or give new users access other than the ability to read files outside of their home directory that allow "others" access. As mentioned by Segfault, depending on what you want the user to be able to do you may have to add them to a group or possibly, groups.

If you need to be even more careful, you might research the topic, chroot jail but that is likely more than you want, and more trouble to accomplish. I know from reading your posts that you're capable of researching this.

I hope you have considered whether or not this person will ever have physical access to the server when you are not monitoring them. If they have sufficient knowledge and physical access ...

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Default Permissions for New User?

#6 Post by debiman »

^ no physical access, and that person has my general trust as a human being, just not as a linux user.

guys, maybe i should've put this in bold:
debiman wrote:maybe not what the adduser command does, but what general user permissions are for all users?
(meaning normal users with a home and login, not root)
i know for a fact that some distros give normal user rights to execute e.g. "systemctl poweroff".
this is something that would already be in place before the user gets created, i guess.
i tested "systemctl poweroff" (along with reboot and hibernate) and thankfully debian does not do it that way.

i also know for a fact that debian is very precise about privilege separation and was wondering where i'd find info on that.
i'm guessing things like pam, polkit and systemd would be involved.
i still didn't find that info, but i'm fairly confident that debian is doing the right thing here.

in other words, i was looking for confirmation, preferably in the form of a debian-approved document.

What i got instead was the same as usual:
  • first reply didn't bother very hard to try to understand what i'm after and threw a general RTFM in my direction
  • the rest put more attention to the first reply, than to the op, and was eager to follow suit
on topic, i think i have it locked down pretty good now.
  • the new user belongs to no group save its own, and that is that.
  • i added the user to sshd_config so he can log in
  • he has his own webroot, but nothing can be executed in it
i just hope he doesn't try to "bring systemd down with one tweet" or some such...

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Default Permissions for New User?

#7 Post by Head_on_a_Stick »

debiman wrote:i also know for a fact that debian is very precise about privilege separation and was wondering where i'd find info on that.
Perhaps you should also read http://www.catb.org/esr/faqs/smart-questions.html... :mrgreen:
deadbang

Post Reply