undefined | Better HN

0 pointsquicklime3y ago0 comments

It's not quite the same as "guest mode" on ChromeOS, but I make user accounts (no sudo) for non-technical family members and let them use my machines unsupervised. What are you worried about here? Should I be worried?

0 comments

4 comments · 1 top-level

kweingar3y ago· 3 in thread

It depends on how much you trust your family members and whether you worry about non-root malware.

Looking at my Linux machine, I notice that the default permission for home directories is 755. If I don’t think to tweak that, then I’m potentially exposing a lot of sensitive data to other users (and potentially the programs they run).

I’m a proficient Linux user but not an expert, and I’m racking my brains to think of what else might be exposed to other users on my machine.

bravetraveler3y ago

I'm similarly racking my brain, and I came to the same finding.

755 permissions on the home directory lets others see what you have, which isn't great.

The good and bad news is, permissions on the files matter too.

SSH (private) keys for example categorically won't work outside of 600 permissions, meaning nobody else can read your private key - without escalating privileges

Now, if you go defining auth secrets in your shell profile (which is world-readable by default), probably something to reconsider.

Restricting umask is a good protection for this, for what it's worth. You can make it so that newly created files/directories are not accessible to the world

kelnos3y ago

> Looking at my Linux machine, I notice that the default permission for home directories is 755.

Whoa, what? I'm running Debian, and it's 700 for me. What distro are you running? This seems like a bad choice by the distro maintainers...

iszomer3y ago

> I’m racking my brains to think of what else might be exposed to other users on my machine.

Including root?

j / k navigate · click thread line to collapse