I’m not too familiar with Linux operating systems. But I like openSUSE 11.1 very much and I am eager to learn. I used to have 10.3. From my (I admit extremely limited) point of view 11.1 is a real improvement. Thank you very much! So I have decided to ditch MS operating systems from my computer once and for all.
I do have a question about the default set of permissions. While getting acquainted with openSUSE 11.1 I learned that the default permissions for my user’s (uid 1000) home directory and subdirectories are often something like 755 or 752. I find it a bit irritating that others have read access to my files and are sometimes even allowed to execute them. Would there be any harm done or some programs be compromised if I change the permissions recursively for the group and the others to 0? Or am I being a little paranoid?
No, that’s fine, nobody depends on your files. In fact you only need to change your home directory to 700 because to gain access, all directories on that path must have search access to the process that wants to use the file, and 700 on $HOME blocks everybody else from your $HOME downwards.
One exception is if you have a webserver and a personal website at $HOME/public_html. Apache needs to be able to read your website’s files.
Thank you very much for the information. Well, I have another question since you already mentioned apache. Say I’m using my standard user and meanwhile the apache server is running. Now I want to access any file with whatever browser which is running in my user account. This file is being provided by the apache server. Regarding the permissions: I suspect from your previous answer the browser’s request on the apache server will fall under “the others” and not my user account. Is that correct?
Yes, that is correct. The permissions are determined by the account that is running Apache and on OpenSUSE this is wwwrun. So for most files on the system permissions are determined by the “world” bits.
However, if you mean you are using something like Konqueror, or even Firefox on local files with URLs like file:///home/joe/something.html, then this doesn’t go through the webserver at all, and the above is not applicable. In this case, this is a normal access as the user running the file browser.
Also if you have a single-user system (sounds likely in your case) I’d
probably just make /srv/www/htdocs owned by your user and then put
things in there when you need something via the system’s web server.
This would let you keep your home directory locked down and let you do
whatever you want to for the web server too.
Good luck.
ken yap wrote:
> Yes, that is correct. The permissions are determined by the account that
> is running Apache and on OpenSUSE this is wwwrun. So for most files on
> the system permissions are determined by the “world” bits.
>
> However, if you mean you are using something like Konqueror, or even
> Firefox on local files with URLs like file:///home/joe/something.html,
> then this doesn’t go through the webserver at all, and the above is not
> applicable. In this case, this is a normal access as the user running
> the file browser.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
If you do go along with this you could softlink
/home/youruser/public_html to /srv/www/htdocs so you have a simple place
to access that part of the drive should you go with the stuff I
mentioned previously.
ab@novell.com wrote:
> Also if you have a single-user system (sounds likely in your case) I’d
> probably just make /srv/www/htdocs owned by your user and then put
> things in there when you need something via the system’s web server.
> This would let you keep your home directory locked down and let you do
> whatever you want to for the web server too.
>
> Good luck.
>
>
>
>
>
> ken yap wrote:
>> Yes, that is correct. The permissions are determined by the account that
>> is running Apache and on OpenSUSE this is wwwrun. So for most files on
>> the system permissions are determined by the “world” bits.
>
>> However, if you mean you are using something like Konqueror, or even
>> Firefox on local files with URLs like file:///home/joe/something.html,
>> then this doesn’t go through the webserver at all, and the above is not
>> applicable. In this case, this is a normal access as the user running
>> the file browser.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org