> That’s fine for a business system, but for the ‘general public’? I
> suggest that if Linux is to move into the mainstream (don’t we all want
> that?) it will need to be much friendlier in this respect. I would guess
> that if Windows hadn’t been so ‘un-lockeddown’ until relatively recently
> and thus much harder (albeit safer) to use, it wouldn’t be so
> widespread because the general public would have been continually
> frustrated by it, and walked away. I’m not arguing that it is good to be
> insecure, but the security -should- be easier to control, IMHO.
If Windows had not been so loose and lax with security, the whole problem of
viruses and malware would not have been so great. Now you want to open Linux up
to that kind of attack! No thanks.
I think you miss my point - Windows was easy to use because security was all but absent. That was terrible but it did the trick for MS. I’m not suggesting that for Linux (far from it). I’m suggesting that rather than tuck things away so only the very well informed know about them, it should be much easier for ordinary users to manage their own security. If they choose to open everything up and suffer the consequences, so be it, but at least they have the choice. If you read my original post you will see that my point was inspired by a valuable piece of information tucked deeply away, that only experienced sys-admins will know about. Good for a business system, but for a home user deeply frustrating. And I’m an experienced developer with over 40 years of experience. What about your ordinary punter?
Your original question was based on a complete misunderstanding of the facts. The mount options as set at the installation by default for the partitions as used by the system (we are not talking about dynamically added non-Linux file systems like those on USB sticks) are correct and offer no security risk. A newbie does not need “a valuable piece of information tucked deeply away”, simply because no change is needed.
And about the world writable files that you say are to be found on your system and that in your opinion shouldn’t be world writable, we can not argue with you at all as we stated earlier due to lack of facts.
> I think you miss my point - Windows was easy to use because security was
> all but absent. That was terrible but it did the trick for MS. I’m not
> suggesting that for Linux (far from it). I’m suggesting that rather than
> tuck things away so only the very well informed know about them, it
> should be much easier for ordinary users to manage their own security.
I repeat: no thanks.
The basic permissions system in Linux can not be changed. You can design
Yet another Application to Manage Permissions (Pun Intended with the
Upper Case mixture), but such applications do exist already.
Windows permissions are not easy at all. They are very complex and
powerful, in fact. They take days in training courses for administrators
going over them. Days. Only that plain users do not meddle with them, so
they think that they are easy. Same as in Linux, you do not meddle with
the permissions, no need to do so.
The permission system in Linux is in fact very simple, but different
from Windows.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
If I may say so, that sounds a little patronising. I interpret it as "Ordinary users need not worry their pretty little heads over security - the men have it sorted for you."
I am well aware of the complexity of the Windows security mechanisms, and the relative beauty of the Linux simplicity in contrast, but management of permissions in some respects is still awkward. My remark about information being tucked away was in response to HvK’s remark about “not many people know about [umask]”.
Anyway, on my PC files in my home directory are created with 755 permissions. I would like to make them 750 by default. My PC, my prerogative. I have changed /etc/login.defs to set umask=027, but newly created files are still 744 (rwxr-xr-x). Why is that?
You have to logout, then log back in, for the changes to take effect.
I’m not sure if “/etc/login.defs” does what you think. Normally one sets umask in the shell startup file “$HOME/.profile” or “$HOME/.bashrc” or whatever, depending on shell. And, after changing your shell startup file, you will need to logout and login again.
> If I may say so, that sounds a little patronising. I interpret it as
> "Ordinary users need not worry their pretty little heads over security -
> the men have it sorted for you."
That’s in the eye of the beholder.
> I am well aware of the complexity of the Windows security mechanisms,
> and the relative beauty of the Linux simplicity in contrast, but
> management of permissions in some respects is still awkward. My remark
> about information being tucked away was in response to HvK’s remark
> about “not many people know about [umask]”.
Well, I’m considered an expert, and Henk’s short explanation is about the
best I have seen.
In fact, I have never bothered to change umask in 20 years. You can
think, if you wish, that I tell myself “you do not need to touch it”. Am
I patronizing myself?
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
> I’m not sure if “/etc/login.defs” does what you think. Normally one
> sets umask in the shell startup file “$HOME/.profile” or “$HOME/.bashrc”
> or whatever, depending on shell. And, after changing your shell startup
> file, you will need to logout and login again.
You can issue the command “umask” to find out the current value, and
also to change it.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
In /etc/login.defs you find the defaults as used by the useradd command (and by YaST > Security and Users > Users management) at the creation of new users. That means that what you changed only takes effect when you create new users (using those meta methods, not when you do it all manually of course).
This does not miraculously change things for existing users. They could become very upset when that was the case.
IIRC, I said earlier in this thread that putting an umask command (or changing an existing one) in ~/.profile should do the trick for a user.
I changed that particular file because it was the only place I could find that currently sets umask, and it looked ‘common’. I’ll have a go at doing the same in .profile, but then (I believe) I will have to do it for all user accounts whereas I wanted to do it in one place. Okay, two user accounts isn’t the end of the world, but it’s twice the amount to remember in future.
It’s the defaults for setting up a new login account.
You could use “/etc/profile”. However, if an individual user sets umask in his own “.profile” or “.bashrc”, that setting will override what you put into “/etc/profile”.
The thing to remember is that “umask” is supposed to be an individual user setting, not a vendor setting and not a system administrator setting.
My idea of unix is that “/etc/profile”, “/etc/csh.cshrc” and “/etc/csh.login” should be empty files on initial install. These are supposed to be system administrator files, not distro vendor files.
Unfortunately, my distro doesn’t agree with me on that.
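The two technical points of this thread, as an added example that is not from any of the posters: how a umask value turns into the modes of newly created files and directories, and how a umask set in a user's own startup file overrides one set in a system-wide file. The temporary files standing in for /etc/profile and ~/.profile are constructed, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example. All paths below are temporary, constructed stand-ins.

# Print "<file-mode> <dir-mode>" for objects created under the given umask.
# The function body is a subshell, so the caller's umask is not changed.
new_modes() (
    work=$(mktemp -d) || exit 1
    umask "$1"
    : > "$work/file"     # regular files are requested with mode 0666
    mkdir "$work/dir"    # directories are requested with mode 0777
    modes="$(stat -c %a "$work/file") $(stat -c %a "$work/dir")"
    rm -rf "$work"
    echo "$modes"
)

# Source the given startup files in order, as a login shell reads the
# system-wide file first and the user's file second, then print the
# umask that is left in effect. The last file to set umask wins.
effective_umask() (
    for f in "$@"; do
        [ -r "$f" ] && . "$f"
    done
    umask
)

# Constructed stand-ins for /etc/profile and ~/.profile.
demo=$(mktemp -d)
printf 'umask 027\n' > "$demo/etc_profile"
printf 'umask 022\n' > "$demo/user_profile"

echo "umask 022 gives file/dir modes: $(new_modes 022)"
echo "umask 027 gives file/dir modes: $(new_modes 027)"
echo "system-wide file only:          $(effective_umask "$demo/etc_profile")"
echo "system-wide, then user file:    $(effective_umask "$demo/etc_profile" "$demo/user_profile")"

rm -rf "$demo"
```

To audit a real account, run `umask` in a fresh login shell and search the startup files that shell reads for lines that set it.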