OpenSUSE Leap client vs. 389 Directory Server: default home directory permissions?

Hi guys,

This one’s a bit tricky, so here goes.

I’m currently fine-tuning a central authentication scenario using 389 Directory Server and NFS. It’s supposed to replace the current configuration using NIS and NFS, which works fine, except there are some security issues with NIS. Anyway.

The server is running CentOS, and all desktop clients are running OpenSUSE Leap 15.1.

The whole thing works rather nicely at the moment. Clients can authenticate via LDAPS, and the user’s home directories even get created on the first connection. In YaST’s LDAP client configuration, there’s a corresponding checkbox to create home directories automatically.

Now the home directory does get created indeed, but its permissions are 755 (drwxr-xr-x), which is definitely not sane. So here’s my first question (one dragon at a time):

Can I define sane default permissions like 700 (drwx------) for home directories in a central authentication scenario against 389 directory server?

Thanks & cheers from the sunny South of France.

After some experimenting, I found the following workaround. Add this line to /etc/profile:

chmod 700 /home/$(whoami) >> /dev/null 2>&1

Works like a charm.

But I guess it would be better to fix the thing that creates the directory in the first place.

Any suggestions?


It’ll depend on which machine is adding the new user.
Take a look at the “useradd” CLI command and, at least on the openSUSE machine, the ‘/etc/default/useradd’ configuration file.

  • You’ll have to set the default “umask” value to ‘077’ to remove the “read, write, execute” permissions for “Group” and “Other”.

UMASK is set in /etc/login.defs, but it has the side effect of setting the umask in each user session, not just the home directory permissions. For this reason upstream added the HOME_MODE variable to explicitly control new home directory permissions, although I understand it is probably not much help in the case of Leap 15.1.

Yes, but, that’s the UMASK for the user’s session, after logging in.

  • My understanding is that the UMASK value in ‘/etc/default/useradd’ is used exclusively by the “useradd” command …

It is not used at all.

Hmmmm – I see what you mean – in ‘/etc/default/useradd’: UMASK=077 – “useradd -m test-099” – newly created home directory with “drwxr-xr-x” permissions …

  • But, correctly created in the path defined by ‘/etc/default/useradd’: HOME=/home/*** …

I guess this proves that “Code is fact – documentation is fiction!!” …
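As an added example (not code from anyone in this thread), the following script applies the UMASK / HOME_MODE point made above: it works out which mode a freshly created home directory should get from a login.defs-style file and then audits a home root for directories that are more open than that, i.e. the 755 situation the original poster ran into. The file and directory paths are passed in as arguments so it can be tried against a constructed file rather than the real /etc/login.defs; it assumes a Linux host with GNU stat.

```shell
#!/bin/sh
# Added example, not code from the thread. HOME_MODE wins if set; otherwise the
# expected mode is 0777 & ~UMASK, with shadow's documented default UMASK of 022.

# Last uncommented "KEY value" line wins, as in login.defs. $1 = file, $2 = key.
defs_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p" "$1" | tail -n 1
}

# Print the expected mode of a new home directory as four octal digits, e.g. 0700.
expected_home_mode() {
    home_mode=$(defs_value "$1" HOME_MODE)
    if [ -n "$home_mode" ]; then
        printf '%04o\n' $(( 0$home_mode ))
        return 0
    fi
    umask_val=$(defs_value "$1" UMASK)
    [ -n "$umask_val" ] || umask_val=022      # shadow's default when UMASK is unset
    printf '%04o\n' $(( 0777 & ~0$umask_val ))
}

# List directories under $1 carrying permission bits beyond mode $2 (e.g. 0700).
# Returns 1 if any were found, 0 if every home directory is at least as tight.
audit_home_dirs() {
    root="$1"; want="$2"; found=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        have=$(stat -c '%a' "$d")            # GNU stat (assumption: Linux host)
        if [ $(( (0$have & ~0$want) & 0777 )) -ne 0 ]; then
            printf 'too open: %s (%s, expected %s)\n' "${d%/}" "$have" "$want"
            found=1
        fi
    done
    return $found
}
```

Run it as `audit_home_dirs /home "$(expected_home_mode /etc/login.defs)"` on a client to spot directories that pam_mkhomedir-style creation left at 755 before the /etc/profile chmod workaround ran.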