I’m currently fine-tuning a central authentication scenario using 389 Directory Server and NFS. It’s supposed to replace the current configuration using NIS and NFS, which works fine, except there are some security issues with NIS. Anyway.
The server is running CentOS, and all desktop clients are running OpenSUSE Leap 15.1.
The whole thing works rather nicely at the moment. Clients can authenticate via LDAPS, and the user’s home directories even get created on the first connection. In YaST’s LDAP client configuration, there’s a corresponding checkbox to create home directories automatically.
Now the home directory does get created indeed, but its permissions are 755 (drwxr-xr-x), which is definitely not sane. So here’s my first question (one dragon at a time):
Can I define sane default permissions like 700 (drwx------) for home directories in a central authentication scenario against 389 directory server?
It’ll depend on which machine is adding the new user.
Take a look at the “useradd” CLI command and, at least on the openSUSE machine, the ‘/etc/default/useradd’ configuration file.
You’ll have to set up the default “umask” value to ‘077’ to remove the “read, write, execute” permissions for “Group” and “Other”.
UMASK is set in /etc/login.defs, but it has the side effect of setting the umask in each user session, not just the home directory permissions. For this reason, upstream added the HOME_MODE variable to explicitly control new home directory permissions, although I understand it is probably not much help in the case of Leap 15.1.
Hmmmm – I see what you mean – in ‘/etc/default/useradd’: UMASK=077 – “useradd -m test-099” – newly created home directory with “drwxr-xr-x” permissions …
But, correctly created in the path defined by ‘/etc/default/useradd’: HOME=/home/*** …
I guess this proves that “Code is fact – documentation is fiction!!” …
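The useradd behaviour the thread circles around, as an added example that is not part of any post above: shadow-utils’ `useradd -m` takes the mode of a new home directory from `HOME_MODE` in `/etc/login.defs`, and when that is absent from `0777 & ~UMASK` with UMASK also read from `/etc/login.defs` (default 022, hence the `drwxr-xr-x` seen in the experiment). `/etc/default/useradd` uses a different `KEY=value` format and only supplies HOME, SHELL, SKEL, GROUP, INACTIVE, EXPIRE and CREATE_MAIL_SPOOL, so a `UMASK=077` line placed there is never read. The script below reduces that lookup to two small POSIX sh functions and runs them over constructed config excerpts; the function names and the sample file contents are mine, not from any openSUSE or CentOS package.

```shell
#!/bin/sh
# Added example, not from the thread: how shadow-utils' "useradd -m" picks
# the mode of a new home directory, reduced to functions you can run offline.
# useradd reads HOME_MODE and UMASK from /etc/login.defs only;
# /etc/default/useradd (KEY=value format) supplies HOME, SHELL, SKEL, GROUP,
# INACTIVE, EXPIRE and CREATE_MAIL_SPOOL, so a UMASK line there is ignored.

# Look up KEY in login.defs-style text ("KEY value", '#' comments ignored).
# $1 = file contents, $2 = key; prints the value or nothing.
getdef() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# Mode useradd applies to the new home directory, as a four-digit octal string.
# Mirrors useradd.c: HOME_MODE wins if set; otherwise 0777 & ~UMASK, with
# UMASK defaulting to 022 when absent. The prepended 0 forces octal parsing.
# $1 = login.defs contents.
home_mode() {
    hm=$(getdef "$1" HOME_MODE)
    if [ -n "$hm" ]; then
        printf '%04o\n' "$(( 0$hm ))"
        return 0
    fi
    um=$(getdef "$1" UMASK)
    [ -n "$um" ] || um=022
    printf '%04o\n' "$(( 0777 & ~0$um ))"
}

# Flag a UMASK= line in /etc/default/useradd contents: useradd never reads it,
# so its presence usually means someone expected it to control home modes.
# $1 = file contents; returns 0 if such a line exists, 1 otherwise.
has_ignored_umask() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*UMASK='
}

# Constructed config excerpts (hypothetical, not copied from a real system).
LOGIN_DEFS_STOCK='# stock-style defaults
UMASK           022'

LOGIN_DEFS_UMASK_077='# private homes, but every session also inherits 077
UMASK           077'

LOGIN_DEFS_HOME_MODE='# sessions keep 022; only new home directories become private
UMASK           022
HOME_MODE       0700'

DEFAULT_USERADD='GROUP=100
HOME=/home
SHELL=/bin/bash
UMASK=077'

printf 'login.defs UMASK 022              -> home mode %s\n' "$(home_mode "$LOGIN_DEFS_STOCK")"
printf 'login.defs UMASK 077              -> home mode %s\n' "$(home_mode "$LOGIN_DEFS_UMASK_077")"
printf 'login.defs HOME_MODE 0700, UMASK 022 -> home mode %s\n' "$(home_mode "$LOGIN_DEFS_HOME_MODE")"
if has_ignored_umask "$DEFAULT_USERADD"; then
    echo 'warning: UMASK= in /etc/default/useradd is not consulted by useradd'
fi
```

Two caveats for the original scenario. First, a home directory created at first LDAP login is made by the PAM session stack, not by `useradd`, so neither `UMASK` nor `HOME_MODE` in `/etc/login.defs` governs it; if the YaST checkbox wires in `pam_mkhomedir` (an assumption about the Leap setup, not stated in the thread), that module has its own `umask=` option, which defaults to 0022 and would need to be set to 0077 to get `drwx------`. Second, `HOME_MODE` only exists in shadow releases that carry it, so on an older Leap the `UMASK`-only path in `home_mode` above is the one that applies.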