Subject: Re: /root permissions
To: Wojciech Puchar <wojtek@tensor.3miasto.net>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 02/14/2003 14:18:40

On Fri, Feb 14, 2003 at 07:16:17PM +0100, Wojciech Puchar wrote:
> > > > If you're putting something secret in /root, you're probably doing
> > > > something wrong...
> > >
> > > could you please write more about it?
> >
> > It's very simple. On large, multi-user systems, "root" is typically a
> > shared account, with a shared password. On one-user workstations, it's
> 
> at least where I'm root, there's only one root. hopefully!
> 
> > not an issue, either. What do you have in your /root that's such a big
> > secret, and from whom?
> 
> admins from user.
> 
> again - what's in /root so important to average user that it has to be
> readable?

Changing the permissions on a home directory is 'easy', but it's a
limiting methodology choice.

First, are you really trying to hide files' contents, or their names
too?

If just the contents, set your umask to something like 077 and any file
you create will be (roughly) -rx------- by default. Add a line like
'umask 077' in your shell startup file so it's permanent.

If you want to hide the files too, it's often more flexible to create a
subdirectory like 'private' and chmod it 700 - or make more directories
if you have a lot of categories of data, and set permissions
appropriately. This has the advantage of letting you create 'public' or
'incoming' directories - which you can't do, once you chmod 700 your
home dir.

As for /root - As someone already said "you're probably doing something
wrong" - it's a bad habit to log in as root for non system-administration
tasks, so don't do it.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)
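
The umask and private-subdirectory layout described in the message above, as an added example that is not part of the original post. It uses a throwaway temporary directory as a stand-in for a home directory; the function names `mode_of` and `demo_layout` and all file names are hypothetical.

```shell
#!/bin/sh
# Added example: effect of 'umask 077' and of a 700 'private' subdirectory.
# Everything is created under a constructed temp dir standing in for $HOME.

# Print the octal permission bits of a path.
# GNU stat is tried first; BSD stat (e.g. NetBSD) is the fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

demo_layout() {
    # Subshell: the umask changes below do not leak into the caller.
    (
        home=$(mktemp -d) || exit 1
        chmod 755 "$home"               # home dir itself stays traversable

        umask 022                       # a common permissive default
        echo "old data" > "$home/old.txt"

        umask 077                       # the setting suggested in the post
        echo "secret" > "$home/notes.txt"   # new file: 666 & ~077
        mkdir "$home/scratch"               # new dir:  777 & ~077

        # Hide names as well as contents: a dedicated 700 directory.
        mkdir "$home/private"
        chmod 700 "$home/private"

        # Under umask 077 a shared directory must be opened explicitly.
        mkdir "$home/public"
        chmod 755 "$home/public"

        printf 'home=%s old=%s new=%s newdir=%s private=%s public=%s\n' \
            "$(mode_of "$home")" \
            "$(mode_of "$home/old.txt")" \
            "$(mode_of "$home/notes.txt")" \
            "$(mode_of "$home/scratch")" \
            "$(mode_of "$home/private")" \
            "$(mode_of "$home/public")"

        rm -rf "$home"
    )
}

demo_layout
```

The `old=` value shows that changing the umask does not touch files that already exist; those need an explicit `chmod`.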