Am I understanding this correctly? You set up multiple accounts which you use for services which all get started by root but get dropped to the service account level? If so, you got nothing to worry about because there is no way to normally achieve root after dropping permissions. BUT there was an exploit that allowed someone to get a root prompt, don't remember when it was fixed (Was back in the the 2.6 kernel days). Anyway, as long as you make sure the applications are working under the service account you designate to them, then the applications ONLY have access to whatever that account has access to. By default, all accounts can see inside everyones home folder(s). If you don't want that, then you will need to set the home folders to 750(640). You can do this by issuing this command.
Code:
chmod -R u=rwX,g=rX,o= $HOME
What it does is, set all files under your home directory to the following permissions:
Owner - Can write, read and execute
Group - Can read and execute
Others - Can't do anything
Note on the options if you want to modify it a bit:
- 1st argument
- u - User/Owner
- g - Group
- o - Others
- 2nd argument
- + - add the following bits
- - - remove the following bits
- = - set to the following bits
- 3rd argument
- r - Read
- w - Write
- x - Execute/view directory
- X - Check the current execute bit and set to on in folders and keep the old bit on files
Warning: Do not run that command on /home directly. Only run this command on the folders inside /home. Using the command directly on /home will result in that it will be impossible to gain access to /home without using root.
If you do mess it up. Plese run this
Code:
sudo chmod u=rwX,g=rX,o=rX /home
You may also run it if you wish to revert back to letting others see what is in your home folder. Just substitute /home to $HOME or just type out where it is, eg: /home/user, also append -R so it will do it recursively.
Bookmarks