On 15 Mar 2019, at 06:43, Abhisheyk Deb <abhisheykdeb(a)gmail.com> wrote:
For example I have 3 users like userA, userB, and userC in 389 Directory server with home
directories set to /home/userA, /home/userB and /home/userC for them.
On the LDAP client side I have authconfig --enablemkhomedir set to true.
Right now when a new home directory gets created (when the user logs in for the first time)
it has the following permissions set: user rwx, group --- and others ---.
Is it possible to have home directories with different permissions, like userB's home
directory getting created with permissions user rwx, group r-x and others r-x on the LDAP
client when it first logs in?
Can these attributes be set in 389 Directory Server or do I need to have a custom mkhomedir
that needs to do this stuff in the system-auth file?
This isn’t possible from LDAP I don’t think. This is likely an oddjobmkhome or
pam_mkhomedir configuration issue. Something like ansible will help you deploy the
configuration to all your systems.
Saying this, it’s a great time to say that unix group permissions basically are equivalent
to “user”, so every user *must* have a user-private-group, i.e. william:william, else you
leave yourself open to some wild lateral movement attacks on unix.
It’s also very risky to allow r-x on others for home directories, so I would strongly
advise against this action.
My advice is to make sure everyone has a user-private-group, and have default permissions of
u:rwx, g:r-x, o:---
Hope that helps,
Thank you
Abhishek Deb
--
Sincerely,
William Brown
Software Engineer, 389 Directory Server
SUSE Labs
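An added example, not part of either message in this thread: a Python audit that checks existing home directories against the policy recommended in the reply (mode u:rwx, g:r-x, o:--- with a user-private group) and derives the matching umask, which is the value pam_mkhomedir's `umask=` option expects. The function names are made up for this sketch, and it assumes the accounts resolve through NSS on the client.

```python
import grp
import os
import pwd
import stat

RECOMMENDED_MODE = 0o750  # u:rwx, g:r-x, o:--- from the reply above


def mkhomedir_umask(mode=RECOMMENDED_MODE):
    """umask that makes a newly created directory come out as `mode`."""
    return 0o777 & ~mode


def check_policy(user, mode, group, other_members):
    """Findings for one home directory, given already-collected facts.

    other_members: accounts besides `user` that belong to `group`.
    """
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("others have access")
    if mode & stat.S_IWGRP:
        findings.append("group can write")
    if group != user or other_members:
        findings.append("group is not a user-private group")
    return findings


def audit_user(name):
    """Collect the facts for one account from NSS and the filesystem."""
    pw = pwd.getpwnam(name)
    st = os.stat(pw.pw_dir)
    gr = grp.getgrgid(st.st_gid)
    # Supplementary members come from the group entry; primary membership
    # needs a passwd scan, which only sees LDAP users if the client
    # enumerates them (assumption: it does, or the accounts are local).
    members = set(gr.gr_mem)
    members |= {p.pw_name for p in pwd.getpwall() if p.pw_gid == st.st_gid}
    members.discard(name)
    return check_policy(name, stat.S_IMODE(st.st_mode), gr.gr_name, sorted(members))


if __name__ == "__main__":
    print("umask for mkhomedir: %04o" % mkhomedir_umask())
    for account in ("userA", "userB", "userC"):  # names from the question
        try:
            print(account, audit_user(account) or "ok")
        except (KeyError, FileNotFoundError):
            print(account, "not resolvable or no home directory yet")
```
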