Current umask is 0002; does it make sense to set it to 700?
Asking for security, so that other users can not read/see my files/folders.
I am concerned that by doing so I will have some unintended side-effects.
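Added example (not part of the original thread): a umask is subtractive, so the bits you set in it are the bits removed from every new file (requested as 0666) and directory (requested as 0777). The script below computes the resulting mode for a few umask values and then confirms the arithmetic by creating a real file and directory in a temporary directory. The function names, the temporary paths and the sample values are my own.

```shell
#!/bin/sh
# Added example: how a umask value turns into the mode of new files and
# directories. Not code from the original thread.

# Mode the kernel grants = requested mode AND NOT umask.
# $1 = requested mode, $2 = umask, both as octal digit strings (666, 002, ...).
mode_after_umask() {
    printf '%04o' $(( 0$1 & ~0$2 ))
}

# Portable-ish octal mode of a path (GNU stat first, BSD stat as fallback).
stat_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1")
    printf '%04o' $(( 0$m ))
}

# Create one file and one directory under umask $1 in a scratch directory
# and return their modes as "file:dir", e.g. "0664:0775" for umask 002.
created_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/f"            # new file: requested 0666
        mkdir "$tmp/d"          # new directory: requested 0777
        printf '%s:%s' "$(stat_mode "$tmp/f")" "$(stat_mode "$tmp/d")"
    )
    rm -rf "$tmp"
}

# Walk-through of the values discussed in the thread:
#   002 -> files 0664, dirs 0775 (group can write, others can read)
#   077 -> files 0600, dirs 0700 (owner only; this is the "private" umask)
#   700 -> files 0066, dirs 0077 (strips the OWNER's bits, not other users')
for u in 002 077 700; do
    printf 'umask %s: file %s  dir %s\n' "$u" \
        "$(mode_after_umask 666 "$u")" "$(mode_after_umask 777 "$u")"
done
printf 'on disk with umask 002: %s\n' "$(created_modes 002)"
printf 'on disk with umask 077: %s\n' "$(created_modes 077)"
```

The last line of the table is the side-effect to watch for: a umask of 700 removes read, write and execute from the owner, so files would be created readable by everyone except you. The value that yields owner-only files and directories is 077 (0077), which is the common choice when the goal is that other users cannot read your data.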
We set permissions upstream of your home directory (ie directly on /home) in a way that prevents other users from accessing your files. You should be able to verify this yourself by creating two shell users and attempting to use one to access the other's files.
sean
Just for my understanding/learning: is this working because /home group/user is root/root?
And additionally, does my /home/ME have ACL users apache and nginx on it so it can be executed?
Example: ME is a placeholder for the SSH user name.
[ME@opal4 ~]$ getfacl /home
getfacl: Removing leading '/' from absolute path names
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::--x
[ME@opal4 ~]$ getfacl /home/ME
getfacl: Removing leading '/' from absolute path names
# file: home/ME
# owner: ME
# group: ME
user::rwx
user:apache:--x
user:nginx:--x
group::---
mask::--x
other::---
[ME@opal4 ~]$ getfacl /home/ME/apps
getfacl: Removing leading '/' from absolute path names
# file: home/ME/apps
# owner: root
# group: root
user::rwx
user:apache:--x
user:nginx:--x
group::r-x
mask::r-x
other::r-x
sasa_buklijas: Just for my understanding/learning: is this working because /home group/user is root/root?
And additionally, does my /home/ME have ACL users apache and nginx on it so it can be executed?
That's not quite it. root does own /home, but the things that lock down your home directory are the permissions, not the ownership.

Directory permissions work like this:

r: allows listing the contents of a directory.
w: allows creating files and directories within a directory and modifying the attributes of those items.
x: allows traversal of a directory, ie the ability to navigate into and through it. This is notably different from x on files, where it controls whether or not a particular file can be executed like a program.

So, what's protecting your home directory is:

/home is --x for other. This means that users can traverse through /home but can't list its contents or create new directories there.
Your home directory is --- for other, so other users can't get in there at all.
apache and nginx have --x on your home directory (via the ACL) to allow them to traverse through and access your app directories.
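Added example, not part of the thread: the layout above can be reproduced in a scratch directory and probed to see what each directory bit permits. The script builds a parent directory with x only (like /home for other), a child with no bits at all (like the protected home), and a sibling path that stays traversable (standing in for what the ACL grant does for the web-server users). Because the script runs as the owner of what it creates, it puts the modes on the owner triplet; the kernel applies that triplet to the owner exactly as it would apply the other triplet to everyone else. The directory names, the function and the summary string format are my own.

```shell
#!/bin/sh
# Added example: which operations r, w and x on a directory allow.
# Not code from the original thread.

# Builds, under a temporary directory:
#   home          mode 0111  (--x : traverse only, like /home for "other")
#   home/ME       mode 0000  (--- : no access, like the protected home dir)
#   home/pub/apps/app.txt    (a readable file behind a traversable path)
# and returns a summary of what the tester can do with each.
probe_dir_bits() {
    # Root (and anything with CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH)
    # bypasses these mode bits entirely, so there is nothing to measure.
    if [ "$(id -u)" = 0 ]; then
        printf 'root:bypasses-DAC'
        return 0
    fi

    base=$(mktemp -d) || return 1
    mkdir -p "$base/home/ME/apps" "$base/home/pub/apps"
    echo 'constructed sample content' > "$base/home/pub/apps/app.txt"
    chmod 0111 "$base/home"       # --x : can pass through, cannot list
    chmod 0000 "$base/home/ME"    # --- : cannot enter at all

    r=''
    # r bit missing on home: listing must fail ...
    if ls "$base/home" >/dev/null 2>&1; then r="${r}list-home:yes"; else r="${r}list-home:no"; fi
    # ... but x is present, so a known full path underneath still resolves
    if cat "$base/home/pub/apps/app.txt" >/dev/null 2>&1; then r="$r,read-through-home:yes"; else r="$r,read-through-home:no"; fi
    # no bits on ME: nothing inside is reachable
    if ls "$base/home/ME" >/dev/null 2>&1; then r="$r,enter-ME:yes"; else r="$r,enter-ME:no"; fi

    # restore owner bits so the scratch tree can be removed
    chmod u+rwx "$base/home" "$base/home/ME"
    rm -rf "$base"
    printf '%s' "$r"
}

probe_dir_bits
echo
```

Run as an ordinary user the summary is `list-home:no,read-through-home:yes,enter-ME:no`, which is exactly the combination the /home layout relies on: a neighbour cannot enumerate /home, can reach only paths they already know and have been granted x on, and cannot get into a --- home directory at all. The root check at the top is the caveat that matters for threat modelling: mode bits and POSIX ACLs are discretionary controls and do not constrain root or a process holding the DAC-override capabilities.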