What should I do to secure, chmodly wise, my server?

Question

I want to let my friend access my server so he can host his website. Let's call him Joris.

# useradd joris

note that I'm Debian. So now a /home/joris has been created. This is cool and all. BUT. He can

cd /
cd /etc/
cd /var/www/

He can cd pratically everywhere, maybe not delete but he can see everything, which I don't want him to. Is that normal?

Answer 1

First, I would suggest you reading the Debian Administrator's Handbook by either using aptitude install debian-handbook or using a search engine to find a copy online. It covers many topics about security that will be of use to you, especially when sharing a server with multiple users.

As far as being able to access various directories, Debian is VERY relaxed for my tastes with it's default permissions setup. Check the default UMASK settings (/etc/login.defs) so that you can have a more secure setup when adding users.

I o-rx from things like /var/www and grant access to those using Access Control Lists (ACLs). If you are unfamiliar with ACLs I highly recommend you familiarize yourself with them as they are much more robust than the default permissions system.

As far as what all you should protect, that will depend on your setup. Most things in /etc will be self explanatory whether or not you can remove read access for users outside of the owner/group (like your web server configuration directory). You can also use permissions to limit access to specific binaries that users should never have access to, like mysql or gcc.

In the long run your setup will be unique to your specific needs. Reading the Debian Handbook will be immensely helpful in helping you secure your box not only from the outside, but from the inside as well.

Hope this helps point you in the right direction.