Locking down users' home directories the Red Hat or CentOS way

This is another area where different Linux distro families do business differently from each other. As we shall see, each distro family comes with different default security settings. A security administrator who oversees a mixed environment of different Linux distros will need to take this into account.

One beautiful thing about Red Hat Enterprise Linux and all of its offspring, such as CentOS, is that they have better out-of-the-box security than any other Linux distro. This makes it quicker and easier to harden Red Hat-type systems because much of the work has already been done. One thing that's already been done for us is locking down users' home directories:

[donnie@localhost home]$ sudo useradd charlie
[sudo] password for donnie:
[donnie@localhost home]$

[donnie@localhost home]$ ls -l
total 0
drwx------. 2 charlie charlie 59 Oct 1 15:25 charlie
drwx------. 2 donnie donnie 79 Sep 27 00:24 donnie
drwx------. 2 frank frank 59 Oct 1 15:25 frank
[donnie@localhost home]$

By default, the useradd utility on Red Hat-type systems creates user home directories with a permissions setting of 700. This means that only the user who owns the home directory can access it. All other normal users are locked out. We can see why by looking at the /etc/login.defs file. Scroll down towards the bottom of the file, and you'll see:

CREATE_HOME     yes
UMASK           077

The login.defs file is one of two files where default settings for useradd are configured. This UMASK line is what determines the permissions values on home directories as they get created. Red Hat-type distros have it configured with the 077 value, which removes all permissions from the group and others. This UMASK line is in the login.defs file for all Linux distros, but Red Hat-type distros are the only ones that have UMASK set to such a restrictive value by default. Non-Red Hat distros usually have a UMASK value of 022, which creates home directories with a permissions value of 755. This allows everybody to enter everybody else's home directories and access each other's files.
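For a mixed environment, the check described above can be scripted. The following is an added example, not part of the original text: it reads the UMASK line from a login.defs-style file, works out the home directory mode that value produces, and lists home directories that grant anything to group or others. The function names are hypothetical, and the sample file and directories are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit home directory permissions against the login.defs UMASK.

# Print the value of the first uncommented UMASK line in a login.defs-style file.
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }' "$1"
}

# Print the directory mode a umask yields: 777 with the umask bits cleared.
home_mode_for_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# List "mode name" for each directory under $1 that grants any group/other bits.
open_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$(basename "$d")"
        fi
    done
}

# Constructed sample: a login.defs fragment and three home directories,
# one of which (frank) has been left at the 755 mode a 022 umask would give.
make_sample() {
    root=$(mktemp -d)
    printf '# constructed sample\nCREATE_HOME     yes\nUMASK           077\n' \
        > "$root/login.defs"
    mkdir -p "$root/home/charlie" "$root/home/donnie" "$root/home/frank"
    chmod 700 "$root/home/charlie" "$root/home/donnie"
    chmod 755 "$root/home/frank"
    echo "$root"
}

# On a real host, point these at /etc/login.defs and /home instead.
sample=$(make_sample)
u=$(login_defs_umask "$sample/login.defs")
echo "UMASK $u -> new home directories get mode $(home_mode_for_umask "$u")"
echo "Home directories open to group or others:"
open_homes "$sample/home"
rm -rf "$sample"
```

Newer shadow-utils releases also accept a HOME_MODE setting in login.defs; where it is present, it sets the mode of new home directories instead of UMASK.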