authorPeter Bex <peter@more-magic.net>2016-04-15 20:53:17 +0200
committerPeter Bex <peter@more-magic.net>2016-04-15 20:53:17 +0200
commita8b72e64c88182f0ed6e68b778a91b52c3298b4b (patch)
tree14e9e7488c6fddf0ab4a0b66110d6c2eebf8ce1d
parent4771c015187292a1cea5932faa195ac22cb1a6be (diff)
Lock down user's home dirsHEADmaster
Set permissions of homedirs for newly created users to 700, so nobody else has access to them by default.
-rw-r--r--vps-builder.scm1
1 files changed, 1 insertions, 0 deletions
diff --git a/vps-builder.scm b/vps-builder.scm
index da27135..cd6d8e4 100644
--- a/vps-builder.scm
+++ b/vps-builder.scm
@@ -273,6 +273,7 @@
;; password would be *locked*, which means "passwd" will prompt
;; for a password, but there's none, so it can't be changed.
(run* (chroot ,root-dir useradd -p "" -m -G ,cs-groups ,user))
+ (change-file-mode ~ #o700) ; Lock down homedir
(install-directory root-dir ~/.ssh user user #o700)
(install-file root-dir pubkey
(make-pathname ~/.ssh "authorized_keys")
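Review bot: The added `(change-file-mode ~ #o700)` takes `~` on its own, whereas `useradd` runs under `chroot ,root-dir` and the neighbouring `install-directory` and `install-file` calls are given `root-dir` as a separate argument. The binding of `~` is outside the hunk; if it holds the in-chroot path, the chmod would act on the build host's filesystem (or fail) and the home directory in the image would keep useradd's default mode. In that case, running it the same way as the user creation, `(run* (chroot ,root-dir chmod 700 ,~))`, keeps the target inside the image. The change also covers only accounts made by this builder, so setting `UMASK` in the image's `/etc/login.defs` would be needed for users created later on the VPS to get the same default. The enclosing form starts and ends outside the hunk.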