6 Normally open (NO) versus normally closed (NC)

These terms normally apply to relays, but they are also applicable to directories. NO and NC refer to the general strategy a system takes toward protecting its content.

NO means that everything is usually accessible (even if it is read-only). NC means that everything is usually inaccessible.

Unfortunately, the default Debian Linux setting is NO for many files. The most important system files, on the other hand, do have proper protection from prying eyes.

The NO nature applies mostly to user files in /home. The directory of each end user, such as /home/u, has a default ownership of u:u, which means both the user owner and group owner are u. This is appropriate. However, the permissions are set to rwxr-xr-x. The last part that applies to “others” is r-x, which means all users can access the files and directories directly in the home directory of u.

To change user home folders from NO to NC, disable the read and access permissions to “other” users. This seems easy enough!

When a new user is created, the default directory permissions are set based on the settings in /etc/adduser.conf. Particularly, look for the line that reads as follows:

DIR_MODE=0755

This is equivalent to the permission rwxr-xr-x. To implement the NC approach by default, as the root user, change the number from 0755 to 0750 (which corresponds to rwxr-x---: the owner keeps everything, the group keeps read and execute, and others get nothing). The zero prefix is significant; don’t leave it out!

To retroactively protect all home directories that already exist, you can use the following command (as the root user):

chmod o-rwx /home/*

However, this approach is not without its problems. For example, on a web server, the web server program runs as the user www-data, and it needs to access a folder called public_html in the home folder of each user. As a result, removing the read and execute (access) permissions of “others” will make the web content inaccessible to the web server.

A solution, though not a very simple one, is to add the user www-data to the group of each user who has web content to publish. This is workable, but it needs some automation or it becomes a chore for the system administrator.
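The steps above put together, as an added shell example that is not part of the original text: it takes the base directory as a parameter so it can be rehearsed on a scratch copy before being pointed at /home, it assumes Debian’s per-user private group (a group named after the user), and it only prints the usermod commands unless APPLY_GROUPS=yes is set.

```shell
#!/bin/sh
# Added example, not from the original text. Switches existing home
# directories from NO to NC and grants www-data access only where a user
# actually publishes web content. BASE is a parameter so the functions can be
# tried on a scratch directory first; APPLY_GROUPS=yes really runs usermod.

# Return 0 when the adduser default already yields NC (DIR_MODE=0750), else 1.
dir_mode_is_nc() {
    grep -q '^DIR_MODE=0750' "${1:-/etc/adduser.conf}"
}

# Strip all "other" permissions from every directory directly under BASE
# (the retroactive equivalent of: chmod o-rwx /home/*).
harden_homes() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        chmod o-rwx "$d"
    done
}

# Print the names of users (directory basenames) that have a public_html
# directory; these are the users whose group www-data must join.
users_with_web_content() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d/public_html" ] && basename "$d"
    done
}

# Add www-data as a supplementary member of each such user's private group.
# Assumption: the group has the same name as the user (Debian adduser default).
grant_www_data() {
    base=$1
    for u in $(users_with_web_content "$base"); do
        if [ "${APPLY_GROUPS:-no}" = yes ]; then
            usermod -aG "$u" www-data
        else
            echo "would run: usermod -aG $u www-data"
        fi
    done
}

# Report the permission string of one directory, e.g. drwxr-x--- after hardening.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}
```

Run it against a copy first: after harden_homes the group still keeps r-x, so a www-data that has joined the user’s group reaches public_html while every other account is shut out.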