LinuxQuestions.org
Debian This forum is for the discussion of Debian Linux.

Old 08-18-2005, 12:30 AM   #1
czon
Member
 
Registered: Aug 2005
Posts: 39

Rep: Reputation: 15
lock other users out of your /home


Is there a way to lock all of /home from other users, so one user can't see what another user has in his /home? Or do I have to "chmod" all folders and files one by one?
 
Old 08-18-2005, 03:14 AM   #2
spooon
Senior Member
 
Registered: Aug 2005
Posts: 1,755

Rep: Reputation: 48
Well, if other users are denied read, write, and execute permission on a directory, then they won't be able to access anything inside that directory anyhow, regardless of the permissions of the files themselves.

You can always recursively chmod all files in a directory using "chmod -R" rather than "one by one".
 
Old 08-18-2005, 03:27 AM   #3
d00bid00b
Member
 
Registered: Aug 2005
Location: London, UK
Distribution: Debian Testing
Posts: 157

Rep: Reputation: 30
Yes - this works on my machines, so no good reason to think it won't work on yours.

Try this (you don't need to be root):
Code:
chmod go-rwx /home/<your_user_name> -R
Then test it. If it doesn't work as an ordinary user, then do it again as root.

Last edited by d00bid00b; 08-18-2005 at 06:52 AM.
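As an added example (not code posted in this thread): a throw-away tree under /tmp showing what each recursive chmod variant discussed here does to directories, plain files and scripts. The sample tree and its starting modes are constructed. The `go-rwx` form from the post above only removes bits; an absolute `chmod -R 700`, which comes up later in the thread, also sets the execute bit on every plain file, and `u=rwX,go=` avoids that.

```shell
#!/bin/bash
# Added example, not from the thread: what "chmod -R" does to a home
# directory tree, and why "go-rwx" is a better recursive choice than "700".
# Works on a throw-away tree under /tmp, so it can be run as any user.

# Build a small stand-in for a home directory (constructed sample data):
# a world-readable subdirectory, a plain file and a script.
make_sample_home() {
    local home
    home=$(mktemp -d)
    mkdir -m 755 "$home/docs"
    touch "$home/docs/notes.txt"
    chmod 644 "$home/docs/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$home/backup.sh"
    chmod 755 "$home/backup.sh"
    echo "$home"
}

# Print "<dir> <file> <script>" modes so the effect of each chmod can be compared.
modes_of() {
    stat -c %a "$1/docs" "$1/docs/notes.txt" "$1/backup.sh" | tr '\n' ' ' | sed 's/ $//'
}

# The thread's recommendation: strip group/other bits, change nothing else.
lock_home_subtractive() {
    chmod -R go-rwx "$1"
    modes_of "$1"
}

# Absolute variant: every plain file becomes executable as a side effect
# (notes.txt ends up 700), which nobody asked for.
lock_home_absolute() {
    chmod -R 700 "$1"
    modes_of "$1"
}

# Safer absolute variant: capital X sets execute only on directories and on
# files that already had an execute bit, so notes.txt stays 600.
lock_home_X() {
    chmod -R u=rwX,go= "$1"
    modes_of "$1"
}
```

Run it as any user; no second account is needed to read the resulting modes. GNU chmod accepts `-R` after the path as in the post above only because GNU getopt permutes arguments; with POSIXLY_CORRECT set, or on other Unixes, put `-R` before the path. To do this for every existing account at once, root can run the same `chmod go-rwx` over `/home/*`; on Debian, `DIR_MODE` in /etc/adduser.conf decides what mode adduser gives new home directories.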
 
Old 08-18-2005, 10:26 AM   #4
czon
Member
 
Registered: Aug 2005
Posts: 39

Original Poster
Rep: Reputation: 15
Code:
chmod go-rwx /home/<your_user_name> -R
It works, thanks a lot.

One more thing though: do I have to run this command every time I get new files in my /home, or do new files get the right chmod now?
 
Old 08-18-2005, 10:35 AM   #5
saman007uk
Member
 
Registered: Dec 2003
Location: ~root
Distribution: Debian
Posts: 363

Rep: Reputation: 32
If you put the following command in your .bashrc or .bash_profile, then no:
Code:
umask 077
 
Old 08-18-2005, 10:40 AM   #6
czon
Member
 
Registered: Aug 2005
Posts: 39

Original Poster
Rep: Reputation: 15
OK, but please tell me more about the command so I can learn.
 
Old 08-18-2005, 01:50 PM   #7
shubb
Member
 
Registered: Oct 2003
Location: San Francisco
Distribution: Slackware 13.37
Posts: 150

Rep: Reputation: 16
What "umask 077" does is set things so that all new files and directories created by you automatically have the 700 access permissions. The 700 mask means that your user has read/write/execute (7) for the file, and the group and other users have no access (0).

If you type "ls -al" on a directory, all the files will have some letters on the left side that correspond to the access permissions for the file. The first letter is for special files, like directories. The three sets of 'rwx' correspond to read/write/execute for the user, group, and other users. If you convert the 7 (from the 700 above) into binary, the value is 111. This means that the values for read/write/execute for that user are all true.

For the example below, the file is a directory (d), the user has permissions of 7 (rwx), the group has permissions of 5 (r-x) and the other users have permissions of 4 (r--).

Code:
drwxr-xr-- 7 root root 4096 2005-07-22 16:39 ..

Is this clear?

Last edited by shubb; 08-18-2005 at 01:52 PM.
 
Old 08-18-2005, 02:33 PM   #8
czon
Member
 
Registered: Aug 2005
Posts: 39

Original Poster
Rep: Reputation: 15
This is clear, thanks.
Only one thing though (there's always another question, lol):

If you want access mask "700" or whatever it's called, why type umask 077?
Why not "umask 700"? Or does the "u" stand for unmask, so it removes permissions?

Wow, I think I'm right here ^^ My brain works, yay!

Last edited by czon; 08-18-2005 at 02:36 PM.
 
Old 08-18-2005, 02:59 PM   #9
tireseas
Member
 
Registered: Jun 2003
Location: London, UK
Distribution: Slackware 10 & 10.1
Posts: 149

Rep: Reputation: 15
Welcome to the world of UNIX/Linux!!

umask doesn't mean unmask - although you'd think it should. I don't know where the 'u' of umask comes from but no doubt a grizzly-haired UNIX-wizard will enlighten us all one day.

As for the umask command - it sets the default permissions for newly created files, just as shubb stated. On my Slackware 10.0 box, in /etc/profile the default is set to 022 in order to prevent files being group and world writable. This is quite nice actually from a security perspective because it helps make it harder for any intruder to write log files in ways that obscure their tracks. Mind you, if they are inside your box, they probably won't be put off by that!! I have found that using something like
Code:
chattr +i
and
Code:
chattr +a
very useful to protect key files. The first one protects a file from being altered in any way and the second allows for files to be appended to only, unless given express permissions to do so by root.
 
Old 08-18-2005, 04:21 PM   #10
saman007uk
Member
 
Registered: Dec 2003
Location: ~root
Distribution: Debian
Posts: 363

Rep: Reputation: 32
That should be good enough for a home system. However, for further customization of file permissions look at Access Control Lists (ACL), which implement file permissions similar to, and even more flexible than, those of Windows.

POSIX Access Control Lists on Linux
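As an added example of the ACL case (not code from this thread or from the linked article): the home directory stays closed with the thread's chmod 700, and one specific account is let in with a POSIX ACL, which plain user/group/other bits cannot express. The collaborator UID (60123) is a made-up placeholder; the commands need the acl package (setfacl/getfacl) and a filesystem with ACL support, which ext4 and tmpfs have on by default.

```shell
#!/bin/bash
# Added example, not from the thread: keep a home directory closed to
# everyone (chmod 700, as above) but let exactly one other account in with a
# POSIX ACL. Needs setfacl/getfacl (Debian package "acl") and an
# ACL-capable filesystem.

# Hypothetical collaborator. setfacl accepts a numeric UID even when no such
# user exists in /etc/passwd, which keeps this runnable on any machine.
FRIEND_UID=${FRIEND_UID:-60123}

share_home_with_one_user() {
    local home=$1
    # 1. shut the door for group and others, exactly like the thread's chmod
    chmod 700 "$home" || return 1
    # 2. let FRIEND_UID list (r) and enter (x) the directory
    setfacl -m "u:${FRIEND_UID}:rx" "$home" || return 1
    # 3. default ACL: files created inside later inherit read for FRIEND_UID,
    #    so this does not have to be repeated for every new file
    setfacl -d -m "u:${FRIEND_UID}:r" "$home" || return 1
}

# Print the permission bits (e.g. "r-x") of the ACL entry for FRIEND_UID on a
# path, or nothing if there is no such entry.
acl_entry_for_friend() {
    # -n prints numeric IDs so the match does not depend on name resolution;
    # the sed keeps only the rwx field and drops any "#effective:" suffix
    getfacl -n "$1" 2>/dev/null | sed -n "s/^user:${FRIEND_UID}:\([rwx-]*\).*/\1/p" | head -n 1
}
```

After this, `ls -ld` on the directory shows a `+` after the mode, and the group column shows the ACL mask (r-x here) rather than the real group entry. A later `chmod 700` on that directory rewrites the mask to `---` and silently shuts the friend out again, so re-check with `getfacl` after any chmod on an ACL-bearing path.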
 
Old 08-18-2005, 04:26 PM   #11
czon
Member
 
Registered: Aug 2005
Posts: 39

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by tireseas
umask doesn't mean unmask - although you'd think it should.
OK then... my brain still doesn't work. Just another brain fart.

Quote:
default is set to 022 in order to prevent files being group and world writable. This is quite nice actually from a security perspective because it helps make it harder for any intruder to write log files in ways that obscure their tracks
This sounds good. If I want it this way, what do I have to do?
Remember, I still want my /home/* totally locked down.

Quote:
I have found that using something like

code:

chattr +i

and

code:

chattr +a

very useful to protect key files. The first one protects a file from being altered in any way and the second allows for files to be appended to only, unless given express permissions to do so by root.
This works in Debian too? Just type chattr in the console?

Quote:
If you put the following command in your .bashrc or .bash_profile, then no:
Which one is it? First or second? And where are those two files?


And yes, I'm a newbie... don't ask.

Last edited by czon; 08-18-2005 at 04:46 PM.
 
Old 08-18-2005, 05:49 PM   #12
saman007uk
Member
 
Registered: Dec 2003
Location: ~root
Distribution: Debian
Posts: 363

Rep: Reputation: 32
Quote:
this works in debian too? just type chattr in consol?
Yes. Although I can't imagine you using chattr in your home directory on a home PC. chattr is normally used on log files or some binaries on servers (e.g. the .bash_history log file).
Quote:
witch one is it? first or second? ;) and where are those 2 files?
Either of these would work; the files are under your home directory. You can also change these settings in /etc/login.defs (as root, of course) so that other users have the same settings.
 
Old 08-18-2005, 07:48 PM   #13
shubb
Member
 
Registered: Oct 2003
Location: San Francisco
Distribution: Slackware 13.37
Posts: 150

Rep: Reputation: 16
czon, to answer your question of why you use 077 instead of 700: it is because the umask is the opposite binary value of what you want the files to be. Don't ask me why, but that's how it is.

Say for example, you want all files to have 754 access properties (rwx for owner, r-x for group, r-- for everyone else).

You figure out the binary values for each number:
7 = 111
5 = 101
4 = 100

Then you flip the ones and zeros, and that is the value you use for your umask command.

000 = 0
010 = 2
011 = 3

So the command to put in the profile is 'umask 023'

If you want NO other user to be able to see ANYTHING in your home directory, then use the "umask 077" in your profile, and run the command "chmod -R 700 ~/" to change the permissions for all the files and directories in your home.
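An added worked example (not from any post in this thread) for the umask arithmetic in this post and in shubb's earlier explanation: the kernel clears the umask bits from the mode the creating program asks for. mkdir asks for 0777, but touch, editors and shell redirection ask for 0666, so the 754 computed above is reached only by directories; plain files under umask 023 come out as 644. The script checks the arithmetic against files actually created under a given umask.

```shell
#!/bin/bash
# Added example, not from the thread: how a umask turns into the mode of a
# new file or directory. The kernel clears the umask bits from the mode the
# creating program requests: 0777 for mkdir, 0666 for touch/editors/redirection.
# A umask can therefore never grant execute bits to a plain file.

# Compute the resulting mode (3 octal digits) from a requested mode and a umask.
mode_after_umask() {
    local requested=$1 mask=$2
    # a leading 0 makes the shell read both as octal; ~mask clears the masked bits
    printf '%03o\n' $(( 0$requested & ~0$mask & 0777 ))
}

# Create a file and a directory under the given umask (in a subshell, so the
# caller's umask is untouched) and print their real modes as "<file> <dir>".
probe_umask() {
    local u=$1 dir file_mode dir_mode
    dir=$(mktemp -d)
    (
        umask "$u"
        touch "$dir/file"
        mkdir "$dir/sub"
    )
    file_mode=$(stat -c %a "$dir/file")
    dir_mode=$(stat -c %a "$dir/sub")
    rm -rf "$dir"
    echo "$file_mode $dir_mode"
}
```

On the two files mentioned in the thread: ~/.bash_profile is read by login shells and ~/.bashrc by interactive shells, and Debian's default ~/.profile sources ~/.bashrc when the shell is bash, so `umask 077` in either one takes effect for your shells and for whatever you start from them. It does not reach processes started outside those shells; the system-wide setting for login sessions is `UMASK` in /etc/login.defs, as saman007uk says.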
 
Old 08-18-2005, 08:19 PM   #14
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
To the OP:

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php


This thread has been reported for closure.
 
Old 08-18-2005, 09:55 PM   #15
czon
Member
 
Registered: Aug 2005
Posts: 39

Original Poster
Rep: Reputation: 15
Thanks a lot saman007uk and shubb, I think I got it now.


Quote:
Originally posted by Tinkster
To the OP:

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php


This thread has been reported for closure.
Tinkster, if you bother to read both threads you will find out that I was first posting in the Newbie forum, BUT I got "help" from a guy that gave me a wrong command, and I got locked out of my Linux account and had to boot up windoze to keep contact with the forum and my online HOWTOs.
Therefore I posted the same question again, but this time in Debian, just to get help from others with the same OS as me. If you really have to close one, close the thread in the Newbie forum, and I hope you can understand why I broke the forum rules this time.

thanks czon
 
  

