Make home directory private to other users

wilberto83cg · 08-22-2006, 09:30 AM

Hello:

I want to make other users home directory invisible, so when someone log on the machine they just see their home directory.

homey · 08-22-2006, 09:40 AM

I don't know about invisible but, I make it locked so nobody can see what's inside.
For example:

Code:

chmod 750 /home/fred  ## this makes the users folder forbidden to others.

lordtweety · 08-22-2006, 09:42 AM

Try this at a console:

Code:

$ su
(here enter you root password)
# chmod 700 /home/(user)

Not 100% sure if I remeber this correctly but that should make the directory only visible by the owner of that directory.

druuna · 08-22-2006, 09:43 AM

Hi,

@Homey: Shouldn't that be 700 instead of 750?

If fred's group is users and druuna's group is users I will be able to see/browse fred's homedir if it is 750. If it is 700 I won't be able to go/browse fred's homedir.

stress_junkie · 08-22-2006, 10:27 AM

Your users need execute permission on the /home directory to see through that and into their own login directory. Try this:

Code:

root> ls -ld /home
drwxr-xr-x  12 root root 1024 Aug 13 14:47 /home
root> chmod -c o=x /home
mode of `/home' changed to 0751 (rwxr-x--x)
root>

$ cd
$ pwd
/home/user01
$ ls ..
/bin/ls: ..: Permission denied
$ ls
Desktop  tmp
$

Notice that the /home directory is owned by root:root. This then requires that the 'other' group be able to see through the /home directory. All of the end user accounts fall into this category. So in my example the normal user account named 'user01' can see his own directory, as demonstrated by the second 'ls' command, but cannot see the contents of the /home directory, as demonstrated by the first ls command.

You could also take a slightly more elaborate course by having a group for each user account. Thus, the user account named user01 would have a corresponding group named user01. The user01 account belongs to the user01 group. All user accounts still belong to the users group. Then you can have the /home directory owned by root:users with the permission 710. This would give the users group permission to see into the /home directory but accounts like the nobody account could not see into the /home directory. This is more secure. This is the way that I set up my systems. You would execute the following commands to implement this scheme.

Code:

root> chgrp users /home
root> chmod -c g=x,o-rwx /home
mode of `/home' changed to 0710 (rwx--x---)
root> ls -ld /home
drwx--x---  12 root users 1024 Aug 13 14:47 /home
root>

Then you make your user home directories owned by the user account and its corresponding group account. Here is an example.

Code:

root> ls -l /home
drwx------  29 user01    user01    2048 Aug 21 15:16 user01
drwx------  38 user02    user02    3072 Aug 22 08:13 user02
drwx------  21 user03    user03    1024 Aug 18 07:18 user03
root>

Lastly, you could use access control lists (ACLs). Avoid this. ACLs are useful for making very fine tuned access control in complicated file access environments. Usually you can accomplish what you need to accomplish by using the normal Unix style file permissions and user groups.