LinuxQuestions.org

Debian forum thread: lock other users from your /home (https://www.linuxquestions.org/questions/debian-26/lock-other-users-from-you-home-354426/)

czon 08-17-2005 11:30 PM

lock other users from your /home
 
Is there a way to lock all of /home/ from other users, so one user can't see what another user has in his /home? Or do I have to "chmod" all folders and files one by one?

spooon 08-18-2005 02:14 AM

Well, if other users are denied read, write and execute permission on a directory, then they won't be able to access anything inside that directory anyhow, regardless of the permissions on those files.

You can always recursively chmod all files in a directory using "chmod -R" rather than "one by one".

d00bid00b 08-18-2005 02:27 AM

Yes - this works on my machines, so no good reason to think it won't work on yours.

Try this (you don't need to be root):
Code:

chmod go-rwx /home/<your_user_name> -R
Then test it. If it doesn't work as an ordinary user, then do it again as root.
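
The lockdown above, as an added example that is not part of the original post: a small POSIX sh script that builds a throwaway "home directory" with mktemp (constructed sample data, not a real account), lists which entries still grant any group/other bit, runs d00bid00b's `chmod -R go-rwx` and lists again. The check looks at the directory itself first, because a 700 home directory makes everything below it unreachable for other users whatever the inner permissions are (spooon's point). `perm_of` assumes GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example: lock a home directory down to its owner and verify the result.
# POSIX sh plus chmod -R and stat; the sample tree is constructed with mktemp.

# Print the octal permission bits of a path (GNU stat, falling back to BSD stat).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# List DIR itself and every entry directly under it (dotfiles included) that
# still grants any read/write/execute bit to group or other, one path per line.
exposed_entries() {
  dir=$1
  for p in "$dir" "$dir"/* "$dir"/.[!.]*; do
    [ -e "$p" ] || continue                  # skip unmatched globs
    m=$(perm_of "$p")
    case "${m#${m%??}}" in                   # last two octal digits = group, other
      00) ;;                                 # nothing for group/other: fine
      *)  printf '%s\n' "$p" ;;
    esac
  done
}

# Remove all group and other permissions on DIR and everything below it
# (d00bid00b's command, with -R before the operand, which is the portable order).
lockdown_home() {
  chmod -R go-rwx "$1"
}

# Build a throwaway tree with the permissions a fresh home directory often has.
make_sample_home() {
  dir=$(mktemp -d) || return 1
  mkdir "$dir/public_html" "$dir/.ssh"
  : > "$dir/notes.txt"
  chmod 755 "$dir" "$dir/public_html"
  chmod 644 "$dir/notes.txt"
  chmod 700 "$dir/.ssh"
  printf '%s\n' "$dir"
}

# Count exposed entries before and after the lockdown and print "BEFORE AFTER".
demo() {
  home=$(make_sample_home) || return 1
  before=$(exposed_entries "$home" | wc -l)
  lockdown_home "$home"
  after=$(exposed_entries "$home" | wc -l)
  rm -rf "$home"
  printf '%s %s\n' "$((before))" "$((after))"
}

demo    # prints "3 0": the directory, public_html and notes.txt were exposed
```

On a real account run `exposed_entries "$HOME"` first to see what is open, then `lockdown_home "$HOME"` and check that the listing comes back empty. Note that `public_html` style directories served to other users by a web server stop working once they are 700; that is the intended effect here, but it is worth knowing before you run it.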

czon 08-18-2005 09:26 AM

Code:

chmod go-rwx /home/<your_user_name> -R
it works ;) thanks a lot

one more thing though: do I have to run this command every time I get new files in my /home/, or do new files get the right chmod now?

saman007uk 08-18-2005 09:35 AM

If you put the following command in your .bashrc or .bash_profile, then no:
Code:

umask 077

czon 08-18-2005 09:40 AM

ok, but please tell me more about the command so I can learn

shubb 08-18-2005 12:50 PM

What the "umask 077" does is to set it so that all new files and directories created by you automatically have the 700 access permissions. The 700 mask means that your user has read/write/execute (7) for the file, and the group and other users have no access (0). If you type "ls -al" on a directory, all the files will have some letters on the left side that correspond to the access permissions for the file. The first letter is for special files, like directories. The three sets of 'rwx' correspond to read/write/execute for the user, group, and other users. If you convert the 7 (from the 700 above) into binary, the value is 111. This means that the values for read/write/execute for that user are all true. For the example below, the file is a directory (d), the user has permissions of 7 (rwx), the group has permissions of 5 (r-x) and the other users have permissions of 4 (r--).

drwxr-xr-- 7 root root 4096 2005-07-22 16:39 ..

Is this clear?

czon 08-18-2005 01:33 PM

this is clear ;) thanks
only one thing though (there's always another question lol)

if you want access mask "700" or whatever it's called, why type umask 077?
Why not "umask 700"? Or does "u" stand for unmask, so it removes permissions?

wow, I think I'm right here ^^ my brain works, yay

tireseas 08-18-2005 01:59 PM

Welcome to the world of UNIX/Linux!! :D

umask doesn't mean unmask - although you'd think it should. I don't know where the 'u' of umask comes from but no doubt a grizzly-haired UNIX-wizard will enlighten us all one day.

As for the umask command - it sets the default permissions for newly created files, just as shubb stated. On my Slackware 10.0 box, in /etc/profile the default is set to 022 in order to prevent files being group and world writable. This is quite nice actually from a security perspective because it helps make it harder for any intruder to write log files in ways that obscure their tracks. Mind you, if they are inside your box, they probably won't be put off by that!! I have found that using something like
Code:

chattr +i
and
Code:

chattr +a
very useful to protect key files. The first one protects a file from being altered in any way and the second allows for files to be appended to only, unless given express permissions to do so by root.

saman007uk 08-18-2005 03:21 PM

That should be good enough for a home system. However, for further customization of file permissions look at Access Control Lists (ACL), which implement file permissions similar to, and even more flexible than, those of Windows.

POSIX Access Control Lists on Linux

czon 08-18-2005 03:26 PM

Quote:

Originally posted by tireseas
umask doesn't mean unmask - although you'd think it should.
ok then.. my brain still doesn't work.. just another brainfart :(

Quote:

default is set to 022 in order to prevent files being group and world writable. This is quite nice actually from a security perspective because it helps make it harder for any intruder to write log files in ways that obscure their tracks
this sounds good.. if I want it this way, what do I have to do?
remember I still want my /home/* totally locked down

Quote:

I have found that using something like

Code:

chattr +i

and

Code:

chattr +a

very useful to protect key files. The first one protects a file from being altered in any way and the second allows for files to be appended to only, unless given express permissions to do so by root.
does this work in Debian too? just type chattr in the console?

Quote:

If you put the following command in your .bashrc or .bash_profile, then no:
which one is it? the first or the second? ;) and where are those 2 files?


and yes I'm a newbie... don't ask :D

saman007uk 08-18-2005 04:49 PM

Quote:

does this work in Debian too? just type chattr in the console?
Yes. Although I can't imagine you using chattr in your home directory on a home PC. chattr is normally used on log files or some binaries on servers (e.g. the .bash_history log file).
Quote:

which one is it? the first or the second? ;) and where are those 2 files?
Either of these would work; the files are under your home directory. You can also change these settings in /etc/login.defs (as root, of course) so that other users have the same settings.

shubb 08-18-2005 06:48 PM

czon, to answer your question of why you use 077 instead of 700: it is because the umask is the opposite binary value of what you want the files to be. Don't ask me why, but that's how it is.

Say for example, you want all files to have 754 access properties (rwx for owner, r-x for group, r-- for everyone else).

You figure out the binary values for each number:
7 = 111
5 = 101
4 = 100

Then you flip the ones and zeros, and that is the value you use for your umask command.

000 = 0
010 = 2
011 = 3

So the command to put in the profile is 'umask 023'

If you want NO other user to be able to see ANYTHING in your home directory, then use the "umask 077" in your profile, and run the command "chmod -R 700 ~/" to change the permissions for all the files and directories in your home.
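
The umask arithmetic from shubb's two posts, as an added example that is not part of the original thread. A newly created plain file gets mode 0666 & ~umask and a newly created directory gets 0777 & ~umask, so "umask 077" yields 600 files and 700 directories, and "umask 023" yields 644 files and 754 directories. The script below computes the predicted modes, computes the umask for a wanted directory mode (shubb's "flip the bits"), and then creates a file and a directory under each umask in a mktemp directory (constructed sample data) to confirm what the kernel actually produces. It is POSIX sh; `perm_of` assumes GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example: umask arithmetic plus a live check of the modes it produces.
# A new file is created as 0666 & ~umask, a new directory as 0777 & ~umask.

# mode_for_umask MASK file|dir -> octal mode a newly created file or directory gets.
mode_for_umask() {
  case $2 in
    file) base=0666 ;;   # programs request rw-rw-rw- when creating plain files
    dir)  base=0777 ;;   # mkdir requests rwxrwxrwx
    *) echo "usage: mode_for_umask MASK file|dir" >&2; return 1 ;;
  esac
  printf '%03o\n' $(( base & ~0$1 ))    # the leading 0 makes the shell read MASK as octal
}

# umask_for_dir_mode MODE -> the umask that yields directories of mode MODE
# (shubb's bit flip: 754 -> 023, 700 -> 077).
umask_for_dir_mode() {
  printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Print the octal permission bits of a path (GNU stat, falling back to BSD stat).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# created_modes MASK -> "FILEMODE DIRMODE" as actually produced when a file and a
# directory are created under that umask.
created_modes() {
  tmp=$(mktemp -d) || return 1
  ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )   # subshell keeps the umask change local
  f=$(perm_of "$tmp/f"); d=$(perm_of "$tmp/d")
  rm -rf "$tmp"
  printf '%s %s\n' "$f" "$d"
}

# Compare prediction with reality for the three masks discussed in the thread.
for m in 077 022 023; do
  printf 'umask %s: predicted %s/%s, created %s\n' "$m" \
    "$(mode_for_umask "$m" file)" "$(mode_for_umask "$m" dir)" "$(created_modes "$m")"
done
```

A umask set in ~/.bashrc or ~/.bash_profile only affects processes started from that shell (~/.bash_profile is read by login shells, ~/.bashrc by interactive non-login shells); files created by a desktop session or a service use whatever umask that process inherited, which is why the thread also points at the system-wide setting.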

Tinkster 08-18-2005 07:19 PM

To the OP:

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php


This thread has been reported for closure.

czon 08-18-2005 08:55 PM

thanks a lot saman007uk and shubb ;) I think I've got it now


Quote:

Originally posted by Tinkster
To the OP:

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php


This thread has been reported for closure.

Tinkster, if you bother to read both threads you will find out that I first posted in the Newbie forum, BUT I got "help" from a guy who gave me the wrong command, and I got locked out of my Linux account and had to boot up Windoze to keep in contact with the forum and my online HOWTOs.
Therefore I posted the same question again, but this time in Debian, just to get help from others with the same OS as me. If you really have to close one, close the thread in the Newbie forum, and I hope you can understand why I broke the forum rules this time.

thanks czon

