LinuxQuestions.org - Limiting User Access

Set the other directories' permissions so that the "other" users (you can set permissions to "owner user", "owner group" and "others") don't have any permissions (especially not read) on them, and that's done. Then only the directory owners, or users who belong to a group who has permissions to read the directory, can read it (same goes for write/execute). Then if you want that user to have access to some other directories, you can either set their "other" permissions suitable, or if that's not possible (like it typically isn't, because that would mean allowing anybody read them), add the user to a group that has read permissions on that directory.

In other words: basically there are three levels of permissions on every file (directory too) on the system: u (owner user), g (group) and o (other users). Each of these can be set permissions of r (read), w (write) and x (execute). In addition there are some other bits you can set, like suid bit (set user id), but they're not relevant now - read a good book or articles on the web about them if you like to know more (you can read about user permissions as well).

Any user on the system is either an owner of a file (affected by 'u'), belongs to a group that has permissions set for a file (affected by 'g') or is "just another user" (affected by 'o'). Combining these you can get different users different sorts of access to files (including directories). You can set ownerships either graphically (right-click, select Properties) or using commands chown (ownership change), chgrp (group-ownership change) and chmod (permissions change). For example

Code:

chown julia /home/julia

Would set user "julia" the owner of /home/julia. Then if you did

Code:

ls -ld /home/julia

you would see the permissions of that file (directory), for example drwxr-xr-- (or if it was a regular file and not a directory, -rwxr-xr--; note the 'd' in the beginning noting it's a directory). There's, if you don't mind the first letter, nine letters that tell the permissions of that file - three first for the owner user, three in the middle for the group and the last three for all other users (for all there are read, write and execute permissions, or a dash '-' if there is no permission for that). 'rwx' in the beginning means that the owner user has read, write and execute access for that file (directory); 'r-x' in the middle means that users who belong to the group that this file belongs to have read and execute permissions, but no write (there's a dash where there could be 'w'). And in the end, 'r--' means all other users have read permissions, but no write nor execute permissions for that file.

You can change permissions with chmod like this:

Code:

chmod o+rwx /home/julia

chmod g+w /home/julia

chmod o-r /home/julia

First command would add read, write and execute permissions for the owner of /home/julia. Second would add write permission for the group for that file (affecting all users who belong to that group), and the last would remove read permissions from other users for that file. Simple.

You can also use numbers to represent the permissions, which makes it shorter if you remember them (or calcaulate them very quickly in your head); instead of nine letters you can use three digits to set full permissions (user/group/others) on a file, for example

Code:

chmod 700 /home/julia

means the same as

Code:

chmod u+rwx,g-rwx,o-rwx

The numbers are actually a binary presentation of the permissions; zero means "---", seven "rwx". So one number sets all three permissions for one of the user, group or others.

Just a note: you need to allow read access to some system directories, like bin/ directories, or otherwise let the user access certain programs or otherwise the user can't do anything, maybe even log in (it depends) :) With chroot (mentioned in the above post) you can change what the user "sees" as the root directory, but be aware: it's not bullet-proof, there are several ways to get around it and hands on the real root directory.