Hide/Don't list non-readable folders
Solution 1
In general, no. Only the permissions of the (from your point of view) parent directory determine whether its content can be listed by a particular user. This includes directory entries that this user cannot open/read. The mechanism for SSH/SFTP access is the same as with local tools, since the SSH/SFTP server spawns a subprocess for each session and changes the ownership of the subprocess to the respective user as soon as they're authenticated successfully.
Consider the following example:
```
david@localhost:~$ ls -la /home
dr-xr-xr-x  1 root  root    80 Nov 10 09:05 .
drwxr-xr-x 23 root  root  4,0K Dec 17 11:09 ..
drwxr-xr-x  1 guest guest  836 Sep  4 20:58 guest
drwxr-x---  1 david users 4,2K Dec 14 22:07 david
drwx------  1 root  root   614 Nov 10 12:42 root
```
As you can see, I, `david`, can list the content of `/home` even though I am not its owner, since everybody can read it (see the permission mask in front of the `.` entry). I can list the content of `/home/guest` for the same reason. I can also list the content of `/home/david`, since I'm its owner and the owner has read permission. However, I cannot list the content of `/home/root`, since I'm not the owner and nobody but the owner has read permissions on that directory:
```
david@localhost:~$ ls /home/root
ls: cannot open directory /home/root: Permission denied
```
If one changed the ownership of `/home` to remove read permission for non-owners, I could not list the content of `/home` any longer:
```
david@localhost:~$ sudo chmod o-r /home
david@localhost:~$ ls -ld /home
drwxr-x--x 2 root root 40 Dez 17 21:17 /home
david@localhost:~$ ls -l /home
ls: cannot open directory /home: Permission denied
```
Though, I can still traverse `/home` and read `/home/david`, because the traverse permission (that's the semantic of the "execute" bit on directories) is still set on `/home` (and `/`):
```
david@localhost:~$ ls -l /home/david
total 732K
drwx------ 1 david users 4,2K Dec 14 22:07 .
dr-xr-x--x 1 root  root    80 Nov 10 09:05 ..
drwx------ 1 david users   60 Aug 24  2014 .adobe
-rw------- 1 david users   83 Dec  6 19:49 .bash_aliases
-rw------- 1 david users   66 May 12  2011 .bash_completion
-rw------- 1 david users  703 Nov 23 05:41 .bash_exports
[etc...]
```
See Jakuje's answer for a possible alternative approach to your underlying aim.
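The rule the answer demonstrates (read bit on a directory to list it, execute/traverse bit on every ancestor to reach anything below it, root bypassing both) can be modelled in a few lines. The following is an added example, not code from the answer or from any real tool; the directory tree and the users are constructed to mirror the `ls -la /home` listing above, and the `chmod o-r /home` step is replayed on the model.

```python
"""Model of the Unix directory-permission rule the answer describes.

Listing a directory requires the read bit on that directory; reaching a path
requires the execute (traverse) bit on every ancestor. The user "root" is
treated as bypassing both checks, as it does on a real system.
Added example with a constructed tree; it touches no real filesystem.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Dir:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o755


# Constructed tree mirroring the answer's `ls -la /home` output.
TREE = {
    "/":           Dir("root",  "root",  0o755),
    "/home":       Dir("root",  "root",  0o555),  # dr-xr-xr-x
    "/home/guest": Dir("guest", "guest", 0o755),  # drwxr-xr-x
    "/home/david": Dir("david", "users", 0o750),  # drwxr-x---
    "/home/root":  Dir("root",  "root",  0o700),  # drwx------
}


def _class_bits(d: Dir, user: User) -> int:
    """Select the owner/group/other permission triplet that applies to `user`."""
    if user.name == d.owner:
        return (d.mode >> 6) & 0o7
    if d.group in user.groups:
        return (d.mode >> 3) & 0o7
    return d.mode & 0o7


def _ancestors(path: str):
    """Yield every ancestor of `path` from "/" down to, but excluding, `path`."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def can_traverse(tree: dict, user: User, path: str) -> bool:
    """True if `user` can reach `path`: execute bit on every ancestor directory."""
    if user.name == "root":
        return True
    return all(_class_bits(tree[a], user) & 0o1 for a in _ancestors(path))


def can_list(tree: dict, user: User, path: str) -> bool:
    """True if `user` can list `path`: must reach it and hold its read bit."""
    if user.name == "root":
        return True
    return can_traverse(tree, user, path) and bool(_class_bits(tree[path], user) & 0o4)


def demo():
    """Replay the answer: list as david before and after `sudo chmod o-r /home`."""
    david = User("david", frozenset({"users"}))
    before = {p: can_list(TREE, david, p)
              for p in ("/home", "/home/guest", "/home/david", "/home/root")}
    # `chmod o-r /home`: clear the "other" read bit, keep the traverse bit.
    locked = dict(TREE)
    locked["/home"] = Dir("root", "root", TREE["/home"].mode & ~0o004)
    after = {p: can_list(locked, david, p) for p in ("/home", "/home/david")}
    return before, after


if __name__ == "__main__":
    b, a = demo()
    for path, ok in b.items():
        print(f"before chmod: david {'can' if ok else 'cannot'} list {path}")
    for path, ok in a.items():
        print(f"after  chmod: david {'can' if ok else 'cannot'} list {path}")
```

The `after` result is the point of the answer: once `/home` loses its "other" read bit, `david` can no longer list `/home` but can still list `/home/david`, because the execute bit on `/home` still grants traversal. Note that the model does not hide entries selectively; a directory is either listable in full or not at all, which is exactly why the question's goal cannot be met with permission bits alone.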
Solution 2
I don't know about any way to do what you describe, but there is a `-d` option for the openssh `sftp-server`, which specifies the user's starting directory and can solve your problem about

> [...] to browse through the whole list of user folders to find his personal folder.

If you specify your `sftp-server` such as:

```
Subsystem sftp internal-sftp -d /users/%u
```

(you need to omit `/home/company-folder/`, since you are already chrooted there).
Asked by berriop, updated on September 18, 2022

Comments
- berriop, over 1 year: In a multi-user environment using Ubuntu server 14.04 as a shared drive, all users connect via SFTP using Filezilla/WinSCP and are chrooted to `/home/company-folder/`. Each user also has its own personal folder under `/home/company-folder/users/`, e.g. `/home/company-folder/users/username-1`, `/home/company-folder/users/username-2` and so on. Now `username-1` can see other users' personal folders (`/home/company-folder/users/username-2`, `/home/company-folder/users/username-3`, etc.); he cannot access other user folders, but he can see them listed. Question is: what can I do so users cannot see each other's personal directory under `/home/company-folder/users/`? Is there any way in Ubuntu-Linux to hide non-readable folders? Since in a system with 100+ users it is not convenient for users to browse through the whole list of user folders to find his personal folder.
- David Foerster, over 8 years: In general, no. Only the permission of the parent directories determines whether its content can be listed by a particular user.
- David Foerster, over 8 years: Samba may be another option that can definitely do something to that effect, if CIFS is a viable file access protocol for your case. On the other hand, I don't see what's so bad about listing all user homes to everyone. This has the advantage that users may share a subset of their files with other users.
- David Foerster, over 8 years: @Jakuje: Done. My mistake. J and K are so close on the keyboard.
- berriop, over 8 years: but they still need to access /home/company-folder/ which also contains common folders (eg. /home/company-folder/projects), so specifying a starting directory like that doesn't work. Anyway thanks for your reply.
- berriop, over 8 years: thanks for your reply David, but that still does not solve the issue, as users cannot type commands to move between directories, nor guess the directory path; they are using Filezilla/WinSCP. I am a bit surprised that hiding folders from users without permission cannot be accomplished. I have also tried another way, mounting /home/company-folder into the user directory by: `mount --bind /home/company-folder /home/company-folder/users/username-1` but this has to be done individually for every existing and new user, and I may need it to be done automatically when creating a new user.
- David Foerster, over 8 years: My university (and many other places) mount required network drives upon login and unmount them on logout. Maybe you can use a similar approach.
- David Foerster, over 8 years: @berriop: What about an additional user for the shared folder?
- Jakuje, over 8 years: Or some default symlinks from users' own directories? It is not elegant, but it should work.