Shared Linux machine - block home folder access to other users?
Solution 1
Deny permissions take precedence over allow permissions.
Beyond that, several users shouldn't have administrative accounts. Give them the ability to escalate their privileges as necessary, but default access for everyone should be the same.
EDIT: What I mean by this is run chmod 700 /home/username on it.
Second edit due to very astute catch by @whitequark
Solution 2
The correct way to protect all directories in a home directory is:
find $HOME -type d -exec chmod go-rwx "{}" \;
That will remove permissions to run ls ('r'), to create files ('w') and to cd into a directory ('x') for the other members of the user's group and everyone else.
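The directory-only command above, extended as an added example (not code from any answer here): it also clears group/other access on regular files without adding execute bits or touching symlink targets, then re-opens chosen subfolders the way the asker describes in the comments. The function names and the someuser/Music/private tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Paths below are constructed.

# lock_home DIR: clear every group/other bit on directories and regular files.
# "go-rwx" only removes bits, so plain files never gain an execute bit, and
# limiting find to -type d/-type f means chmod is never run on a symlink,
# whose target may live outside DIR.
lock_home() {
    find "$1" \( -type d -o -type f \) -exec chmod go-rwx {} +
}

# share_subdirs HOME NAME...: re-open chosen subfolders read-only.
# HOME gets only the x bit (others can pass through but not list it);
# capital X adds execute to directories and to files that already have it.
share_subdirs() {
    home=$1; shift
    chmod go+x "$home"
    for name in "$@"; do
        chmod -R go+rX "$home/$name"
    done
}

# list_exposed DIR: print entries that still grant any group/other permission.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Demo on a constructed tree in a temporary directory.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/someuser/Music" "$t/someuser/private"
    echo song > "$t/someuser/Music/a.ogg"
    echo secret > "$t/someuser/private/notes.txt"
    chmod -R a+rX "$t/someuser"          # start world-readable
    lock_home "$t/someuser"
    share_subdirs "$t/someuser" Music
    list_exposed "$t/someuser"           # prints someuser, Music, a.ogg
    rm -rf "$t"
}
demo
```

Running list_exposed again after later changes shows which entries have drifted back to group or world access.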
Solution 3
The user's home folder is blocked by default on any Linux system. So you won't have to worry about that.
sa125
Updated on September 17, 2022
Comments
-
sa125 over 1 year
I'm setting up a Linux machine that'll be shared by several users, some of whom will be admins. Is there a way to restrict access to a user's home folder (encrypt or block completely) for other regular/admin users?
-
sa125 almost 14 years
so chmod -R go-r /home/someuser should do it?
-
Neal almost 14 years
Blocked so that "admin" users can't see?
-
JBirch almost 14 years
I'm more of a chmod 700 /home/someuser guy myself.
-
dingzhihu almost 14 years
@sa125: Be careful with the -R: It will also change permissions for all files. Also, don't forget the -x flag. If that is set, other users can still cd into the directory (even though they can't list it).
-
dingzhihu almost 14 years
root can do anything by default. But you can install a secured version of Linux (like SELinux) where you can restrict root, too.
-
whitequark almost 14 years
Don't do that! By doing chmod -R 700, you'll make all files in your home directory executable. At least it will cause problems with opening them in file managers.
-
whitequark almost 14 years
@Aaron: and who would have access to SELinux policy? That's all about the human factor.
-
sa125 almost 14 years
thanks everyone - I ended up using chmod -R go-rwx /home/someuser, then manually added permissions to folders that users will want to share (Music, Shared, Documents).
-
JBirch almost 14 years
Actually, that's very important. I have a weird setup where that's what I want predominately more than none. Force of habit. I'll modify it to mention so.
-
dingzhihu almost 14 years
@whitequark: The human factor in this case is that the data is more than a cd away.
-
whitequark almost 14 years
@Aaron: Did we talk about restricting root? When people go sudo chmod-ing, the data is already farther than that.
-
dingzhihu almost 14 years
@whitequark: That's why root should only allow sudo to people they can trust. Let's say it differently: If I compare the amount of bad people can do to the amount of bad they do, we're still pretty good.
-
Soren Bjornstad about 5 years
@user46459 Really? All the systems I can ever recall installing have started with world read/execute permissions on user home directories, including multiple server and desktop distros.