2
2
I'm setting up a Linux machine thet'll be shared by several users, some of whom will be admins. Is there a way to restrict access to a user's home folder (encrypt or block completely) for other regular/admin users?
sa125
Posted 2010-08-17T05:10:11.260
Reputation: 916
3
Deny permissions take precedence over allow permissions.
Beyond that, several users shouldn't have administrative accounts. Give them the ability to escalate their privileges as necessary, but default access for everyone should be the same.
EDIT: What I mean by this is run chmod 700 /home/username on it.
Second edit due to very astute catch by @whitequark
JBirch
Posted 2010-08-17T05:10:11.260
Reputation: 456
3
The correct way to protect all directories in a home directory is:
find $HOME -type d -exec chmod go-rwx "{}" \;
That will remove permissions to run ls ('r'), to create files ('w') and to cd into a directory (x) for the other members of the user's group and everyone else.
Aaron Digulla
Posted 2010-08-17T05:10:11.260
Reputation: 6 035
1
The user's home folder is blocked by default on any linux system. So you won't have to worry about that.
user46459
Posted 2010-08-17T05:10:11.260
Reputation: 11
Blocked so that "admin" users can't see? – Neal – 2010-08-17T05:59:02.423
root can do anything by default. But you can install a secured version of Linux (like SELinux) where you can restrict root, too. – Aaron Digulla – 2010-08-17T07:17:40.260
@Aaron: and who would have access to SELinux policy? That's all about the human factor. – whitequark – 2010-08-17T07:25:15.967
@whitequark: The human factor in this case is that the data is more than a cd away. – Aaron Digulla – 2010-08-17T08:06:42.967
@Aaron: Did we talked about restricting root? When people go sudo chmod-ing, the data is already farther than that. – whitequark – 2010-08-17T08:42:46.747
@whitequark: That's why root should only allow sudo to people they can trust. Let's say it different: If I compare the amount of bad people can do to the amount of bad they do, we're still pretty good. – Aaron Digulla – 2010-08-17T09:03:51.703
@user46459 Really? All the systems I can ever recall installing have started with world read/execute permissions on user home directories, including multiple server and desktop distros. – Soren Bjornstad – 2019-04-17T00:20:49.197
1so
chmod -R go-r /home/someusershould do it? – sa125 – 2010-08-17T05:51:41.477I'm more of a
chmod 700 /home/someuserguy myself. – JBirch – 2010-08-17T06:32:29.510@sa125: Be careful with the -R: It will also change permissions for all files. Also, don't forget the -x flag. If that is set, other users can still
cdinto the directory (even though they can't list it). – Aaron Digulla – 2010-08-17T07:14:54.2774Don't do that! By doing
chmod -R 700, you'll make all files in your home directory executable. At least it will cause problems with opening them in file managers. – whitequark – 2010-08-17T07:24:10.180thanks everyone - I ended up using
chmod -R go-rwx /home/someuser, then manually added permissions to folders that users will want to share (Music, Shared, Documents). – sa125 – 2010-08-17T07:46:33.650Actually, that's very important. I have a weird setup where that's what I want predominately more than none. Force of habit. I'll modify it to mention so. – JBirch – 2010-08-17T07:48:02.147