2
2
I'm setting up a Linux machine that'll be shared by several users, some of whom will be admins. Is there a way to restrict access to a user's home folder (encrypt or block completely) for other regular/admin users?
3
Deny permissions take precedence over allow permissions.
Beyond that, several users shouldn't have administrative accounts. Give them the ability to escalate their privileges as necessary, but default access for everyone should be the same.
EDIT: What I mean by this is run chmod 700 /home/username on it.
Second edit due to very astute catch by @whitequark
3
The correct way to protect all directories in a home directory is:
find $HOME -type d -exec chmod go-rwx "{}" \;
That will remove permissions to run ls ('r'), to create files ('w') and to cd into a directory ('x') for the other members of the user's group and everyone else.
1
The user's home folder is blocked by default on any Linux system. So you won't have to worry about that.
Blocked so that "admin" users can't see? – Neal – 2010-08-17T05:59:02.423
root can do anything by default. But you can install a secured version of Linux (like SELinux) where you can restrict root, too. – Aaron Digulla – 2010-08-17T07:17:40.260
@Aaron: and who would have access to SELinux policy? That's all about the human factor. – whitequark – 2010-08-17T07:25:15.967
@whitequark: The human factor in this case is that the data is more than a cd away. – Aaron Digulla – 2010-08-17T08:06:42.967
@Aaron: Did we talk about restricting root? When people go sudo chmod-ing, the data is already farther than that. – whitequark – 2010-08-17T08:42:46.747
@whitequark: That's why root should only allow sudo to people they can trust. Let's say it differently: If I compare the amount of bad people can do to the amount of bad they do, we're still pretty good. – Aaron Digulla – 2010-08-17T09:03:51.703
@user46459 Really? All the systems I can ever recall installing have started with world read/execute permissions on user home directories, including multiple server and desktop distros. – Soren Bjornstad – 2019-04-17T00:20:49.197
So chmod -R go-r /home/someuser should do it? – sa125 – 2010-08-17T05:51:41.477
I'm more of a chmod 700 /home/someuser guy myself. – JBirch – 2010-08-17T06:32:29.510
@sa125: Be careful with the -R: It will also change permissions for all files. Also, don't forget the -x flag. If that is set, other users can still cd into the directory (even though they can't list it). – Aaron Digulla – 2010-08-17T07:14:54.277
Don't do that! By doing chmod -R 700, you'll make all files in your home directory executable. At least it will cause problems with opening them in file managers. – whitequark – 2010-08-17T07:24:10.180
Thanks everyone - I ended up using chmod -R go-rwx /home/someuser, then manually added permissions to folders that users will want to share (Music, Shared, Documents). – sa125 – 2010-08-17T07:46:33.650
Actually, that's very important. I have a weird setup where that's what I want predominately more than none. Force of habit. I'll modify it to mention so. – JBirch – 2010-08-17T07:48:02.147
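The three variants discussed in the answers and comments above (chmod -R 700, chmod -R go-rwx, and the find -type d form), run side by side on a constructed home tree; this is an added example, not part of any original post. It assumes GNU stat and GNU find (for -perm /077), and the function and directory names are made up for the demonstration.

```sh
#!/bin/sh
# Added example: compares the chmod approaches from this thread on a
# constructed home tree under a temp directory (all names are made up).

make_tree() {   # $1 = root of the constructed home directory
    mkdir -p "$1/Documents" "$1/Music"
    echo notes > "$1/Documents/notes.txt"
    echo song  > "$1/Music/song.ogg"
    chmod 755 "$1" "$1/Documents" "$1/Music"
    chmod 644 "$1/Documents/notes.txt" "$1/Music/song.ogg"
}

mode() { stat -c '%a' "$1"; }   # GNU stat: octal permission bits

# Audit helper: list everything under $1 that still has any group/other bit.
exposed() { find "$1" -perm /077; }

# Approach 1: chmod -R 700 closes access but also sets x on regular files.
approach_recursive_700() { chmod -R 700 "$1"; }

# Approach 2: chmod -R go-rwx strips group/other bits, owner bits unchanged.
approach_recursive_go() { chmod -R go-rwx "$1"; }

# Approach 3: directories only. File modes stay as they were; the files are
# shielded only because no parent directory can be traversed by others.
approach_dirs_only() { find "$1" -type d -exec chmod go-rwx {} \; ; }

demo() {
    base=$(mktemp -d) || return 1
    for a in approach_recursive_700 approach_recursive_go approach_dirs_only; do
        home="$base/$a"
        make_tree "$home"
        "$a" "$home"
        printf '%s: home=%s dir=%s file=%s still-exposed=%s\n' "$a" \
            "$(mode "$home")" "$(mode "$home/Documents")" \
            "$(mode "$home/Documents/notes.txt")" \
            "$(exposed "$home" | wc -l)"
    done
    rm -rf "$base"
}

demo
```

With the directories-only form, a file later moved or hard-linked out of the closed tree keeps its original group/other bits, which is what the exposed helper reports.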