4
2
I just created a new user account, but the new user is able to access the whole directory structure (including others' home directories). I'd like to limit the user to access ONLY his home directory (and nothing "above"). How do I do this?
3
Set the modes on all home directories to 0700.
Optionally, set the default umask to 077. In Ubuntu, edit the "umask 022" line in /etc/profile. Optionally, update PAM configuration in /etc/pam.d/common-session (pam_umask.so umask=077 usergroups).
Optionally, chmod /etc/skel and update /etc/adduser.conf (line "DIR_MODE=0755") to 0700.
You cannot restrict a user to "home directory and nothing 'above'" without a lot of headache, and it does not make sense either (for me, at least):
It is write access you should be afraid of, and the default permissions already prevent writing anywhere except a few locations.
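One way to check and apply the first step of the answer above, as an added example that is not part of the original answer: it lists home directories that still grant group or other access, reads the DIR_MODE default from an adduser.conf file, and strips the extra bits. The function names are hypothetical, and GNU stat (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: audit and tighten home directory modes.
# Function names are hypothetical; assumes GNU stat (stat -c '%a').

# Print "MODE PATH" for each directory directly under $1 (default /home)
# whose mode grants any permission to group or other.
loose_homes() {
    base=${1:-/home}
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        if [ -L "$d" ]; then continue; fi      # do not follow symlinks
        mode=$(stat -c '%a' "$d") || continue
        # A leading 0 makes the shell read the value as octal;
        # 077 masks the group and other permission bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# Print the DIR_MODE value that adduser applies to new home directories.
# $1 is the config file (default /etc/adduser.conf); the last setting wins.
adduser_dir_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]\{3,4\}\).*/\1/p' \
        "${1:-/etc/adduser.conf}" | tail -n 1
}

# Remove group/other access from every directory loose_homes reports.
# go-rwx only removes bits, so a 0755 home becomes 0700.
tighten_homes() {
    loose_homes "${1:-/home}" | while read -r mode dir; do
        chmod go-rwx -- "$dir"
    done
}

# Report only when a base directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    loose_homes "$1"
    printf 'DIR_MODE for new accounts: %s\n' "$(adduser_dir_mode)"
fi
```

Run it as root with /home as the argument to get the report; tighten_homes changes permissions and is only invoked when called explicitly.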
1
This thread is a little bit old, but anyway, you can restrict the users (very restrictively) to the home directory by changing the bash shell to rbash if you really want it. This way the user won't be able to use the cd command. Or change the home directory owner as mentioned above. But remember that the user can execute bash, so perform restrictive settings...
ok, what are these "few locations"?! It's quite important for me. – migajek – 2011-02-20T21:05:47.153
@vic:
find / -xdev \( -path "$HOME" -prune \) -o \( -type d -a -writable -a -executable \) -ls 2>/dev/null
# this will list directories that you have write access to. – user1686 – 2011-02-20T21:17:25.727
1
The few locations are files where passwords are stored in clear text, or other sensitive data. For example, if you are using VPN and the pptp-linux package, the password will be stored in /etc/ppp/pap-secrets or /etc/ppp/chap-secrets or in a folder above. Which places these are really depends on your setup and your software. But in general the default rights for all files are set appropriately. – Darokthar – 2011-02-20T21:36:56.883
As I said: "But in general the default rights for all files are set appropriately." – Darokthar – 2011-02-20T22:14:40.610