Ubuntu: limiting user account only to access his home dir

4

2

I just created a new user account, but the new user is able to access the entire directory structure (including others' home directories). I'd like to limit the user to access ONLY his home directory (and nothing "above"). How do I do this?

migajek

Posted 2011-02-20T20:49:25.227

Reputation: 161

Answers

3

Set the modes on all home directories to 0700.

Optionally, set the default umask to 077. In Ubuntu, edit the "umask 022" line in /etc/profile. Optionally, update PAM configuration in /etc/pam.d/common-session (pam_umask.so umask=077 usergroups).

Optionally, chmod /etc/skel and update /etc/adduser.conf (line "DIR_MODE=0755") to 0700.


You cannot restrict a user to "home directory and nothing 'above'" without a lot of headache, and it does not make sense either (for me, at least):

  • To execute any program, the user must have 'read' access to it.
  • To use shared libraries, a program must have 'read' access to them.
  • To read the system-wide configuration files and resources, 'read' access is needed too.

It is write access you should be afraid of, and the default permissions already prevent writing anywhere except a few locations.

user1686

Posted 2011-02-20T20:49:25.227

Reputation: 283 655

ok, what are these "few locations"?! It's quite important for me. – migajek – 2011-02-20T21:05:47.153

@vic: find / -xdev \( -path "$HOME" -prune \) -o \( -type d -a -writable -a -executable \) -ls 2>/dev/null # this will list directories that you have write access to. – user1686 – 2011-02-20T21:17:25.727

The few locations are files where passwords are stored in clear text, or other sensitive data. For example, if you are using VPN and the pptp-linux package, the password will be stored in /etc/ppp/pap-secrets or /etc/ppp/chap-secrets or in a folder above. Which places these are really depends on your setup and your software. But in general the default rights for all files are set appropriately. – Darokthar – 2011-02-20T21:36:56.883

As I said: "But in general the default rights for all files are set appropriately.". – Darokthar – 2011-02-20T22:14:40.610
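
An added example, not part of the original answer or comments: a shell script that checks the three settings the answer above lists (home directory modes, DIR_MODE in adduser.conf, the umask line in the profile) and lists writable directories outside the user's home. The function names and the choice to pass every path as an argument are assumptions of this example, and it relies on GNU find as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU find.

# Print "MODE PATH" for each directory directly under $1 whose mode grants
# any permission to group or other, i.e. anything looser than 0700.
loose_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 -printf '%m %p\n' | sort -k2
}

# Print the last DIR_MODE value set in an adduser.conf-style file $1.
dir_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]*\).*/\1/p' "$1" | tail -n 1
}

# Print the last "umask NNN" value set in a profile-style file $1.
profile_umask() {
    sed -n 's/^[[:space:]]*umask[[:space:]][[:space:]]*\([0-7][0-7]*\).*/\1/p' "$1" | tail -n 1
}

# Print directories under $1 (same filesystem only) that the calling user can
# write to and enter, skipping the subtree $2 (normally the user's own home).
writable_dirs() {
    find "$1" -xdev \( -path "$2" -prune \) -o \
        \( -type d -writable -executable -print \) 2>/dev/null | sort
}

# Report every deviation from the answer's settings. Returns 1 if any is found.
audit() {  # usage: audit HOME_ROOT ADDUSER_CONF PROFILE
    bad=0
    homes=$(loose_homes "$1")
    if [ -n "$homes" ]; then
        printf 'home directories looser than 0700:\n%s\n' "$homes"; bad=1
    fi
    mode=$(dir_mode "$2")
    if [ "$mode" != 0700 ] && [ "$mode" != 700 ]; then
        printf '%s: DIR_MODE is %s, expected 0700\n' "$2" "${mode:-unset}"; bad=1
    fi
    mask=$(profile_umask "$3")
    if [ "$mask" != 077 ] && [ "$mask" != 0077 ]; then
        printf '%s: umask is %s, expected 077\n' "$3" "${mask:-unset}"; bad=1
    fi
    return "$bad"
}

# Run against the real system only when three paths are given, for example:
#   sh audit.sh /home /etc/adduser.conf /etc/profile
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run as root, `writable_dirs` reports every directory, so call it as the account being checked, for example `writable_dirs / "$HOME"`.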

1

This thread is a little bit old, but anyway you can restrict the users (very restrictively) to the home directory by changing the bash shell to rbash if you really want it. This way the user won't be able to use the cd command. Or change the home directory owner as mentioned above. But remember that the user can execute bash, so perform restrictive settings...

Kashif

Posted 2011-02-20T20:49:25.227

Reputation: 11