Special directory permissions for new user

Question

I need to add special permission for new shell user. After using adduser command new, the user can read all directories into shell account.

Command adduser user1 brings us new user which has own shell directory /home/user1. Now, I need make permissions for user1 with full access only for its corresponding /home/user1 folder. Each time when user1 goes into /home folder, the user should not see anything from this folder. Same behaviour should be when user1 goes into main shell directory where we have folders etc, home, usr, var etc.

Now when I log in as user1 I can read all shell directories e.g. via Midnight Commander.

Can anybody help to set this special permissions? Thank You in advance.

Answer 1

To use a system a user must be able to access/read many parts of the system. But he will not be able to write outside of his own home directory (i.e. /home/user1).

This of course should not apply to the home directories of other users. (Supposedly for convenience) Ubuntu comes with a default setting where everybody has read access to all home directories of other users.

ls -l /home will show something like

drwxr-xr-x  54 user      user      4096 Jan 25 17:17 user
drwxr-xr-x  52 user1     user1     4096 Dez 21 17:47 user1
drwxr-xr-x 198 another   another  12288 Jan 25 17:19 another

Look at the permissions at the beginning of each line:

drwxr-xr-x
       ^^^ 

The marked part means: "Everybody else can read the directory and cd into it"

You can prevent this by issuing

sudo chmod 0700 /home/*

check with ls -l /home and you will see something like

drwx------  54 user      user      4096 Jan 25 17:17 user
drwx------  52 user1     user1     4096 Dez 21 17:47 user1
drwx------ 198 another   another  12288 Jan 25 17:19 another

Now no user will be able to see the contents of another user`s home directory (of course neither with Midnight Commander).

If you want to prevent this issue for newly added users there are several ways, depending on how you create the new user.

When you add new users with the GUI (System Settings/Users)

This takes the permissions on the home directory from the existing permissions on etc/skel. So

sudo chmod -v 0700 /etc/skel

will give the desired result.

When you add new users with adduser

Edit /etc/adduser.conf. Find the line

DIR_MODE=0755

and change it to

DIR_MODE=0750

Answer 2

You can do this using different permissions. Presumably, if you remove read permissions to /home for others and for the group. This way, only the superuser will have access to read.

I tested this by creating a new user for which I assigned a folder other than the default folder. As I was testing, I did in a folder other than my system's /home folder in case I messed up. Here is the step-by-step of what I did and it seems to have worked:

1. I created a folder /private_home
2. Under /private_home I created another folder called user1.
3. Created a standard user called user1.
4. Assigned folder /private_home/user1 as the home folder for the user using: sudo usermod -d /private_home/user1 user1. This moves the home folder of user1 from /home/user1 to /private_home/user1.
5. Then changed the access privileges to /private_home as follows: sudo chmod 711 /private_home.

Now, when login in as user1 using su user1 I logged into that user's folder /private_home/user1 but when I try cd .. I am able to get to that folder (the shell prompts shows that) but I have no permissions to read the folder contents. That is, when trying ls it says `Permission denied'.

Presumably you can do the same thing for all your users for that /private_home folder.

Having said so, I would not do this with / as you will run the risk to make your system unstable.

Note: I used some of the concepts in the answer in this post.