Prohibit a user from accessing the home folder of another user

Hello,
Suppose there are two user accounts. The problem is, one user is able to access the home folder of another user.
How do I restrict a user from accessing the home folder of another user?
The DE in this case is KDE Plasma.

You don’t.

The other user can do this himself by turning off the “other” permission of his/her home directory.

chmod og-rwx $HOME

I can see that it would be a useful feature for KDE (and other DEs) to provide as a configurable graphical user setting.

There is. Use the file manager, Dolphin, right click on the Home “Place”, and then you can set the access permissions.

Yes, that is a means I guess. Not sure that it would be so obvious to new users though.

For a long time SUSE defaulted to adding every new user to the group users

user@uefi:~> id -a
uid=1000(user) gid=100(users) groups=100(users)
user@uefi:~> 

so the “others” permissions may not be enough.

user@uefi:~> ll -d .
drwxr-xr-x 1 user users 1400 Jul 29 09:45 .
user@uefi:~> 

Actually, it probably should be considered a bug in the installer, but it was long ago and is no longer relevant.
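An audit of the situation described above, added here as an example and not taken from any post in the thread: it lists every home directory that still grants permission bits to group or other, together with the owning group, so a shared primary group such as users stands out. It assumes GNU stat and that homes are direct subdirectories of the base directory given as the argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit home directories for
# group/other access. Assumes GNU stat and homes directly under $1.

# Prints "<mode> <owner>:<group> <path> <finding>" for each home that
# grants any permission bit to group or other. Runs in a subshell so
# the helper variables do not leak into the caller.
audit_homes() (
    base=${1:-/home}
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue          # also skips an unmatched glob
        dir=${dir%/}
        [ -L "$dir" ] && continue          # ignore symlinked entries
        mode=$(stat -c '%a' "$dir")        # octal mode, e.g. 755
        owner=$(stat -c '%U' "$dir")
        group=$(stat -c '%G' "$dir")
        finding=
        # Last octal digit is "other", the one before it is "group".
        if [ $(( 0$mode & 007 )) -ne 0 ]; then
            finding=other-access
        fi
        if [ $(( 0$mode & 070 )) -ne 0 ]; then
            finding="${finding:+$finding,}group-access"
        fi
        if [ -n "$finding" ]; then
            printf '%s %s:%s %s %s\n' "$mode" "$owner" "$group" "$dir" "$finding"
        fi
    done
    exit 0
)

# Typical use, as root:  audit_homes /home
# A line such as "750 user:users /home/user group-access" means every
# member of the group users can still enter that home directory.
```

A home reported with group-access where the group is the shared default (GID 100 in the output quoted above) needs `chmod og-rwx`, not just `chmod o-rwx`.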

Default behaviour…

cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
USRSKEL=/usr/etc/skel
CREATE_MAIL_SPOOL=yes

More information:

Teach your users about file ownership by user and group and about permissions.

And their implementation in day-to-day life using commands like chmod (or the equivalent from a GUI file manager) and umask (to be put in ~/.profile).

1 Like

Try the suggestion in the Official Security Docs:

Which has nothing to do with the OP’s request. Whether /home is on a different file system or not will not change anything about the ownership/permissions model of Unix/Linux.

1 Like

Thanks, selecting the home folder and restricting the other user from accessing it did the job.

@asdhio:

Yes, the solution for a two user system is OK but, if you’re having to deal with more than around about 3 or 4 users then, the following may be more appropriate:

  1. Try to figure out if the users can be sorted into groups.
  2. Realise that, there’s nothing preventing the insertion of Group directories below the ‘/home’ directory and then, moving each user’s login directory into the appropriate Group directory.
    Yes, yes – you’ll have to change each user’s login directory entry in ‘/etc/passwd’ or LDAP.
    And, you’ll also have to create some new User Groups in addition to the usual “users” Group and, move each user to the appropriate Group …
  3. You’ll also have to create some pseudo Users to own each Group directory –
    I often use UID values greater than 59900 and GID values greater than 59900 for these users.
    They also all have “/usr/sbin/nologin” as their login shell and, empty and locked password values.
  4. You then set up the Group directories such that, only users who are members of a particular group have access to the Group’s directory tree.
    Each individual user in a particular group can then decide if, other users in the group are allowed to access THEIR home directory or, not …

Please note that, you will not be able to manage the pseudo users and their groups with higher UID and GID values with YaST – there’s a limit in YaST which prevents this.
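The four steps above for one group, as an added example that is not part of the original post. The group name dev, the pseudo user dev-owner, the ID 59901 and the member logins are hypothetical; by default the script only prints the commands, and it runs them when APPLY=1 is set (as root, with the affected users logged out).

```shell
#!/bin/sh
# Added example (not from the thread): one group directory below /home,
# owned by a pseudo user. All names and IDs passed in are the caller's
# choice; the values in the usage line are hypothetical.

# Print the command unless APPLY=1, in which case execute it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# plan_group_home <group> <uid/gid for the pseudo owner> <member>...
plan_group_home() (
    group=$1
    id=$2
    shift 2                               # the rest are member logins
    owner="${group}-owner"
    gdir="/home/$group"

    run groupadd -g "$id" "$group"
    # Pseudo user: no login shell, no home of its own, password locked.
    run useradd -u "$id" -g "$group" -d "$gdir" -M \
        -s /usr/sbin/nologin "$owner"
    run passwd -l "$owner"
    # 0750: members may enter and list, everyone else gets nothing,
    # so non-members cannot even see the names of the homes inside.
    run install -d -o "$owner" -g "$group" -m 0750 "$gdir"

    for u in "$@"; do
        run usermod -a -G "$group" "$u"       # add as supplementary group
        run usermod -d "$gdir/$u" -m "$u"     # -m moves the existing home
        # Start closed; the user may later open it to the group
        # with "chmod g+rx" on their own home.
        run chmod 0700 "$gdir/$u"
    done
)

# Dry run:  plan_group_home dev 59901 alice bob
```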

Which means you didn’t bother to read the specific section of the docs I linked. You just read the generic blurb that summarized the page. I am actually trying to help by giving a link to a real solution to a real problem. However I can’t do your homework for you.

Good job not bothering!

I guess it is actually worth a Discourse bug report. It is not the first time this happens, and indeed, presenting text from the top of the page for a link pointing inside of this page may be highly misleading and probably does more harm than good. It would be better to not show any text at all.

3 Likes

@cuphi:

Section 11.3 of the Part II Local Security section of the openSUSE Security Guide – “Changing home directory permissions from 755 to 700” – implies one of the basic issues around tightening up the security of users’ Home directories:

  • Almost without an exception, the directories in the top-level directory “/” are owned by the user “root” – GID: “root”.

And, these directories have to have “other” access rights if a normal user is going to be able to do anything on the system.

Given that:

  • Anybody can read ‘/etc/passwd’.
  • Access rights to a LDAP server can be limited.

Regardless of what is done to limit access to the directory ‘/home’, if the machine’s users are being administered via the local mechanism – ‘/etc/passwd’ – anyone can determine where the login directories of the users are located and, the names of those directories.

  • With LDAP, that possibility can be dealt with …

And further, with LDAP and, user Group directories in ‘/home’, users who are not included in a specific group will not be able to determine the names of the login directories of users who are not members of “their” group …

  • With ‘/etc/passwd’ as the preferred user administration method, this is not true …

Which is why, I use the method of an extra “Group” directory layer within the ‘/home’ directory tree …

What good does knowing the path to the user’s home folder do if you cannot read, write, or execute anything there? The topic isn’t about hiding where a home folder is located but preventing access to it. In that case I feel that chmod is the simplest solution. If the users in question need access to sudo then lock them down to the commands they need to run by editing /etc/sudoers with the visudo command.

Yes, OK, true.

But, the next step is to not only prevent access but, to also inhibit discovering the system’s users – meaning human users who login to the system …

Maybe for you, but that was not the original question. That question was only about a user that wants to protect his files against access by another user. Which has of course been done for ~50 years by setting the permissions on your files.

Apparently the whole concept of Unix file ownership and permissions was unknown to the user as well as his system manager.

It is explained to the system manager. I assume he will teach his user(s). End of topic.