Re: Home directory viewable from another profile

To: debian-user@lists.debian.org
Subject: Re: Home directory viewable from another profile
From: Rob Owens <rowens@ptd.net>
Date: Thu, 22 Jul 2010 17:27:02 -0400
Message-id: <[🔎] 20100722212702.GB11199@aurora.owens.net>
In-reply-to: <[🔎] 4C42BF4E.7040601@gmail.com>
References: <[🔎] 4C421257.1010707@gmail.com> <[🔎] 20100717211910.GA21374@dementia.proulx.com> <[🔎] 4C42BF4E.7040601@gmail.com>

On Sun, Jul 18, 2010 at 09:46:06AM +0100, AG wrote:
> On 17/07/10 22:19, Bob Proulx wrote:
>> AG wrote:
>>    
>>> I have created another account for someone who will need to use my
>>> computer for a while.  However, when checking this, I found that my own
>>> files are viewable from this second account.
>>>      
>> By default files in the home are readable but not writable.
>>
>>    
>>> How do I set the permissions so that the contents of my own /home/ag
>>> account are not viewable from the new user account?
>>>      
>>    $ chmod o-rwx ~/
>>
>> That is 'o' for 'other' minus read-write-execute permissions.  You can
>> run that recursively if you like with 'chmod -R'.
>>
>>    
>>> For obvious reasons, I want to be careful about the permissions I
>>> set so I don't lock myself out.  I think that it is chown 700
>>> /home/ag -R but can someone please confirm that this will do what I
>>> want before I screw things up.
>>>      
>> I commend you for asking.  Using 'chown 700 /home/ag -R' would
>> probably fail but does something completely different on two counts.
>> One is that you want chmod not chown.  'chown 700' would try to change
>> the ownership to user number 700, but would probably fail since only
>> root can give away file ownership[1].
>>
>> But then if you had actually used 'chmod 700' it would be bad because
>> that hard sets the execute bit on every file!  You don't want that
>> either.  Also you really have no reason to lock out your own group, it
>> is your own group after all, so leave off the group restriction.  Read
>> up on UPG (user private groups) for more information.
>>
>> Using the symbolic modes is the modern way (modern as in as of around
>> twenty years ago modern) and avoids the trap of hard setting all of
>> the bits.  I think they are easier for people to understand too.  If
>> you want to do it the old way with hard numbers then using 'find' is
>> the way to go.  And if you have messed things up then some creative
>> find commands can repair things.
>>
>> Bob
>>
>> [1] http://www.gnu.org/software/coreutils/faq/#Why-can-only-root-chown-files_003f
>>    
> Bob
>
> Thanks for the excellent advice.  I executed the command you suggested  
> and did so recursively and that has achieved the result I wanted.
>
> Thanks for the information as well.  My head always gets a little  
> muddled when it comes to setting permissions, so I'm glad I asked first.
>
You don't need to do it recursively.  Simply removing the read and
execute permissions for "other" on your home directory is good enough.
This prevents anyone else from looking at any files within your home
directory, regardless of what the permissions on those specific files
is.

-Rob

Reply to:

References:
- Home directory viewable from another profile
  - From: AG <computing.account@googlemail.com>
- Re: Home directory viewable from another profile
  - From: Bob Proulx <bob@proulx.com>
- Re: Home directory viewable from another profile
  - From: AG <computing.account@googlemail.com>

Prev by Date: Re: python-twisted-core on my machines inexplicably still old, breaking installation of python-twisted
Next by Date: Re: python-twisted-core on my machines inexplicably still old, breaking installation of python-twisted
Previous by thread: Re: Home directory viewable from another profile
Next by thread: Confirming submission of bug report
Index(es):
- Date
- Thread