Ubuntu – Why can other users see the files in the home folder


I just added a new, underprivileged "desktop user," and I was surprised to discover that it can see the files in my home folder.

What is the rational for setting up such lax permissions?

Best Answer

A Public folder exists in your Home directory (/home/user) for sharing files with other users. If an other user wants to get access to this Public folder, the execute bit for the world should be set on the Home directory.

If you do not need to allow others to access your home folder (other humans or users like www-data for a webserver), you'll be fine with chmod o-rwx "$HOME" (remove read/write/execute from "other", equivalent to chmod 750 "$HOME" since the default permission is 750). Otherwise, you should change the umask setting too to prevent newly created files from getting read permissions for the world by default.

For a system-wide configuration, edit /etc/profile; per-user settings can be configured in ~/.profile. I prefer the same policy for all users, so I'd edit the /etc/profile file and append the line:

umask 027

You need to re-login to apply these changes, unless you're in a shell. In that case, you can run umask 027 in the shell.

Now to fix the existing permissions, you need to remove the read/write/execute permissions from other:

chmod -R o-rwx ~

Now if you decide to share the ~/Public folder to everyone, run the next commands:

  • chmod o+x ~ - allow everyone to descend in the directory (x), but not get a directory listing (r should not be added)
  • find ~/Public -type f -exec chmod o+r {} \; - allow everyone to read the files in ~/Public
  • find ~/Public -type d -exec chmod o+rx {} \; - allow everyone to descend into directories and list their contents

If you are use GNU coreutils (e.g. on Ubuntu, not on a embedded system having only busybox), then the previous two commands using find and chmod can be replaced by this single command that recursively makes folders and files readable (and additionally adds the execute (descend) bit for directories only):

chmod -R o+rX ~/Public
Related Question