Here is a quick way to do it with firefox as an example:
- Create a group
webusers
- change the rights of the firefox binary to 750 (root:rwx, webusers:r-x) and the ownership to
root:webusers
- add all users who should be allowed to use firefox to the group
webusers
You can, of course, create groups for all individual programs. Here are the commands for doing it.
sudo addgroup webusers
sudo chmod 750 /usr/bin/firefox
sudo chown root:webusers /usr/bin/firefox
sudo adduser alice webusers
sudo adduser bob webusers
Short answer: Yes and no.
Can root see my encrypted /home folder?
Yes. As long as you are logged in, root as well as any sudo user can see your decrypted files. Also, when you wake up from sleep, your /home will still be decrypted.
Also there is a bug in ecryptfs that prevents unmounting the decrypted /home folder at logout. You should instead shutdown or restart the machine or manually unmount the folder from another sudo/root user. See this question for more information.
Can another user with root privilege change my password, then login my account using the new password see my encrypted /home?
No. Your /home folder is not encrypted with your password, but with a passphrase which is encrypted with your password. Another user changing your password will not affect the passphrase.
At the first login after an administrative password change, you have to mount your encrypted home manually and rewrap the passphrase. For these tasks you need your old and the new password
ecryptfs-mount-private
ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase
When you change your password, the home directory passphrase is re-encrypted with your new password, so you should have continued access to your files with the new password. This is handled via PAM (Pluggable Authentication Modules) (via).
See this related question.
Best Answer
A
Publicfolder exists in your Home directory (/home/user) for sharing files with other users. If an other user wants to get access to thisPublicfolder, the execute bit for the world should be set on the Home directory.If you do not need to allow others to access your home folder (other humans or users like
www-datafor a webserver), you'll be fine withchmod o-rwx "$HOME"(remove read/write/execute from "other", equivalent tochmod 750 "$HOME"since the default permission is 750). Otherwise, you should change theumasksetting too to prevent newly created files from getting read permissions for the world by default.For a system-wide configuration, edit
/etc/profile; per-user settings can be configured in~/.profile. I prefer the same policy for all users, so I'd edit the/etc/profilefile and append the line:You need to re-login to apply these changes, unless you're in a shell. In that case, you can run
umask 027in the shell.Now to fix the existing permissions, you need to remove the read/write/execute permissions from other:
Now if you decide to share the
~/Publicfolder to everyone, run the next commands:chmod o+x ~- allow everyone to descend in the directory (x), but not get a directory listing (rshould not be added)find ~/Public -type f -exec chmod o+r {} \;- allow everyone to read the files in~/Publicfind ~/Public -type d -exec chmod o+rx {} \;- allow everyone to descend into directories and list their contentsIf you are use GNU coreutils (e.g. on Ubuntu, not on a embedded system having only
busybox), then the previous two commands usingfindandchmodcan be replaced by this single command that recursively makes folders and files readable (and additionally adds the execute (descend) bit for directories only):