In a multi-user environment using Ubuntu server 14.04 as a shared drive, all users connect via SFTP using FileZilla/WinSCP and are chrooted to /home/company-folder/. Each user also has his own personal folder under /home/company-folder/users/, e.g. /home/company-folder/users/username-1, /home/company-folder/users/username-2 and so on.

Now username-1 can see the other users' personal folders (/home/company-folder/users/username-2, /home/company-folder/users/username-3, etc.); he cannot access the other users' folders, but he can see them listed.

Question is: what can I do so users cannot see each other's personal directories under /home/company-folder/users/?

Is there any way in Ubuntu Linux to hide non-readable folders? In a system with 100+ users it is not convenient for users to browse through the whole list of user folders to find their personal folder.
Best Answer
In general, no. Only the permissions of the (from your point of view) parent directory determine whether its content can be listed by a particular user. This includes directory entries that this user cannot open/read. The mechanism for SSH/SFTP access is the same as with local tools, since the SSH/SFTP server spawns a subprocess for each session and changes the ownership of the subprocess to the respective user as soon as they're authenticated successfully.

Consider the following example:

As you can see, I, david, can list the content of /home even though I am not its owner, since everybody can read it (see the permission mask in front of the . entry). I can list the content of /home/guest for the same reason. I can also list the content of /home/david, since I'm its owner and the owner has read permission. However, I cannot list the content of /home/root, since I'm not the owner and nobody but the owner has read permissions on that directory:

If one changed the ownership of /home to remove read permission for non-owners, I could not list the content of /home any longer:

Though, I can still traverse /home and read /home/david, because the traverse permission (that's the semantic of the "execute" bit on directories) is still set on /home (and /):

See Jakuje's answer for a possible alternative approach to your underlying aim.
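The following shell script is an added example, not part of the answer above and not the answer author's own commands. It rebuilds the users/username-1, users/username-2 layout from the question in a throwaway directory created with mktemp (the real path /home/company-folder/users is not touched) and shows the distinction the answer describes: with mode 0711 on the users/ directory, nobody, not even the owner, can list its entries (the r bit is missing), yet a file below it can still be opened by its full path, because the x bit on every directory along the way allows traversal. The function names and the readme.txt sample file are constructed for the demonstration. One caveat: root bypasses these permission checks, so the "cannot list" branch only holds when the script runs as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original answer): read bit versus execute/traverse bit
# on directories, exercised on a temporary copy of the question's layout.

set -u

# Build the tree under a fresh temporary directory and print its path.
# Layout: $base/users/username-1, $base/users/username-2 (names taken from the question).
make_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/users/username-1" "$base/users/username-2"
    # Constructed sample file so that traversal can be demonstrated on a real read.
    printf 'hello\n' > "$base/users/username-1/readme.txt"
    # users/: x for everyone (traverse), r for nobody (no listing), w only for the owner.
    chmod 0711 "$base/users"
    # Each personal folder: owner only, as in the question.
    chmod 0700 "$base/users/username-1" "$base/users/username-2"
    printf '%s\n' "$base"
}

# Exit status 0 if the directory can be listed (requires the r bit), non-zero otherwise.
can_list() {
    ls "$1" >/dev/null 2>&1
}

# Exit status 0 if a known path below a directory can be opened for reading.
# This needs only the x bit on every directory component, not the r bit.
can_traverse_to() {
    cat "$1" >/dev/null 2>&1
}

# Run the whole demonstration and print what the current user can and cannot do.
# The last line printed is the file content read through the traverse-only directory.
demo() {
    base=$(make_tree)
    if can_list "$base/users"; then
        echo "users/ can be listed (expected only as root, which bypasses permission checks)"
    else
        echo "users/ cannot be listed: the r bit is not set"
    fi
    if can_traverse_to "$base/users/username-1/readme.txt"; then
        echo "users/username-1/readme.txt is still readable: x on users/ allows traversal"
    fi
    cat "$base/users/username-1/readme.txt"
    rm -rf "$base"
}

demo
```

Applied to the question, chmod 0711 on the users directory is the closest a plain permission bit gets to "hiding" the folders: the list is gone for everyone, but each user can still change into, or have the SFTP client open, the folder whose name they already know. What the bits cannot do is show each user a filtered listing containing only their own entry; that is the part the answer says is not possible this way.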