Linux Permissions – Recommended Permissions for User’s Home Directory and Files

homelinuxpermissionsSecurityusers

I'm working with a fresh install of Ubuntu 12.04 and I've just added a new user:

useradd -m testuser

I thought that the -m flag to create a home directory for users was pretty standard, but now that I've taken a closer look I'm a little confused:

By default the new directory that was just created shows up as:

drwxr-xr-x  4 testuser testuser 4.0K May 20 20:24 testuser

With the g+r and o+r permissions that means every other user on the system can not only cd to that user's home directory, but also see what is stored there.

When reading over some documentation for suPHP it recommends setting the permissions as 711 or drwx--x--x which is how it would make the most sense to me.

I noticed that I can change the permissions on the files inside /etc/skel and they are set correctly when creating new users with useradd -m but changing the permissions on the /etc/skel directory itself does not seem to have any effect on the new directories that are created for users in /home/

So – what type of permissions should a user's home directory and files have – and why?
If I wanted permissions to be different for useradd -m – like the 711 / drwx--x--x as I saw mentioned, how is one to do that? Must you create the user and then run chmod ?

Best Answer

To make the creation of the home directory behave differently do

useradd -m -K UMASK=0066 testuser

Giving other no access at all should be safe.

Related Solutions

Giving group permissions to other user’s files

It's hard to give precise commands without knowing the O/S or distribution; and yes! ACL would work, but there's a standard way, too.

There's adduser and useradd, one of them on your distribution may create the user's home directory automatically. If so, then the contents of the /etc/skel/ directory would be copied into the the user's home directory, permissions set, and perhaps some other appropriate actions might make place.

There may exist groups pre-defined for sharing, such as 'staff'; but, if we want to create our own group for sharing, there's nothing wrong with that. So, create a new group or use an existing group. Make sure that users who are to be members of the group have been defined as such with usermod, moduser, or vigr perhaps, according to the operating system. Each user currently logged in must logout and back in again to become a member of a new group.

Create a directory common for all users, such as /home/share_directory/ or any other directory that makes the most sense for your situation. A relevant best practice is not to use a directory within any user's home directory. If no one except the owner and group should be able to see files in the directory, then change the directory's permissions to 0770. If reading is ok by "others", then use 0775. The owner of the directory should almost certainly be root.

chown root:group_name /home/share_directory/

Next, change the setuid bit.

chmod +s /home/share_directory/

If no user should be able to modify another user's file, then also set the stick bit.

chmod +t /home/share_directory/

These examples set both the setuid and sticky bits at the same time using octal notation.

chmod 5775 /home/share_directory/

chmod 5770 /home/share_directory/

For the updated question, it seems as though ACL is the right tool. Most Linux distributions now include the acl option in the defaults option. If your distribution doesn't include the acl option by default, then this a little work is needed to start using it. First mount the file systems with the acl option in /etc/fstab.

sudo vim /etc/fstab
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 defaults,acl 0 1

If needed, remount the filesystem: sudo mount -o remount,acl /. Then make a group to which a user may belong for this purpose. You may need to install the ACL tools as well: apt-get install acl.

sudo groupadd developers
sudo usermod -a -G developers $username

(Or the group might be "contractors".) A currently logged in user must log out and back in again to become a member of the new group. Of course, do not do this if you have content in the /var/www directory that you want to keep, but just to illustrate setting it up to start:

sudo rm -rf /var/www
sudo mkdir -p /var/www/public
sudo chown -R root:developers /var/www/public
sudo chmod 0775 /var/www/public
sudo chmod g+s /var/www/public
sudo setfacl -d -m u::rwx,g::rwx,o::r-x /var/www/public
sudo setfacl -m u::rwx,g::rwx,o::r-x /var/www/public
sudo setfacl -d -m u::rwx,g:contractors:rwx,o::r-x /var/www/public
sudo setfacl -m u::rwx,g:contractors:rwx,o::r-x /var/www/public

Above, the difference between the setfacl commands are these: the first instance uses the default group (group owner of the directory) while the second specifies a group explicitly. The -d switch establishes the default mask (-m) for all new filesystem objects within the directory. Yet, we also need to run the command again without the -d switch to apply the ACL to the directory itself. Then replace references to "/var/www" with "/var/www/public" in a config file and reload.

sudo vim /etc/apache2/sites-enabled/000-default
sudo /etc/init.d/apache2 reload

If we wanted to restrict delete and rename from all except the user who created the file: sudo chmod +t /var/www/public. This way, if we want to create directories for frameworks that exist outside the Apache document root or maybe create server-writable directories, it's still easy.

Apache-writable logs directory:

sudo mkdir /var/www/logs
sudo chgrp www-data /var/www/logs
sudo chmod 0770 /var/www/logs

Apache-readable library directory:

sudo mkdir /var/www/lib
sudo chgrp www-data /var/www/logs
sudo chmod 0750 /var/www/logs

A litle bit of "play" in a directory that does not matter should help get this just right for your situation.

On restrictions, I use two different approaches: the shell, rssh, was made to provide SCP/SFTP access but no SSH access; or, to restrict the use to a home directory you could use the internal-sftp subsystem, configured in /etc/ssh/sshd_config.

Subsystem sftp internal-sftp

Match group sftponly
  ChrootDirectory /home/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

Create a group named, for example, sftponly. Make users a member of the sftponly group. Change their home directories to / because of the chroot. The directory, /home/username, should be owned by root. You can also set the user's shell to /bin/false to prevent SSH access. Mostly I am concerned about interactive access, so generally go with the rssh path. (They can't write anywhere except where I have defined write ability.)

File Permissions – Can Users in a Group Access a File in Another User’s Home Directory?

Some points that seem to be necessary (though I freely admit that I am not expert in these matters), and that were not covered in RobertL's otherwise admirably thorough answer.

Make sure that the other users have actually logged into group admin:

A$ newgrp admin

Since the users are already in the group, I think you will not need to set a group password. If you do:

A$ sudo chgpasswd
admin:secret (typed into stdin)

Make sure that D's home directory is in group admin and is group-searchable.

D$ chgrp admin ~
D$ chmod g+x ~
D$ ls -lad ~
drwx--x--- 3 D admin 4096 Nov 24 19:25 /home/D

The directory needs to be searchable to allow users to enter it or its subdirectory project. It doesn't need to be group-readable, so D's own filenames are still private. To let the other users get to project easily, have them create symbolic links to it; otherwise, they'll have to type the whole path each time (autocomplete won't work because the shell can't read the pathname, it can only go to it).

Best Answer

Related Solutions

Giving group permissions to other user’s files

File Permissions – Can Users in a Group Access a File in Another User’s Home Directory?

Related Question