Permissions 755 – Understanding Permissions on /home/<user>/

chmod, files, permissions

I am wondering why by default my directory /home/<user>/ has permissions set to 755. This allows other users to enter into directories and read files in my home. Is there any legitimate reason for this?

Can I set the permissions to 700 for my home and all subdirectories, for example:

chmod -R o-xw /home/<user>/ 
chmod -R g-xw /home/<user>/

without breaking anything?

Also, is it possible to set the permissions on my home, so that all new files created will have 600 and directories 700 ?

Best Answer

If your home directory is private, then no one else can access any of your files. In order to access a file, a process needs to have execute permission to all the directories on the path down the tree from the root directory. For example, to allow other users to read /home/martin/public/readme, the directories /, /home, /home/martin and /home/martin/public all need to have the permissions d??x??x??x (it can be drwxr-xr-x, or drwx--x--x or some other combination), and additionally the file readme must be publicly readable (-r??r??r??).

It is common to have home directories with mode drwxr-xr-x (755) or at least drwx--x--x (711). Mode 711 (only execute permission) on a directory allows others to access a file in that directory if they know its name, but not to list the content of the directory. Under that home directory, create public and private subdirectories as desired.

If you never, ever want other people to read any of your files, you can make your home directory drwx------ (700). If you do that, you don't need to protect your files individually. This won't break anything other than the ability of other people to read your files.

One common thing that may break, because it's an instance of other people reading your files, is if you have a directory such as ~/public_html or ~/www which contains your web page. Depending on the web server's configuration, this directory may need to be world-readable.

You can change the default permissions for the files you create by setting the umask value in your .profile. The umask is the complement of the maximal permissions of a file. Common values include 022 (writable only by the owner, readable and executable by everyone), 077 (access only by the owner), and 002 (like 022, but also group-writable). These are maximal permissions: applications can set more restrictive permissions, for example most files end up non-executable because the application that created them didn't set the execute permission bits when creating the file.
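An added example (not part of the original answer) that exercises the two rules above on a throwaway directory tree: it walks a path and reports the first component that denies "others" search (x) access, or the final file if it denies "others" read (r) access, and it shows what modes touch and mkdir produce under umask 077 versus 022. It assumes a Linux system with GNU coreutils (stat -c '%a'); the home directory /home/martin and the file public/readme are constructed under a temp directory for the demo, so the real / and /home are not checked.

```shell
#!/bin/sh
# Added example: path traversal rule and umask on a constructed tree.
set -eu

# Walk from directory $1 down to $2, checking the "others" bits the way the
# kernel would for a user who is neither the owner nor in the group:
# every directory needs o+x (search), the final file needs o+r.
# Prints the first blocking component and returns 1; returns 0 if reachable.
path_open_to_others() {
    top="$1"; target="$2"
    cur="$top"
    rel="${target#"$top"}"; rel="${rel#/}"
    while :; do
        m=$(stat -c '%a' "$cur")          # octal mode, e.g. 755 or 1777
        o=$(( m % 10 ))                    # last octal digit = "others"
        if [ -d "$cur" ]; then
            if [ $(( o & 1 )) -eq 0 ]; then
                printf 'blocked: %s is mode %s (no o+x)\n' "$cur" "$m"
                return 1
            fi
        elif [ $(( o & 4 )) -eq 0 ]; then
            printf 'blocked: %s is mode %s (no o+r)\n' "$cur" "$m"
            return 1
        fi
        [ -z "$rel" ] && return 0
        next="${rel%%/*}"                  # next path component
        cur="$cur/$next"
        rel="${rel#"$next"}"; rel="${rel#/}"
    done
}

# Build the constructed tree base/home/martin/public/readme with the
# "common" modes from the answer: directories 755, file 644.
build_tree() {
    base="$1"
    mkdir -p "$base/home/martin/public"
    printf 'hello\n' > "$base/home/martin/public/readme"
    chmod 755 "$base/home" "$base/home/martin" "$base/home/martin/public"
    chmod 644 "$base/home/martin/public/readme"
}

# Create one file and one directory under $2 with umask $1 (in a subshell so
# the caller's umask is untouched) and print their resulting modes.
demo_umask() {
    (
        umask "$1"
        touch "$2/f"
        mkdir "$2/d"
        printf '%s %s\n' "$(stat -c '%a' "$2/f")" "$(stat -c '%a' "$2/d")"
    )
}

tmp=$(mktemp -d)
build_tree "$tmp"
echo "home/martin at 755:"
path_open_to_others "$tmp/home" "$tmp/home/martin/public/readme" && echo "  readme reachable by others"
chmod 700 "$tmp/home/martin"               # the 700 home from the answer
echo "home/martin at 700:"
path_open_to_others "$tmp/home" "$tmp/home/martin/public/readme" || echo "  readme not reachable"
echo "umask 077 -> file dir: $(demo_umask 077 "$tmp")"        # 600 700
echo "umask 022 -> file dir: $(demo_umask 022 "$tmp/home")"   # 644 755
rm -rf "$tmp"
```

Note that the walk only checks the "others" bits, which is the case the answer is about; a user in the file's group, or root, is evaluated against different bits and is not modelled here. The temp directory from mktemp is itself created with mode 700, which is why the walk starts at the constructed home rather than at the temp root.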
