Re: Restricting a shell user to his home dir ?
From: Simon Kitching (simon_at_ecnetwork.co.nz)
To: firstname.lastname@example.org
Date: Thu, 05 Aug 2004 18:40:47 +1200
On Thu, 2004-08-05 at 18:16, email@example.com wrote:
> I am learning a lot from this mailing list :). I have a few shell users, I want to restrict their shell login to their home directories.
> Like they should not be able to move around in the system and see other users' home directories.
> Any suggestions would be useful.
When you installed Debian, you should have been asked "should home dirs
be readable by others". If you answered no, then when new users are
created, their home dir will automatically have permissions of
rwx------, which means that no other user on the system can see their
files. I believe this is even the default setting. [NB: perms of
rwxr-x--- are also secure, provided each user has their own personal

If you answered "yes, home dirs should be readable by others" then when
you added users, their home dir will be rwxr-xr-x, which allows others
to see their files. This is often the default for "traditional" Unix
systems, like AIX. In this case, users (or you) can use chmod to make
the home dirs unreadable.
But generally, users *do* need access to the rest of the system. They
need access to /bin, /usr/bin, etc. or they won't be able to run even
simple tasks like "cp", "more", etc. And Unix is designed to allow users
to access system dirs without any harm occurring. Note that users will
be able to see that dirs /home/fred, /home/sue etc. exist but won't be
able to see anything in them if the permissions on those dirs are set

If you're really paranoid (and this can sometimes be healthy) you can
look into something called "chroot", which means that when users log in,
they get a special restricted view of the local filesystem. But this is
a major pain to set up and administer. Only for the brave...
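As an added example (not part of the original thread), a POSIX shell script that audits a home-directory tree for the rwxr-xr-x situation described above, reports every home dir that grants any access to "other", and can tighten those to rwx------; the script name homeperms.sh and the default base /home are assumptions.

```shell
#!/bin/sh
# Audit home directories for permissions that let other users read them.
# A dir is reported when its "other" permission digit is non-zero
# (e.g. rwxr-xr-x = 755); rwx------ (700) and rwxr-x--- (750) are
# treated as fine, matching the reasoning in the message above.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List home directories under $1 that are visible to other users.
# Output: one line per directory, "<mode> <path>".
insecure_home_dirs() {
    base="$1"
    for d in "$base"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        mode=$(dir_mode "$d")
        # Last octal digit is the "other" class; 0 means no access at all.
        other="${mode#"${mode%?}"}"
        if [ "$other" != "0" ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# Tighten every directory reported above to 0700, the mode the message
# describes for Debian installs where home dirs are not readable by others.
lock_down_home_dirs() {
    insecure_home_dirs "$1" | while read -r mode path; do
        chmod 0700 "$path" && printf 'changed %s from %s to 700\n' "$path" "$mode"
    done
}

# Usage: ./homeperms.sh audit [/home]   or   ./homeperms.sh fix [/home]
if [ "${1:-}" = "audit" ]; then
    insecure_home_dirs "${2:-/home}"
elif [ "${1:-}" = "fix" ]; then
    lock_down_home_dirs "${2:-/home}"
fi
```

Run the audit as root if you want the report to cover every home dir regardless of who owns it; chmod in fix mode likewise needs ownership or root.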
-- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org