Out of the box, standard users can view other user's home directory. Here's an easy way to prevent this for newly-created users.
If you administer a Linux server, chances are that server might be used by numerous users. In fact, you probably created those users yourself. Or maybe another admin created the users. Either way, there are probably a number of users working on the server, each of which has their own home directory. Thing is, when those home directories were initialized, chances are they were created with world-readable permissions. That means anyone on the server can read the contents of other user's files. Although they may not be able to edit those files, they can still read them. For some companies, that might be considered a security issue. If that's the case, what do you do? If the users were already created, you must go through and manually remove world-readable permissions with command like:
sudo chmod 0750 /home/USER
Where USER is the name of the actual user.
But you don't want to have to keep doing that moving forward, as that would be a waste of your precious time. Instead, why don't you set the system up, such that every time you create a new user, said user's home directory will be created sans world-readable permissions. Now that's the way to go.
I'm going to demonstrate how to do this on Ubuntu Server 18.04, but the process is the same for nearly all Linux distributions.
What you'll need
Simple. You'll need a working Linux distribution, an account with sudo privileges, and your favorite text editor (mine being nano).
When you create a new user, with the adduser command, the defaults for the user are drawn from the /etc/adduser.conf file. Because of this, we're going to make a change to the file, such that every new user home directory added will be done so without world-readable permissions. To do this, open that file with the command sudo nano /etc/adduser.conf (substitute nano with your favorite text editor).
With that file open, look for the line DIR_MODE. The default value for this line will be:
That is what is responsible for giving the new user's home directory the permission we don't want. Change that line to:
Save and close that file. Now issue the command:
sudo adduser USERNAME
Where USERNAME is the name of the new username to be added. Walk through the questions for adding the user (Figure A).
Once the user is created, issue the command ls -l /home to see that the new user was created without global r permissions (Figure B).
From this point on, every new user will be created with a more secure home directory. Without sudo permissions, users won't be able to view the contents of those home directories. Of course, by using sudo, users could view the contents of other home directories, so not giving standard users sudo privileges might be a policy you'll want to consider. The good news is that creating new users with the adduser command doesn't automatically add them to the sudo group. So this shouldn't be a problem.
Enjoy the added security
With this new configuration in place, your users can be assured that no other standard user will be able to view the contents of their home folders. For any Linux system that has multiple users logging in and working, this might be considered a must-do for administrators. Enjoy this added layer of security.
- How to enable Samba connections via hostname (TechRepublic)
- How to install and use the Titan text-based password manager on Linux (TechRepublic)
- How to use the curl command for uploading and downloading files without user interaction (TechRepublic)
- How to install Ubuntu Server 18.04 (TechRepublic)
- Another day, another Intel CPU security hole: Lazy State (ZDNet)