restrict access for user to several directories

Question

I'm looking for a possibility to restrict access of a user to his homedirectory and some several other folders with data.

/home/user1, /data/media

to realize that is not a big deal, but how can I prohibit that user1 is not able to look into other folders or files? e.g by default all users have permission to browse nearly all directories and files.

e.g. is there a possibility prohibit that user1 is able to see its folder but is not able to browse through /etc, /opt and so on?

otherwise he would be able to look into config files what we really want to prohibit...

we tried with the chroot, but in this methot he would only be able to see his homefolder...

Many thanks

davidgo · Accepted Answer · 2016-03-24 08:42:41Z

1

I think using chroot is the best bet. Use mount --bind /source /home/user/dir to create a "tree" of directories the user can access from the chroot jail.

The alternative would be to deny the user permissions to other parts of the system using chmod and chown, but this risks other side-effects, and its quite likely you will miss something.

answered Mar 24, 2016 at 8:42

davidgo

71.4k14 gold badges111 silver badges169 bronze badges

Add a comment |

dr_ · Accepted Answer · 2016-03-24 09:06:38Z

0

You can use the Access Control List (ACL) system, which allows for more fine-grained permissions. The relevant commands are setfacl and getfacl.

Since you didn't specify your distro, here's some link about ACLs on Debian and on RHEL/CentOS.

answered Mar 24, 2016 at 9:06

dr_

4,54711 gold badges39 silver badges47 bronze badges

Add a comment |

BDRSuite · Accepted Answer · 2016-03-24 10:03:09Z

The default folder permissions are 755 (readable and executable/accessible by others).

You can change the default permissions for all folders by editing the file /etc/adduser.conf -

Find the line:DIR_MODE=0755

To block others, change it to:DIR_MODE=0750

To also block people in the same group (see ls -l /home) change it to:DIR_MODE=0700 Changes will take effect when you create a new user.

You can change the default file/folder permissions (i.e. when you create a new file) of a specific folder by using these commands:

chmod g+s /folder/mypath #set sticky bit

setfacl -d -m g::rwx /folder/mypath #set group to rwx default

setfacl -d -m o::000 /folder/mypath #set other permissions accordingly

To verify the change:

getfacl /folder/mypath

this is for specific folders

Stack Exchange Network

restrict access for user to several directories

3 Answers 3

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
linux
user
restrictions
.

Hot Network Questions

restrict access for user to several directories

3 Answers 3

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged linuxuserrestrictions.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
linux
user
restrictions
.