limiting users to their home directory

H.S. hs.samix at
Tue Dec 23 22:32:21 UTC 2008

Loïc Grenié wrote:
> 2008/12/23 H.S. <hs.samix at>:
>> Okay. But I do not see its use if the OP desires this. And what about
>> conf files and default desktop files the various window managers use?
>> And the system font files?
>> Also, if the OP sets the user's default permissions with rwX with no
>> permissions for groups and others, except in the case of ~/www
>> directories, wouldn't this achieve what he wants to do?
>> What I do not understand yet is does the OP want to hide *all* of the
>> system from each user or just other users?
>     This is what I understand: he wants to hide all the system from
>   all users. Other users' directories are easy: chmod 700 /home/*
>   plus some usage of mount -o bind to let apache see the
>   www dirs.
>     Nick Smith, the first poster, asked specifically
>> I [...] would like to lock each user down to be able to see/edit
>> only files in his directory, and disable ssh access. [...]
>> Seems like that would be a huge security risk to have a user
>> able to browse to any directory he wishes and open/download
>> the contents.
>     Being able to read the files of other users does not look
>   like a "huge security risk". A privacy risk maybe, a small
>   security risk (if some user has left a readable private key
>   in a readable dir). Therefore I conclude that the first poster
>   wanted to deny to all users the access to all the system
>   except to their own files. As far as I can tell (and everybody
>   else here) it is nearly impossible and mostly useless.
>     I repeat here what has been said before by various persons
>   (including my very own self), it is *not* a huge security risk
>   to let anybody see and download most of the operating
>   system. Obviously the private keys of the system must
>   not be accessible, nor the encrypted passwords (even though
>   I hope the encryption algorithm is better than what it was
>   20 years ago). The sensible files are unreadable by default
>   so that an Ubuntu system is mostly safe as is. Preventing
>   users from reading the files does *not* significantly improve the
>   security (think: 0.1% more secure). Keeping the system
>   patched is a *much* better security improvement, checking
>   if the system is properly configured is *much* *better* (and
>   in that case not letting the users read the files has 0 impact
>   on security).
>       Loïc

Yup, completely agree. There is absolutely no point in hiding the OS
from any user, even if it is possible, unless the OP has customized his own
OS and wants to hide *that fact*. The other way to look at it is that
the users can download Ubuntu from anywhere if not from his machine.
This is just a "Doh!" situation.

I hope the OP answers my questions regarding what he is missing and due
to what reason if all he does is set his users' permissions as I and
others have mentioned earlier.


Please reply to this list only. I read this list on its corresponding
newsgroup on Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
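
The two conditions raised in the quoted message (home directories not set to 700, and a readable private key left in a readable directory) can be audited with a short script. This is an added example, not part of the original thread; the function name `audit_homes` and its output labels are made up here, and it assumes GNU find and stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: audit_homes /home
#
# audit_homes ROOT prints one line per finding:
#   HOME_OPEN <mode> <dir>   home dir grants some group/other permission
#   KEY_READABLE <file>      PEM private key that group/other can reach
audit_homes() {
    root=$1
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        mode=$(stat -c %a "$home")
        # Owner-only modes (chmod 700 or tighter) keep everyone else out,
        # so nothing below such a home needs checking.
        if [ -n "$(find "$home" -maxdepth 0 -perm /077)" ]; then
            echo "HOME_OPEN $mode $home"
        else
            continue
        fi
        # Prune subtrees that group/other cannot enter (no g+x or o+x),
        # then look at group/other-readable files for a PEM key header.
        find "$home" -type d ! -perm /011 -prune -o \
             -type f -perm /044 -print |
        while IFS= read -r f; do
            if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
                echo "KEY_READABLE $f"
            fi
        done
    done
}
```

A home that is deliberately opened so the web server can reach `~/www` will show up as `HOME_OPEN`; the report is a list to review, not a list of errors.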
