limiting users to their home directory

H.S. hs.samix at gmail.com
Tue Dec 23 22:32:21 UTC 2008


Loïc Grenié wrote:
> 2008/12/23 H.S. <hs.samix at gmail.com>:
>> Okay. But I do not see its use if the OP desires this. And what about
>> conf files and default desktop files the various window managers use?
>> And the system font files?
>>
>> Also, if the OP sets the user's default permissions with rwX with no
>> permissions for groups and others, except in the case of ~/www
>> directories, wouldn't this achieve what he wants to do?
>>
>> What I do not understand yet is does the OP want to hide *all* of the
>> system from each user or just other users?
> 
>     This is what I understand: he wants to hide all the system from
>   all users. Other users' directories are easy: chmod 700 /home/*
>   plus some usage of mount -o bind to let apache see the
>   www dirs.
> 
>     Nick Smith, the first poster, asked specifically
> 
> I [...] would like to lock each user down to be able to see/edit
> only files in his directory, and disable ssh access. [...]
> Seems like that would be a huge security risk to have a user
> able to browse to any directory he wishes and open/download
> the contents.
> 
>     Being able to read the files of other users does not look
>   like a "huge security risk". A privacy risk maybe, a small
>   security risk (if some user has left a readable private key
>   in a readable dir). Therefore I conclude that the first poster
>   wanted to deny to all users the access to all the system
>   except to their own files. As far as I can tell (and everybody
>   else here) it is nearly impossible and mostly useless.
> 
>     I repeat here what has been said before by various persons
>   (including my very own self), it is *not* a huge security risk
>   to let anybody see and download most of the operating
>   system. Obviously the private keys of the system must
>   not be accessible, nor the encrypted passwords (even though
>   I hope the encryption algorithm is better than what it was
>   20 years ago). The sensible files are unreadable by default
>   so that an Ubuntu system is mostly safe as is. Preventing
>   users from reading the files does *not* significantly improve the
>   security (think: 0.1% more secure). Keeping the system
>   patched is a *much* better security improvement, checking
>   if the system is properly configured is *much* *better* (and
>   in that case not letting the users read the files has 0 impact
>   on security).
> 
>       Loïc
> 

Yup, completely agree. There is absolutely no point in hiding the OS
from any user, even if it is possible, unless the OP has customized his own
OS and wants to hide *that fact*. The other way to look at it is that
the users can download Ubuntu from anywhere if not from his machine.
This is just a "Doh!" situation.

I hope the OP answers my questions regarding what he is missing and due
to what reason if all he does is set his users' permissions as I and
others have mentioned earlier.



-- 

Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
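
Added example, not part of the original post: a POSIX shell audit for the scheme described in the thread (`chmod 700 /home/*`) that also flags the "readable private key in a readable dir" case. The function names `audit_homes` and `mode_of` are hypothetical, and GNU stat, find and grep (as shipped on Ubuntu) are assumed.

```sh
#!/bin/sh
# Added example (not from the thread): audit a homes tree against the
# "chmod 700 /home/*" scheme. Assumes GNU stat/find/grep, as on Ubuntu.
# Typical use after sourcing this file: audit_homes /home

# Octal permission bits of a path, e.g. 700.
mode_of() { stat -c '%a' "$1"; }

# audit_homes BASE -> one finding per line: "<KIND> <mode> <path>"
#   HOME_OPEN     home directory grants some access to group or others
#   KEY_READABLE  PEM/OpenSSH private key that group or others can read and
#                 reach (every directory from the home down is traversable)
audit_homes() (
    base=$1
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        m=$(mode_of "$home")
        # Any group/other bit on the home means it is not at mode 700.
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "HOME_OPEN $m $home"
        fi
        # Prune directories that group/others cannot enter, so a key inside
        # a closed home or a closed ~/.ssh is not reported.
        find "$home" -xdev -type d ! -perm /011 -prune -o \
             -type f -perm /044 -size -64k \
             -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null |
        while IFS= read -r f; do
            echo "KEY_READABLE $(mode_of "$f") $f"
        done
    done
)
```

A home at mode 700 produces no findings at all, whatever the modes of the files inside it, because nothing below it is reachable by other accounts.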
