Userdirsecurity

This page is dedicated to locking down user home directories. This is necessary because, by default, Ubuntu gives "other" (everyone on the system who is neither the owner nor a member of the directory's group) r-x (read/execute) permissions on home directories. This is not acceptable in an educational environment, as any student would be able to navigate to any other student's (or teacher's) home directory.

Here are the steps to lock down user home directories, so only the logged-in student (and any teacher/admin staff in the "admin" group) will have access to user directories:

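First, change filesystem permissions on all existing user home directories so that only the owner and group have rwx permissions. The * matches every entry in /home, so check that /home contains only user home directories before running this: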

cd /home

sudo chmod 770 *

Now, change the group owner to the "admin" group (only teachers and/or system administrators/techs should be members of the "admin" group, as it is used for system administration purposes):

sudo chgrp admin *

NOTE: How do you automatically make adduser give a certain (say, 'admin') group ownership of a newly created user's homedir? This is required if you don't want to do some sort of ugly cron chgrp hack to take care of homedir permissions…

Lastly, to prevent the home directories of newly added users from being created with bad permissions, edit the /etc/adduser.conf file:

sudo vim /etc/adduser.conf

adduser.conf:

...

# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0755 will be used.
DIR_MODE=0770

...
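
To check that the steps above took effect, and to catch home directories that were created later with the wrong mode or group, the following audit function can be run at any time. It is an added example, not part of the original page; the function name audit_homes is made up for illustration and it assumes GNU stat, as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original page): audit the directories directly
# under a base path (normally /home) against the policy described above.
# Assumes GNU stat, as shipped with Ubuntu.

# audit_homes BASE GROUP
# Prints one line per directory that "other" can access or that is not
# group-owned by GROUP. Returns 0 when nothing is flagged, 1 otherwise.
audit_homes() {
    base=$1
    want_group=$2
    flagged=0
    for dir in "$base"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue      # glob matched nothing
        [ -L "$dir" ] && continue      # skip symlinks; judge only real directories
        mode=$(stat -c %a "$dir")      # octal mode, e.g. 770 or 755
        group=$(stat -c %G "$dir")     # group owner by name
        other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
        problems=
        [ "$other" != 0 ] && problems="other has access"
        if [ "$group" != "$want_group" ]; then
            problems="${problems:+$problems, }group is not $want_group"
        fi
        if [ -n "$problems" ]; then
            printf '%s (mode %s, group %s): %s\n' "$dir" "$mode" "$group" "$problems"
            flagged=1
        fi
    done
    return "$flagged"
}

# Typical use on the system described on this page:
#   audit_homes /home admin
```

A non-zero exit status means at least one directory still needs chmod 770 or chgrp admin.
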
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License