I am currently running Fedora on a network computer, acting as a host to other users who will SSH into my terminal to do their work.
However I realised that they are also able to access my /home folder. How do I go about setting the permissions such that they are not able to access it?
By making it not world readable. By default it looks like so:
igalic@tynix /home % ls -lh
total 28K
drwxr-xr-x. 62 igalic igalic 4.0K Jun 20 10:24 igalic/
drwx------. 2 root root 16K Jun 1 15:54 lost+found/
igalic@tynix /home %
I can deny anyone but myself (and root) access with chmod o-rx:
igalic@tynix /home % ls -lh
total 20K
drwxr-x---. 62 igalic igalic 4.0K Jun 20 10:28 igalic/
drwx------. 2 root root 16K Jun 1 15:54 lost+found/
igalic@tynix /home %
These are the basic Unix permissions. You can do more fine-grained access-permissions with extended POSIX ACLs:
igalic@tynix /home % getfacl igalic
# file: igalic
# owner: igalic
# group: igalic
user::rwx
group::r-x
other::---
Or SELinux:
drwxr-x---. igalic igalic unconfined_u:object_r:user_home_dir_t:s0 igalic/
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found/
Words like permissions or access are too vague for a Unix system. In order to solve your problem, you would need to learn how permissions are managed, and then define more precisely what you mean by "not able to access it".
There are 3 kinds of permissions:
r: readw: writex: executeNote that the permission have special meaning for directories:
r: list the files in the directory, for instance with ls.w: add new elements to the directory.x: access files in the directory.There are 3 levels of permission you can set:
Note that when you create new users on the system, you're asked to assign them a group. The reason is simply for a better management of permissions.
There are various ways. I think the most straightforward would be using ls -l. Example:
$ ls -l file
-rw-r----- 1 rahmu users 406 Jun 18 13:28 file
The first column indicates the permissions.
-rw-r-----, the first bit (-) indicates whether the file is a directory, a link or a regular file. Ignore it for now. Then the next 3 bits (rw-) indicate the user-level permissions. That means user rahmu has the right to read and write this file. The next three bits (r--) are the group-level permissions, this means that all the users who are in the group users will have read access. All the other users will have no permission at all (--). That means they cannot read the file, write it, nor execute it.
It is usually done with the chmod utility. It supports many syntax, which one is best is debatable, but the following will make most sense after the above explanation:
$ chmod [who]operator[permissions] file
who is user, group or others. (there's also all, for modifying all three levels at once).operator is + or -.permission is r, w or x.Examples:
chmod u-w file: remove write permission for user.chmod a+x file: add execute permission for all.As I mentioned, you need to define what you mean by access. If what you mean is read access, as in you don't want them to even list what's inside your directory, then the easiest would be to take the appropriate permissions off the /home directory. (Assuming they're connecting with a separate user).
$ chmod o-rwx ~
Each file (and directory) belongs to a user and a group, always. To manage access control there are three sets of rights: one for the user the file belongs to, one for the group the file belongs to and one for everyone else (other).
Check our home-directory for its permissions, ls -l /home. Most likely your home-directory belongs to your username, which means whether or not others can access it depends on the group-rights and other-rights. Everybody who has read rights on your home-dir can retrieve a list of its contents, everybody with executable rights can access files in that directory.
To be as restrictive as possible set your home-directory permissions to 700 with chmod 700 /path/to/your/home This make your home-dir inaccessible for every user that is not you.
SSH has nothing to do with this!
If you are willing to install 3rd party apps, you should take a look at the limited shell (lshell). It can be configured to limit users' access to commands and/or paths in your file system.
It can also detect if a connection is done remotely (over SSH, FTP, ...) and act differently accordingly.
I cannot give you an exact configuration to your use case, but I suggest you take a look at the description of all the available options, as well as the sample config file hosted on the project's website.