# setting users' /home file privileges



## contraversy (Apr 29, 2012)

I set up a shell for me and my friends to host some IR bots. I want them to be restricted to their /home/ folder (/home/<username>) and not be able to *cd* out, or if that's not possible at least not able to *ls* any directory but their own.

I made a login.conf group for them called 'standard' and the users are of the wheel group.

What chmod command will do this?

Thanks ahead of time!


----------



## sk8harddiefast (Apr 29, 2012)

`chown -R user folder`

If the user does not have permission to ls any directory but their own, the chown command gives this permission to the folder.


----------



## contraversy (Apr 29, 2012)

When the user logs in, they are in /home/<username>/ so if I use `chown -R <user name> /home/<username>` that means once they log in they are ONLY able to see and modify items inside their folder?

Do I need to set up all wheel users to login as chroot? Doesn't that mean they are confined to that folder? Sorry, just wanting to cover all bases.

I did what you said with *chown -R*. Now every time a user tries to connect it fails and says

```
fatal: bad ownership for chroot /home/
```


----------



## anon12b (Apr 29, 2012)

May I ask, is it your intent that these users cannot affect your host system?  If so, do you mind if they would, possibly, be able to affect each other?

Given that you want to protect your host system, but are fine with the users, possibly, affecting each other, I would recommend you create a jail(8) for them to use. This is a much better mechanism for protecting your host system than simply using chroot(8). You can take a look at jail(8), or check out the jails chapter of the FreeBSD handbook.  You can enable security measures inside the jail, that may be an inconvenience too far outside. For example, you can mount large parts of the file system read-only, or raise the securelevel, and so on.

For clarity, by, "possibly, affecting each other," I am referring to all of these users being in the same jail(8) shell server.  If this is roughly what you want, then feel free to ask further questions based upon it.


----------



## contraversy (Apr 30, 2012)

I have been searching consistently, and am reading the handbook about jails as I'm replying to this actually, here's a little more into what I want to do.

I currently have a shell account that I use, I pay maybe $3.50 US a month for it, and when I log in I have my home directory, I can *cd ..* to the /home/ directory, but if I type *ls* to see the listing of different user folders, it says

```
access denied
```
or something like that.

I emailed them and all they said was "*chmod r+o /home/*" and I did that and ended up having to reinstall the OS because it wouldn't let anyone log in via ssh.


----------



## anon12b (Apr 30, 2012)

Well, what you want is actually much simpler than I interpreted.  If all you want is for users to be unable to view a certain directory, then you just need a couple of tips about how directory permissions work.

The first problem you are probably running into is that /home on FreeBSD is, in fact, a symbolic link, not a directory.  The actual directory is located at /usr/home.  If your shell account host runs anything other than FreeBSD, then there is a good chance that this is not the case for them.

The next is a tip on how file permissions work for directories.  Directories and files use the same permission set (Read, Write, Execute, Special).  Both contain these settings for three different subjects: the owner, a group, and everybody else.  However, directories are special.  In a directory:


- Read access means you can see the contents of the directory
- Write access means you can create or remove files from the directory
- Execute access means you can traverse the directory

What you, therefore, essentially want is for the users to be unable to read, or write to the directory.  However, you want them to be able to traverse the tree, to get to the directory that they need.  In your case, I need execute access on /usr to get to /usr/home, and then /usr/home to get to /usr/home/<username>.  However, I do not need read, or write access to these directories.

Since your intention is that users cannot read each other's home directories, you just need to make /usr/home executable, but not readable, or writeable.  However, /home is just a reference to that folder; you do not need to change permissions on /home.  In fact, you need to be able to read a symbolic link to be able to resolve where it is pointing to.


```
# ls -ld /home
lrwxr-xr-x 1 root wheel 8 Apr 30 11:05 /home -> usr/home
# ls -ld /usr/home
drwxr-xr-x 4 root wheel 512 Apr 30 11:05 /usr/home
# ls -l /usr/home
total 8
drwxr-xr-x 2 user_a user_a 512 Apr 30 11:05 user_a
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 user_b
```

This is what the setup looks like by default.  As you can see, all the directories (/usr/home, /usr/home/user_a, and /usr/home/user_b) are readable, and executable, by all parties.  That is to say, the *other* field on all three is "r-x".

If we run,
`# chmod o-r /usr/home # remove the read bit from other on the node`

Then, we have this situation:

```
$ whoami
user_a
$ ls -l /usr/home
total 0
ls: /usr/home: Permission denied
$ ls -la /usr/home/user_b
total 40
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 .
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 ..
[ -- skipped some output for brevity -- ]
-rw-r--r-- 1 user_b user_b 980 Apr 30 11:05 .shrc
```

The problem is that a user can still read the other user's directory, if he knows where it is.  To stop this, all user directories must be set inaccessible by *other*.  For example,
`# chmod o-rx /usr/home/user_b`

Delivers:

```
$ whoami
user_a
$ ls -la /usr/home/user_b
total 0
ls: /usr/home/user_b: Permission denied
```

You would need to perform that for all directories.  The problem is that users can change permissions on directories they own.  Also, if you do not perform the step of making all the home directories inaccessible to *other*, then there are other means to enumerate the users than just /bin/ls in /usr/home.  As you can see in the following, it is easy for a user to make their directory accessible again:

```
$ whoami
user_b
$ chmod o+rx /usr/home/user_b
# ls -ld /usr/home/user_b
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 /usr/home/user_b
```

One option is to do the following:

```
# chown root /usr/home/user_b
# chmod g+w,o-rx /usr/home/user_b # let group write, remove read/execute from other
# ls -ld /usr/home/user_b
drwxrwx--- 2 root user_b 512 Apr 30 11:05 /usr/home/user_b
# su - user_b
$ chmod o+rx /usr/home/user_b
chmod: /usr/home/user_b: Operation not permitted
$ ls
$ touch file
$ ls -l 
total 0
-rw-r--r-- 1 user_b user_b 0 Apr 30 11:07 file
```

That will stop users changing permissions on their home directory.  There are still areas of the system where they can share files, and they can still view most files on the system.  They just would not be able to view each other's home directories.

A quick summary:

Stop users listing the contents of /usr/home.  Do not remove the execute bit, as they will not be able to reach their home directories.  Note that this alone is not much use, as there are many other ways to list users on a system.  It literally just stops users that do not own the file, or are not in the group the file belongs to, from reading the contents of the directory.  In this case, the owner is *root*, and the group *wheel*.
`# chmod o-r /usr/home`

Change the ownership of the home directories to *root*.
`# chown root /usr/home/<username>`

Make the home directory *group* writeable, but not accessible to *other*.
`# chmod g+w,o-rx /usr/home/<username>`

*IMPORTANT NOTE: This requires each user have their own primary group.  If they share a primary group, then they will all be able to edit each other's home directories.*

I know that was a bit long, so if you are unsure, ask before you enact any of the above advice.  Hope this helps.


----------
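A read-only audit of the layout summarised in the post above, as an added example that is not part of any post in the thread: it reports home directories still open to *other*, checks that the parent is traversable but not listable, and flags the shared-primary-group case from the important note. The function names are hypothetical, the passwd file is assumed to be in the seven-field passwd(5) format, and the sample tree and accounts are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the layout above.

# List directories directly under $1 that "other" can read or traverse.
# -perm -NNN tests single bits and is portable across find(1) versions.
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) -print | sort
}

# True if $1 is traversable by "other" but neither listable nor writable,
# i.e. the state `chmod o-r` leaves a 755 /usr/home in.
base_is_hidden() {
    [ -n "$(find "$1" -maxdepth 0 -type d \
        -perm -001 ! -perm -004 ! -perm -002 -print)" ]
}

# Print "gid: users" for each primary GID shared by accounts whose home
# starts with prefix $2, from a passwd(5)-format file $1 (gid=$4, home=$6).
shared_primary_groups() {
    awk -F: -v prefix="$2" '
        index($6, prefix) == 1 { users[$4] = users[$4] " " $1; n[$4]++ }
        END { for (g in n) if (n[g] > 1) print g ":" users[g] }
    ' "$1" | sort
}

# Constructed sample: a throwaway tree and passwd file, no root needed.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/user_a" "$d/home/user_b"
    chmod 751 "$d/home"; chmod 755 "$d/home/user_a"; chmod 770 "$d/home/user_b"
    printf '%s\n' 'user_a:*:1001:1001:A:/usr/home/user_a:/bin/sh' \
                  'user_b:*:1002:1002:B:/usr/home/user_b:/bin/sh' \
                  'user_c:*:1003:1001:C:/usr/home/user_c:/bin/sh' > "$d/passwd"
    base_is_hidden "$d/home" && echo "base ok"
    echo "open to other: $(open_homes "$d/home" | sed "s|$d||")"
    echo "shared gid: $(shared_primary_groups "$d/passwd" /usr/home/)"
    rm -rf "$d"
}
demo
```

On a real host the prefix passed to `shared_primary_groups` has to match how homes are recorded in the passwd file, which may be `/home/` rather than `/usr/home/`.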

