Is it possible to remove access to the /tmp directory for a particular user, i.e. the user should not even be able to read the /tmp directory?

I know the tmp directory has 1777 permissions, which lets every user create files but restricts modification to the user's own files. I am unable to find any way to do so.

Use case:

One set of users should be able to do whatever they want, but the other set of users should not be able to check what the other set of users are creating.

One solution is to create a directory and set permissions to allow only a set of users, but then all users need to edit their scripts/programs to use this particular directory instead.

Is there any way like PrivateTmp via systemd, but for users instead of services? I mean, set up a tmp directory for the user without the user knowing about it; is it possible?

dgfjxcv
  • It might help if you could explain why you want to do that -- what are you trying to accomplish? – Andy Dalton May 11 '20 at 05:07
  • Note that removing access to /tmp for a user would potentially make the system unusable by that user (it would therefore be better to simply lock their account). Please describe the issue you are trying to solve and we may come up with a better solution. Do this by editing your question rather than adding clarifications in comments. – Kusalananda May 11 '20 at 06:19
  • Hi, I have added the use case in an edit of the question – dgfjxcv May 11 '20 at 06:51
  • Why "without user knowing about it"? Why the secrecy? Why not just instruct (whatever) users that want to do private stuff that they should do so in directories that are inaccessible to others? Help them set up a chroot if they require this, or a virtual machine or container. It is usually not the admin's job to preempt the users' needs. – Kusalananda May 11 '20 at 07:08
  • I suspect pam-tmpdir would meet your requirements (I’m not suggesting a duplicate because I have a hammer here). – Stephen Kitt May 11 '20 at 07:11

1 Answer

Changing the 1777 access to tmp will break things. If you do not allow access to /tmp, you will get all sorts of surprising failures.

There are a number of solutions that may or may not fit your need.

  • pam-tmpdir, as mentioned by Stephen Kitt in his comment (didn't know that one)
  • set the environment variables TMPDIR, TEMP, TEMPDIR and TMP to ~/.tmp or something like that (if your programs/scripts use this POSIX variable)
  • change the scripts/programs/... to use a sub-directory per user
  • use a virtual environment, such as VirtualBox
  • set up a chrooted environment.

It looks suspiciously like an XY problem; the only application that I can think of is a course environment, where you should create a (virtual) environment per user/group anyway.

Ljm Dullaart
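The TMPDIR option from the answer above, as an added example that is not part of the original answer: a shell function meant to be sourced from a login profile script (the function names and the profile.d placement are assumptions, not something the page specifies). It creates the directory with mode 0700, refuses a symlink or a directory owned by someone else, and then exports the four variables the answer lists.

```shell
#!/bin/sh
# Added example: per-user private temp directory via TMPDIR.
# Assumption: sourced from a login profile script such as a hypothetical
# /etc/profile.d/private-tmp.sh, which then calls: setup_private_tmp
# The default location ~/.tmp follows the answer; function names are made up.

setup_private_tmp() {
    dir="${1:-$HOME/.tmp}"

    # Create the directory only if nothing is there yet. The umask is set in
    # a subshell so the directory is 0700 from the moment it exists and the
    # caller's umask is left alone.
    [ -e "$dir" ] || [ -L "$dir" ] || ( umask 077 && mkdir -p "$dir" ) || return 1

    # Refuse anything that is not a real directory owned by the current user:
    # a symlink or a directory pre-created by another user would let that
    # user see or replace the temp files.
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "private-tmp: refusing to use $dir" >&2
        return 1
    fi

    # Tighten a pre-existing directory that was created with looser modes.
    chmod 700 "$dir" || return 1

    # TMPDIR is the POSIX name; the others are the conventions the answer lists.
    TMPDIR="$dir"; TMP="$dir"; TEMP="$dir"; TEMPDIR="$dir"
    export TMPDIR TMP TEMP TEMPDIR
}

# Helper for checks: prints the type and permission string, e.g. drwx------
private_tmp_mode() {
    ls -ld "$1" | cut -c1-10
}
```

Programs that hard-code /tmp ignore these variables, so this only isolates software that honours them.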