My home folder contains 2 users: 1 admin user and 1 guest.
I basically want a guest user not to be able to change the directory to a directory outside his own home folder when he logs in via an SSH session.
The users look as follows:
root@Ubuntu-2004-focal-64-minimal / # id olw
uid=1000(olw) gid=1002(olw) groups=1002(olw),1000(admins)
root@Ubuntu-2004-focal-64-minimal / # id guest
uid=1002(guest) gid=1001(guest) groups=1001(guest)
The home directory:
drwxr-xr-x 5 root root 4096 Jun 16 11:01 home/
From my understanding this means that others (not in the root group) can read or enter (execute) this directory.
Inside this directory the file system looks as follows:
drwxr-xr-x 5 root root 4096 Jun 16 11:01 ./
drwxr-xr-x 18 root root 4096 Jun 14 16:13 ../
drwxrwx--- 2 root guest 4096 Jun 16 11:11 guest/
drwxr-x--- 4 olw admins 4096 Jun 15 16:12 olw/
So now the guest is able to switch back to the home directory once he is inside his own home directory because /home is executable to others.
I ran chmod o-rx home/
and changed the group of the home folder to admins too. Otherwise nobody except root or people inside the root group could do anything with the root folder.
drwxr-x--- 5 root admins 4096 Jun 16 11:01 ./
drwxr-xr-x 18 root root 4096 Jun 14 16:13 ../
drwxrwx--- 2 root guest 4096 Jun 16 11:11 guest/
drwxr-x--- 4 olw admins 4096 Jun 15 16:12 olw/
The odd thing now:
When I switch to my admin user everything is working. I can go into my home folder, go outside, do everything. But with the GUEST account I get a
root@Ubuntu-2004-focal-64-minimal /home # su guest
bash: /home/guest/.bashrc: Permission denied
I cannot even read the default .bashrc file or execute an ls command.
I even switched the permissions for the guest home folder to full access from everyone, ending up with:
drwxr-x--- 5 root admins 4096 Jun 16 11:01 ./
drwxr-xr-x 18 root root 4096 Jun 14 16:13 ../
drwxrwxrwx 2 root guest 4096 Jun 16 11:11 guest/
drwxr-x--- 4 olw admins 4096 Jun 15 16:12 olw/
I still get the error. What am I doing wrong? I want the guest not to be able to leave his own home directory but I want him to see his own home directory and be able to execute commands there. Why is it working with the olw user?
The file system inside the users' home directories looks as follows:
guest:
drwxrwxrwx 2 root guest 4096 Jun 16 11:11 ./
drwxr-x--- 5 root admins 4096 Jun 16 11:01 ../
-rw------- 1 guest guest 42 Jun 16 11:22 .bash_history
-rwxrwxrwx 1 root guest 220 Jun 15 15:00 .bash_logout*
-rwxrwxrwx 1 root guest 3771 Jun 15 15:00 .bashrc*
-rwxrwxrwx 1 root guest 0 Jun 15 15:00 .cloud-locale-test.skip*
-rwxrwxrwx 1 root guest 807 Jun 15 15:00 .profile*
-rwxrwxrwx 1 root guest 20 Jun 15 15:14 WELCOME.txt*
olw:
drwxr-x--- 4 olw admins 4096 Jun 15 16:12 ./
drwxr-x--- 5 root admins 4096 Jun 16 11:01 ../
-rwxr-x--- 1 olw olw 960 Jun 16 11:35 .bash_history*
-rwxr-x--- 1 olw olw 220 Jun 15 14:38 .bash_logout*
-rwxr-x--- 1 olw olw 3771 Jun 15 14:38 .bashrc*
drwx------ 2 olw olw 4096 Jun 15 15:54 .cache/
-rwxr-x--- 1 olw olw 0 Jun 15 14:38 .cloud-locale-test.skip*
drwxrwx--x 3 olw olw 4096 Jun 15 15:10 .local/
-rwxr-x--- 1 olw olw 807 Jun 15 14:38 .profile*
/home if his $HOME is below that. One needs access to the whole directory tree. Also, he needs access to other resources in e.g. bin, lib or etc, otherwise nothing will work. What is your actual problem, why do you want to do that? – pLumo Jun 16 '21 at 13:22

chmod a+x /home to be able to access something in /home as a user that is neither the user or group of /home. /home/guest and the files in it should normally be owned by user guest, not root and should probably have the same permission bits (not owner/group) as the files/directories of olw – Bodo Jun 16 '21 at 13:22

cd /home if the user can neither list nor access other users' files or directories nor create any file or directory there, if the permissions for /home are drwxr-x--x. If you don't agree with my opinion, then please explain this in your question. (If you really want to isolate the user you might need a chroot environment which needs considerable effort to set up correctly.) – Bodo Jun 16 '21 at 15:00

below the question to get a link.) Then we can probably suggest a solution how to set up the groups and permissions. – Bodo Jun 16 '21 at 18:22

/home. That's the container (parent) of each user's home directory. Your /home/guest is a home directory. – Chris Davies Jun 16 '21 at 21:03
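The "Permission denied" in the question and the drwxr-x--x suggestion in Bodo's comment both come down to the same rule: to open /home/guest/.bashrc the kernel walks the path and needs the search (x) bit on every directory it enters, chosen from exactly one permission class (owner, else group, else other), before the bits on the final file matter at all. The following Python model of that walk is an added example, not code from the question or from any of the commenters; the uids, gids and modes are taken from the listings above, Node, perm_bits, check_access, build_tree and run_scenarios are names chosen here, and root (uid 0) is simplified as bypassing the check. ACLs, capabilities and setuid are not modelled.

```python
"""Model of the Unix DAC path-walk check, built from the listings in the question.
Constructed example; not kernel code. Ignores ACLs, capabilities and setuid."""
from dataclasses import dataclass, field

# uids/gids as shown by `id olw` and `id guest` in the question
ROOT, OLW, GUEST = 0, 1000, 1002
G_ADMINS, G_GUEST, G_OLW = 1000, 1001, 1002


@dataclass
class Node:
    owner: int
    group: int
    mode: int                                     # permission bits only, e.g. 0o750
    children: dict = field(default_factory=dict)  # name -> Node (directories only)


def perm_bits(node, uid, groups):
    """(r, w, x) that applies to `uid` on `node`: exactly one class is chosen,
    owner first, then group, then other. uid 0 is modelled as bypassing DAC
    (a simplification of CAP_DAC_OVERRIDE)."""
    if uid == 0:
        return True, True, True
    if uid == node.owner:
        shift = 6
    elif node.group in groups:
        shift = 3
    else:
        shift = 0
    bits = (node.mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def check_access(root, path, uid, groups, want="r"):
    """Walk `path` from `root`. Every directory that is entered needs x (search)
    for the caller; the final component needs every bit in `want`.
    Returns (ok, reason), naming the first component that fails."""
    node, walked = root, ""
    for name in [p for p in path.split("/") if p]:
        _, _, x = perm_bits(node, uid, groups)
        if not x:
            return False, f"no search (x) permission on {walked or '/'}"
        if name not in node.children:
            return False, f"{walked}/{name} does not exist"
        node, walked = node.children[name], walked + "/" + name
    r, w, x = perm_bits(node, uid, groups)
    have = {"r": r, "w": w, "x": x}
    missing = "".join(b for b in want if not have[b])
    return (False, f"missing {missing} on {walked or '/'}") if missing else (True, "ok")


def build_tree(home_mode):
    """/home as in the question: root:admins with `home_mode`; /home/guest is
    root:guest 777 (the last state shown), /home/olw is olw:admins 750."""
    guest_home = Node(ROOT, G_GUEST, 0o777, {".bashrc": Node(ROOT, G_GUEST, 0o777)})
    olw_home = Node(OLW, G_ADMINS, 0o750, {".bashrc": Node(OLW, G_OLW, 0o750)})
    home = Node(ROOT, G_ADMINS, home_mode, {"guest": guest_home, "olw": olw_home})
    return Node(ROOT, 0, 0o755, {"home": home})


SCENARIOS = [
    # (description, /home mode, path, uid, supplementary groups, wanted bits)
    ("guest reads its .bashrc, /home is drwxr-x---", 0o750, "/home/guest/.bashrc", GUEST, {G_GUEST}, "r"),
    ("olw reads its .bashrc, /home is drwxr-x---", 0o750, "/home/olw/.bashrc", OLW, {G_OLW, G_ADMINS}, "r"),
    ("guest reads its .bashrc, /home is drwxr-x--x", 0o751, "/home/guest/.bashrc", GUEST, {G_GUEST}, "r"),
    ("guest lists /home, /home is drwxr-x--x", 0o751, "/home", GUEST, {G_GUEST}, "r"),
    ("guest enters /home/olw, /home is drwxr-x--x", 0o751, "/home/olw", GUEST, {G_GUEST}, "x"),
]


def run_scenarios():
    """Evaluate every scenario; returns a list of (description, ok, reason)."""
    return [(d, *check_access(build_tree(m), p, u, g, w)) for d, m, p, u, g, w in SCENARIOS]


if __name__ == "__main__":
    for desc, ok, reason in run_scenarios():
        print(f"{'OK    ' if ok else 'DENIED'}  {desc}: {reason}")
```

Running it shows the first scenario failing with "no search (x) permission on /home": guest is neither root nor in admins, so the other class applies to /home and it has no x bit, which is why the 777 on /home/guest and on .bashrc never comes into play. olw passes because the group class (admins) applies. With the drwxr-x--x variant guest can reach its own files again, still cannot list /home (no r for others) and still cannot enter /home/olw (olw:admins 750), which is the isolation the comments describe without a chroot.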