
My home folder contains 2 users: 1 admin user and 1 guest.

I basically want a guest user not to be able to change the directory to a directory outside his own home folder when he logs in via SSH session.

The users look as follows:

root@Ubuntu-2004-focal-64-minimal / # id olw
uid=1000(olw) gid=1002(olw) groups=1002(olw),1000(admins)
root@Ubuntu-2004-focal-64-minimal / # id guest
uid=1002(guest) gid=1001(guest) groups=1001(guest)

The home directory:

drwxr-xr-x 5 root root 4096 Jun 16 11:01 home/

From my understanding this means that others (not in root group) can read or enter (execute) this directory.

Inside this directory the file system looks as follows:

drwxr-xr-x  5 root root   4096 Jun 16 11:01 ./
drwxr-xr-x 18 root root   4096 Jun 14 16:13 ../
drwxrwx---  2 root guest  4096 Jun 16 11:11 guest/
drwxr-x---  4 olw  admins 4096 Jun 15 16:12 olw/

So now the guest is able to switch back to the home directory once he is inside his own home directory because /home is executable to others.

I chmod o-rx home/ and changed the group of the home folder to admins too. Otherwise nobody except root or people inside the root group could do anything with the root folder.

drwxr-x---  5 root admins   4096 Jun 16 11:01 ./
drwxr-xr-x 18 root root   4096 Jun 14 16:13 ../
drwxrwx---  2 root guest  4096 Jun 16 11:11 guest/
drwxr-x---  4 olw  admins 4096 Jun 15 16:12 olw/

The odd thing now:

When I switch to my admin everything is working. I can go into my home folder, go outside; do everything but with the GUEST account I get a

root@Ubuntu-2004-focal-64-minimal /home # su guest
bash: /home/guest/.bashrc: Permission denied

I cannot even read the default .bashrc file or execute an ls command.

I even switched the permission for the guest homefolder to full access from everyone ending up with:

drwxr-x---  5 root admins 4096 Jun 16 11:01 ./
drwxr-xr-x 18 root root   4096 Jun 14 16:13 ../
drwxrwxrwx  2 root guest  4096 Jun 16 11:11 guest/
drwxr-x---  4 olw  admins 4096 Jun 15 16:12 olw/

I still get the error. What am I doing wrong? I want the guest not to be able to leave his own home directory but I want him to see his own home directory and be able to execute commands there. Why is it working with the olw user?

The file system inside the users looks as follows:

guest

drwxrwxrwx 2 root  guest  4096 Jun 16 11:11 ./
drwxr-x--- 5 root  admins 4096 Jun 16 11:01 ../
-rw------- 1 guest guest    42 Jun 16 11:22 .bash_history
-rwxrwxrwx 1 root  guest   220 Jun 15 15:00 .bash_logout*
-rwxrwxrwx 1 root  guest  3771 Jun 15 15:00 .bashrc*
-rwxrwxrwx 1 root  guest     0 Jun 15 15:00 .cloud-locale-test.skip*
-rwxrwxrwx 1 root  guest   807 Jun 15 15:00 .profile*
-rwxrwxrwx 1 root  guest    20 Jun 15 15:14 WELCOME.txt*

olw

drwxr-x--- 4 olw  admins 4096 Jun 15 16:12 ./
drwxr-x--- 5 root admins 4096 Jun 16 11:01 ../
-rwxr-x--- 1 olw  olw     960 Jun 16 11:35 .bash_history*
-rwxr-x--- 1 olw  olw     220 Jun 15 14:38 .bash_logout*
-rwxr-x--- 1 olw  olw    3771 Jun 15 14:38 .bashrc*
drwx------ 2 olw  olw    4096 Jun 15 15:54 .cache/
-rwxr-x--- 1 olw  olw       0 Jun 15 14:38 .cloud-locale-test.skip*
drwxrwx--x 3 olw  olw    4096 Jun 15 15:10 .local/
-rwxr-x--- 1 olw  olw     807 Jun 15 14:38 .profile*

MajesticOl
  • Welcome! Besides your actual problem, always be very careful when applying permissions recursively, you can end with a broken system. – schrodingerscatcuriosity Jun 16 '21 at 13:21
  • It is not possible to do it, you cannot deny a user access to /home if his $HOME is below that. One needs access to the whole directory tree. Also, he needs access to other resources in e.g. bin, lib or etc, otherwise nothing will work. What is your actual problem, why do you want to do that? – pLumo Jun 16 '21 at 13:22
  • You need chmod a+x /home to be able to access something in /home as a user that is neither the user nor group of /home. /home/guest and the files in it should normally be owned by user guest, not root and should probably have the same permission bits (not owner/group) as the files/directories of olw – Bodo Jun 16 '21 at 13:22
  • Please [edit] your question and add more details. What exactly do you mean with "... not to be able to leave his own home directory"? What should the user be able to do? What do you want to prevent? – Bodo Jun 16 '21 at 13:32
  • Ubuntu Home directories were created with 755 permissions but will be dropped to 750 with 21.04, now to prevent new home directories from being readable by other users on the system. https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533 – oldfred Jun 16 '21 at 14:16
  • Thanks for all the answers. So basically if my guest user is not part of the group that the home folder is in and the "other" permission bits are set to 0, then he won't be able to execute anything inside his own subfolder, even if he owns it and has full rights on it? But why can guest read the content of its own folder then when he shouldn't even have reading rights? @Bodo I just want the guest user to be isolated within his own home directory. He should be able to see its content if he has permission for the according files but he must not be able to change to parent folder -> home – MajesticOl Jun 16 '21 at 14:39
  • @MajesticOl Please [edit] your question to provide additional information instead of writing comments. I don't think that there is a security risk in doing e.g. cd /home if the user can neither list nor access other users' files or directories nor create any file or directory there, if the permissions for /home are drwxr-x--x. If you don't agree with my opinion, then please explain this in your question. (If you really want to isolate the user you might need a chroot environment which needs considerable effort to set up correctly.) – Bodo Jun 16 '21 at 15:00
  • @Bodo I edited the question. Yeah, I guess you are right. I'm still not sure what the general idea behind it is, that I cannot apply permissions to separate folders. Wouldn't that be way easier? What would I do if I have a third user that is not part of the admins group that I want to be able to read the home folder's content? A guest that is just permitted to read the content of home. – MajesticOl Jun 16 '21 at 15:09
  • @MajesticOl Of course you can apply permissions to separate folders. You only have to read the details about how UNIX permissions work for files and directories. See the links in other comments. If the limitation of the UNIX permissions to one user, one group and others does not fit your requirements you might have to use ACLs. You wrote: "I basically want a guest user not to be able to change the directory to a directory outside his own home folder", but you did not explain what's the purpose of this requirement or what security risk you want to mitigate. – Bodo Jun 16 '21 at 18:19
  • @MajesticOl Please don't add new requirements (as the third user) later, and don't use comments to extend your question. I suggest writing a new question with a clear specification of the users, directories, files you have and what restrictions you want to enforce, maybe with a link to this question. (You can use the gray Share below the question to get a link.) Then we can probably suggest a solution how to set up the groups and permissions. – Bodo Jun 16 '21 at 18:22
  • Note that "the home directory" is not /home. That's the container (parent) of each user's home directory. Your /home/guest is a home directory. – Chris Davies Jun 16 '21 at 21:03
  • I should have put the word "home" inside quotes. Sorry, it was kind of misleading. – MajesticOl Jun 17 '21 at 07:52

1 Answer

All file access depends on the permissions of the file and the directory hierarchy it exists in.

While there are a couple of ways of achieving the result you desire, these are non-trivial and you may be breaking other parts of the security of your server. For example, you could set the homedir for guest to /other/guest - but in order to exclude them from /home you need to create a group encompassing all other users and set the group ownership of /home to that group and chmod o-rwx /home. But you're still not done. In addition to filesystem permissions, your Ubuntu box has a security subsystem called AppArmor - this uses a more centralized database of objects (not just files), users and the permissions linking them - that will need updating too.

I'd like to think I know my way around Linux but this looks to me like a scarily complex task with little apparent benefit.

symcbean
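
The dependence on the whole directory hierarchy can be checked component by component. The following is an added example, not part of the question or the answer: it models the mode-bit check over a constructed table that mirrors the listings in the question, with `TREE_X`, `first_denied` and `class_bits` being names chosen here. It ignores ACLs and AppArmor; pass no `stat_fn` to run it against the real filesystem.

```python
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "st_mode st_uid st_gid")  # the os.stat fields used here

# Constructed from the question's listings after `chmod o-rx /home`.
# gids from the `id` output: admins=1000, guest=1001, olw=1002.
TREE = {
    "/": Entry(0o755, 0, 0),
    "/home": Entry(0o750, 0, 1000),
    "/home/guest": Entry(0o777, 0, 1001),
    "/home/guest/.bashrc": Entry(0o777, 0, 1001),
    "/home/olw": Entry(0o750, 1000, 1000),
    "/home/olw/.bashrc": Entry(0o750, 1000, 1002),
}
# Same tree with /home set to drwxr-x--x, as suggested in the comments.
TREE_X = {**TREE, "/home": Entry(0o751, 0, 1000)}

GUEST = (1002, {1001})       # (uid, gids) from `id guest`
OLW = (1000, {1002, 1000})   # (uid, gids) from `id olw`

def class_bits(st, uid, gids):
    """rwx bits of the one class that applies: owner, else group, else other."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def first_denied(path, user, want=4, stat_fn=os.stat):
    """Return the first component of an absolute path that blocks `user`, or None.

    Every ancestor directory needs x (search, 1); the target itself needs
    `want` (4=read, 2=write, 1=search). ACLs and AppArmor are not modelled.
    """
    uid, gids = user
    if uid == 0:
        return None  # root is not bound by mode bits for read, write or search
    chain, current = ["/"], "/"
    for part in filter(None, path.split("/")):
        current = os.path.join(current, part)
        chain.append(current)
    for node in chain:
        needed = want if node == chain[-1] else 1
        if class_bits(stat_fn(node), uid, gids) & needed != needed:
            return node
    return None
```

With the question's permissions, guest is stopped at /home before the 777 bits on /home/guest are ever consulted; with drwxr-x--x on /home, guest reaches its own files, can `cd /home`, but can neither list /home nor enter /home/olw.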