How to ensure all new user home directories are created without world-readable permissions in Linux

Автор: | 15.06.2018

If you administer a Linux server, chances are that server might be used by numerous users. In fact, you probably created those users yourself. Or maybe another admin created the users. Either way, there are probably a number of users working on the server, each of which has their own home directory. Thing is, when those home directories were initialized, chances are they were created with world-readable permissions. That means anyone on the server can read the contents of other user’s files. Although they may not be able to edit those files, they can still read them. For some companies, that might be considered a security issue. If that’s the case, what do you do? If the users were already created, you must go through and manually remove world-readable permissions with command like:

sudo chmod 0750 /home/USER

Where USER is the name of the actual user.

But you don’t want to have to keep doing that moving forward, as that would be a waste of your precious time. Instead, why don’t you set the system up, such that every time you create a new user, said user’s home directory will be created sans world-readable permissions. Now that’s the way to go.

I’m going to demonstrate how to do this on Ubuntu Server 18.04, but the process is the same for nearly all Linux distributions.

What you’ll need

Simple. You’ll need a working Linux distribution, an account with sudo privileges, and your favorite text editor (mine being nano).

Adduser.conf

When you create a new user, with the adduser command, the defaults for the user are drawn from the /etc/adduser.conf file. Because of this, we’re going to make a change to the file, such that every new user home directory added will be done so without world-readable permissions. To do this, open that file with the command sudo nano /etc/adduser.conf (substitute nano with your favorite text editor).

With that file open, look for the line DIR_MODE. The default value for this line will be:

DIR_MODE=0755

That is what is responsible for giving the new user’s home directory the permission we don’t want. Change that line to:

DIR_MODE=0750

Save and close that file. Now issue the command:

sudo adduser USERNAME

Where USERNAME is the name of the new username to be added. Walk through the questions for adding the user (Figure A).

Figure A

Figure A

Creating the user stierney.

Once the user is created, issue the command ls -l /home to see that the new user was created without global r permissions (Figure B).

Figure B

Figure B

Sam Tierney’s home directory can not be read by other users.

From this point on, every new user will be created with a more secure home directory. Without sudo permissions, users won’t be able to view the contents of those home directories. Of course, by using sudo, users could view the contents of other home directories, so not giving standard users sudo privileges might be a policy you’ll want to consider. The good news is that creating new users with the adduser command doesn’t automatically add them to the sudo group. So this shouldn’t be a problem.

Enjoy the added security

With this new configuration in place, your users can be assured that no other standard user will be able to view the contents of their home folders. For any Linux system that has multiple users logging in and working, this might be considered a must-do for administrators. Enjoy this added layer of security.

Also See

Source

Добавить комментарий