Score:0

Prevent user from seeing list of other user's home dir

bm flag

I want to prevent a user from seeing a list of home directories (of other users). By default, a user cannot access another user's home dir but can find other users' home dirs like below:

[opc@instance-20210712-0826 home]$ cd /home
[opc@instance-20210712-0826 home]$ ls -lh
total 8.0K
drwx------. 10 opc       opc       4.0K Nov 14 22:52 opc
drwx------.  2 otheruser otheruser   62 Nov 28 18:19 otheruser
drwx------.  3 yaskur    yaskur    4.0K Nov 28 01:45 yaskur

In other words, a user can see a list of other users (based on home dirs). I want to prevent that. It's similar to what WHM/cPanel does: if I log in as a user I cannot see other users' home dirs:

[myuser@sng128 ~]$ cd /home
[myuser@sng128 home]$ ls -l
total 4
drwx--x--x 25 myuser myuser 4096 Nov 28 08:27 myuser

I use Oracle Linux which is similar to CentOS or Rocky Linux.

cn flag
One way is to use `ChrootDirectory` in `sshd_config`.
pl flag
cPanel uses ["VirtFS Jailed Shell"](https://docs.cpanel.net/knowledge-base/accounts/virtfs-jailed-shell/) to present a virtual "fake" filesystem to the user. It looks like their own custom implementation, but you could probably do something similar.
Score:4
cn flag

Restrictive file permissions do not prevent a user from enumerating other users and their home directories. getent passwd from glibc will list users including their home directories. The underlying getpwent() function can also be called by a program.

To fully prevent any user from listing other users' home directories, isolate the user. As in, give them their own container. Although "container" could be implemented a variety of ways: hardware VM, software VM (User Mode Linux), OpenVZ, chroot, podman containers, or the Linux user and PID isolation namespaces in general.

bm flag
I need a solution without a VM, just like WHM/cPanel does. Maybe it's using chroot? Any reference about it? I only found https://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes but it requires chowning the home dir to root, which is different from what WHM/cPanel does.
cn flag
That is what I referred to with [`ChrootDirectory`](https://man.openbsd.org/sshd_config#ChrootDirectory) in `sshd_config`. If the only thing that works for you is WHM/cPanel, then use WHM/cPanel, else you are likely going to compromise somewhere, somehow. (And note the `root` ownership only applies to the `chroot` directory, not the subdirectories.)
Score:1
cn flag

Stumbled on this as I was looking for a solution for something else...

My take is that you can just do:

chmod 711 /home
chmod 711 /home/*

and this should at least prevent other users from listing the /home directory. These are not recursive and will only protect /home and /home/userX or /home/userY from being listed (ls) directly.

Of course an unprivileged user can just cat /etc/passwd and view all users in the system, in which case, it's as good as listing the /home directory probably...

In such a case, I highly recommend Firejail, which was built for exactly this and is easy to set up.

On Ubuntu Server, you would install and configure it like this (e.g. in a firejail_install.sh script):

#!/bin/bash

apt-get -y update
apt-get -y install firejail

if [ ! -f "/etc/firejail/disable-common.local" ]; then
    cat > "/etc/firejail/disable-common.local" <<EOF

# Firejail blacklist
blacklist /etc/passwd
blacklist /etc/letsencrypt
blacklist /etc/mysql
blacklist /etc/nginx
blacklist /etc/php
blacklist /etc/postfix
blacklist /etc/varnish
blacklist /var/lib/mysql
blacklist /var/run/php

# END
EOF

fi

Just be careful what you blacklist :)

This, combined with the right permissions on /home should be enough to somewhat better protect your system from prying eyes.
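An audit-and-fix script for the permission part of this answer (the `chmod 711` step, which the `chmod o-r /home` answer also relies on), added here as an example and not part of the original post. It takes the home root as a parameter (an assumption, so it can be run against a scratch directory) and needs only ls(1) and chmod(1):

```shell
#!/bin/sh
# Added example, not from the original answers.
# Assumes a POSIX sh; the home root is passed as $1 instead of hard-coding /home.

# Print, one per line, the root directory and each directory directly under
# it whose "others" read bit is set. That bit is what lets any local user
# list the directory with ls; the execute bit alone only allows traversal.
list_world_listable() {
    root="$1"
    for d in "$root" "$root"/*/; do
        d="${d%/}"                     # strip the trailing slash from the glob
        [ -d "$d" ] || continue        # skip an unmatched glob or a plain file
        # Column 8 of the ls -ld mode string is the "others" read bit.
        perms=$(ls -ld "$d" | cut -c1-10)
        case "$(printf '%s' "$perms" | cut -c8)" in
            r) printf '%s\n' "$d" ;;
        esac
    done
}

# Apply the answer's fix: 711 on the root and on each user directory, so the
# directories stay traversable (cd, web servers, cron) but are not listable.
# This is deliberately not recursive, matching the answer's two chmod lines.
harden_home_root() {
    root="$1"
    chmod 711 "$root" || return 1
    for d in "$root"/*/; do
        d="${d%/}"
        if [ -d "$d" ]; then
            chmod 711 "$d" || return 1
        fi
    done
    return 0
}
```

Run `list_world_listable /home` first to see what is currently exposed; note that, as the answer says, this does nothing about `/etc/passwd` or `getent passwd`.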

Score:0
us flag

Remove global read permission on /home

sudo chmod o-r /home

This is an unusual setting and may break some things unexpectedly (e.g. file browsers), but it will not get in the way of ordinary tasks.
