Linux – Restricting directory access for a user in linux

linuxpermissions

How can I restrict user to read other users directory in linux ?

for instance I have user1 and user2, I dont want the user2 to read /home/user1/… How can I do this ?

Thanks

Best Answer

Like zed said but you probably have service running which mean that it if you do this, these services will not be able to read theses files either if the service doesn't run under the user permission, which is rarely the case, most service runs under their own users.

ACL (Access control list) are what you may need. Here is the official doc http://centos.org/docs/5/html/Deployment_Guide-en-US/ch-acls.html

Follow the documentation by editing the /etc/fstab and remounting the partition then simply

setfacl -m d:o:--- /home/user1/
setfacl -m d:u:rwx /home/user1/

o for others, u for users.
Now retreive the acl :

getfacl /home/user1/

I recommend you read the docs and do some tests. Hope this helped.

Related Solutions

Linux – Using xauth to Run Graphical Application as Another User

To use xauth selectively, as user1 run:

xauth list|grep `uname -n`

This prints the hexkey authorization entries for you . You could have different displays associated with those hosts as well.

As user2 set your display (assuming default case):

DISPLAY=:0; export DISPLAY

Then run:

xauth add $DISPLAY . hexkey

Note the dot after the $DISPLAY and before the hexkey.

When access is no longer needed, as user2 you can run:

xauth remove $DISPLAY

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Linux – Using xauth to Run Graphical Application as Another User

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic