I want to prevent a user from seeing a list of home directories (of other users). By default, a user cannot access other users' home dirs but can find another user's home dir like below:

[opc@instance-20210712-0826 home]$ cd /home
[opc@instance-20210712-0826 home]$ ls -lh
total 8.0K
drwx------. 10 opc       opc       4.0K Nov 14 22:52 opc
drwx------.  2 otheruser otheruser   62 Nov 28 18:19 otheruser
drwx------.  3 yaskur    yaskur    4.0K Nov 28 01:45 yaskur

In other words, a user can see a list of other users (based on their home dirs). I want to prevent it. It's similar to what WHM/cPanel does: if I log in as a user I cannot see other users' home dirs:

[myuser@sng128 ~]$ cd /home
[myuser@sng128 home]$ ls -l
total 4
drwx--x--x 25 myuser myuser 4096 Nov 28 08:27 myuser

I use Oracle Linux which is similar to CentOS or Rocky Linux.

  • One way is to use `ChrootDirectory` in `sshd_config`. – Paul Nov 28 '21 at 18:47
  • cPanel uses ["VirtFS Jailed Shell"](https://docs.cpanel.net/knowledge-base/accounts/virtfs-jailed-shell/) to present a virtual "fake" filesystem to the user. It looks like their own custom implementation, but you could probably do something similar. – Moshe Katz Nov 29 '21 at 03:46

3 Answers

Restrictive file permissions do not prevent a user from enumerating other users and their home directories. getent passwd from glibc will list users including their home directories. The underlying getpwent() function can also be called by a program.

To fully prevent any user from listing other users' home directories, isolate the user. As in, give them their own container. Although "container" could be implemented a variety of ways: hardware VM, software VM (User Mode Linux), OpenVZ, chroot, podman containers, or the Linux user and PID isolation namespaces in general.

John Mahowald
  • I need a solution without a VM, just like WHM/cPanel does. Maybe it's using chroot? Any reference about it? I only found https://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes but it requires setting the home dir's owner to root, which is different from what WHM/cPanel does. – Muhammad Dyas Yaskur Nov 28 '21 at 19:37
  • That is what I referred to with [`ChrootDirectory`](https://man.openbsd.org/sshd_config#ChrootDirectory) in `sshd_config`. If the only thing that works for you is WHM/cPanel, then use WHM/cPanel, else you are likely going to compromise somewhere, somehow. (And note the `root` ownership only applies to the `chroot` directory, not the subdirectories.) – Paul Nov 29 '21 at 17:03
Stumbled on this as I was looking for a solution for something else...

My take is that you can just do:

chmod 711 /home
chmod 711 /home/*

and this should at least prevent other users from listing the /home directory. These are not recursive and will only protect /home and /home/userX or /home/userY from being listed (ls) directly.

Of course an unprivileged user can just cat /etc/passwd and view all users in the system, in which case, it's as good as listing the /home directory probably...

In such a case, I highly recommend Firejail which was built for exactly this and is easy to set up.

On Ubuntu Server, you would install and configure it like this (e.g. in a firejail_install.sh script):

#!/bin/bash
# Install Firejail and drop in a local blacklist so that programs run inside the
# sandbox cannot read /etc/passwd (user enumeration) or the service configs below.
set -e

apt-get -y update
apt-get -y install firejail

# disable-common.local is included by Firejail's disable-common.inc, so rules
# placed here apply to every profile that includes it; only create the file if
# one does not exist yet.
if [ ! -f "/etc/firejail/disable-common.local" ]; then
    cat > "/etc/firejail/disable-common.local" <<EOF

# Firejail blacklist
blacklist /etc/passwd
blacklist /etc/letsencrypt
blacklist /etc/mysql
blacklist /etc/nginx
blacklist /etc/php
blacklist /etc/postfix
blacklist /etc/varnish
blacklist /var/lib/mysql
blacklist /var/run/php

# END
EOF

fi

Just be careful what you blacklist :)

This, combined with the right permissions on /home, should be enough to somewhat better protect your system from prying eyes.

fevangelou
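An added audit script (not from either answer above) that ties the two points together: it reports which directories under a home root are still listable by "others" (the bit `chmod 711` / `chmod o-r` removes), rehearses the `chmod 711` fix on a scratch tree constructed in the script, and then shows that `getent passwd` still enumerates every account's home regardless of those bits. It assumes GNU `stat` (Linux); the function and variable names are my own.

```shell
#!/bin/sh
# Added audit helper for two points made in the answers: which directories under
# a home root are listable by "others" (the bit chmod 711 / chmod o-r removes),
# and what the account database still reveals regardless. Assumes GNU stat.
set -eu

# Print "MODE PATH" for $1 and each direct child directory whose "others" read
# bit is set. stat -c %a prints the octal mode (755, or 1777 with a sticky bit);
# its last digit is the "others" triplet, and read is set in 4, 5, 6 and 7.
world_listable_dirs() {
    root="$1"
    for d in "$root" "$root"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        mode=$(stat -c '%a' "$d")
        others="${mode#"${mode%?}"}"          # last character of the mode
        case "$others" in
            4|5|6|7) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}

# The permission change proposed above (chmod 711 /home; chmod 711 /home/*),
# parameterised by the root so it can be rehearsed on a scratch tree. Like the
# original, it is not recursive: only the root and its direct children change.
restrict_home_listing() {
    root="$1"
    chmod 711 "$root"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        chmod 711 "$d"
    done
}

# What permission bits cannot hide: every account with a home under /home is
# still visible through the account database (getent passwd / getpwent()).
enumerate_homes_via_passwd() {
    command -v getent >/dev/null 2>&1 || return 0
    getent passwd | awk -F: '$6 ~ "^/home/" { print $1, $6 }'
}

# Rehearsal on a scratch tree constructed here (not a real /home).
scratch=$(mktemp -d)
mkdir "$scratch/alice" "$scratch/bob"
chmod 755 "$scratch" "$scratch/alice" "$scratch/bob"
echo "listable by others, before:"; world_listable_dirs "$scratch"
restrict_home_listing "$scratch"
echo "listable by others, after:";  world_listable_dirs "$scratch"   # nothing
echo "still enumerable via getent passwd:"; enumerate_homes_via_passwd
rm -rf "$scratch"
```

Run it as root on the real host by replacing the scratch tree with /home; the `getent` section is the part no `chmod` will silence, which is why the first answer points at isolation instead.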
Remove global read permission on /home

sudo chmod o-r /home

This is an unusual setting and may break some things unexpectedly (e.g. file browsers), but will not get in the way of ordinary tasks.

Jasen