Security Breach! - Home directories readable to other users

Posted: Sun Jun 17, 2018 11:11 pm
by nonium
Hi everybody.
I am the administrator on my PC (Mint 18.3). I made an account for my son (standard account), but now I can access my folders and all my files through my son's account, even if I close my session. This is supposed not to happen. It didn't happen before with previous releases.

This is potentially dangerous.

Re: Security Breach!!

Posted: Sun Jun 17, 2018 11:17 pm
by Pierre
do have a look at Menu - Administration - Users & Groups.

check what permissions / groups that the New Standard Account has,
when compared to your own Administrator Account.

you may need to UN-check a few Groups in the New Standard Account to achieve what you are needing.

on some of my PCs where I've got a few users on that machine, I've often found that I've had to modify
that Users & Groups settings, to either Gain / Lose some required areas for the new users on that machine.

Re: Security Breach!!

Posted: Sun Jun 17, 2018 11:27 pm
by nonium
Hi, my son only has the "ali" and "nopasswdlogin" and nothing else.

Re: Security Breach!!

Posted: Sun Jun 17, 2018 11:55 pm
by Pierre
that's interesting in itself - - when I've added in an Extra User on some machine,
they generally do get quite a list of Groups that they seem to default to.

so, I've had to add / remove some of those Groups, in order to get that New Users Account to work properly.

Re: Security Breach! - Home directories readable to other users

Posted: Mon Jun 18, 2018 4:12 am
by karlchen
Guys,
the issue is not caused by group membership, but by the default permissions which are granted to owner-group-others inside the /home directory. A simple ls -al /home might help reveal whether I am right.
(Yes, you can do the same check in your graphical file-manager as well, provided you have configured it to display in long list format and provided you have configured it to display owner-group and access permissions.)

Karl

Re: Security Breach!!

Posted: Mon Jun 18, 2018 4:29 am
by Pjotr
Solve it with this terminal command:

chmod -v 700 $HOME

Repeat this in each user account that needs the same protection.

Note: this doesn't protect you from someone with root permissions! It won't stop a determined and experienced snooper, but it's an effective measure to "keep the honest people out". If that's not enough for you: encryption of files or even of your entire home folder, is much more secure....

Should you ever wish to undo this (but why?), that's easy as well. For undoing you can use this command:

chmod -v 755 $HOME

Re: Security Breach! - Home directories readable to other users

Posted: Mon Jun 18, 2018 4:40 am
by karlchen
The same issue has been discussed before. I just will have to look up the old threads ... (no time to do so at the moment) ...

By the way, as most users are not aware how access permissions are handled on Linux, not just on Linux Mint, here is an article which explains the basic concept: How Do Linux File Permissions Work?
And another article which illustrates, what Pjotr had already explained briefly, how to prevent normal users from accessing each other's home directories easily: How to Prevent Other Users From Accessing Your Home Directory in Ubuntu 14.04

Re: Security Breach!!

Posted: Mon Jun 18, 2018 4:42 am
by Moem
Pjotr wrote: Mon Jun 18, 2018 4:29 am Solve it with this terminal command:

chmod -v 700 $HOME

Repeat this in each user account that needs the same protection.

Interesting. What exactly is it that this command does?

Re: Security Breach! - Home directories readable to other users

Posted: Mon Jun 18, 2018 4:50 am
by Sir Charles
It gives read-write-execute permissions in home only to the account holder leaving out other users on the same system, if I have understood it correctly. For a brief explanation: https://www.lifewire.com/uses-of-command-chmod-2201064
For a little more thorough explanation: https://www.computerhope.com/unix/uchmod.htm

Re: Security Breach!!

Posted: Mon Jun 18, 2018 4:54 am
by Pjotr
Moem wrote: Mon Jun 18, 2018 4:42 am
Pjotr wrote: Mon Jun 18, 2018 4:29 am Solve it with this terminal command:

chmod -v 700 $HOME

Repeat this in each user account that needs the same protection.

Interesting. What exactly is it that this command does?

It changes the permissions for your /home folder. 700 protects against any access from other users, while the issuing user (you) still has full access.

Default is 755, which means that the contents of your /home folder are both readable and executable by others, but only changeable by the issuing user (you).

I don't know why 755 is default; 700 makes more sense to me. Oh well, it's easy to change.... :mrgreen:
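
The check karlchen describes (ls -al /home) and the 755 versus 700 distinction explained above can be scripted. The following is an added example, not part of the original thread: it reports every home directory whose group or other permission bits are set. It assumes GNU stat; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag home directories that are not private.
# Assumes GNU stat (coreutils). All function names here are hypothetical.

# classify_home DIR: print "private", "group" or "world" for DIR's mode.
classify_home() {
    mode=$(stat -c '%a' "$1") || return 2   # octal mode, e.g. 755 or 2755
    other=$((mode % 10))                     # last digit: bits for "others"
    group=$((mode / 10 % 10))                # second to last digit: bits for the group
    if [ "$other" -ne 0 ]; then echo world
    elif [ "$group" -ne 0 ]; then echo group
    else echo private
    fi
}

# audit_homes [BASE]: list "MODE LEVEL PATH" for each directory under BASE
# (default /home) that someone besides the owner can access.
# Returns 0 when every home is private, 1 otherwise.
audit_homes() {
    base=${1:-/home}
    exposed=0
    for dir in "$base"/*; do
        # Skip plain files and symlinks; only real directories are homes.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        level=$(classify_home "$dir") || continue
        if [ "$level" != private ]; then
            printf '%s %s %s\n' "$(stat -c '%a' "$dir")" "$level" "$dir"
            exposed=$((exposed + 1))
        fi
    done
    [ "$exposed" -eq 0 ]
}

# make_sample_tree: build a constructed stand-in for /home and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/alice" "$t/bob" "$t/carol"
    chmod 755 "$t/alice"   # the default discussed in the thread
    chmod 700 "$t/bob"     # after chmod 700
    chmod 750 "$t/carol"   # closed to others, still open to the group
    echo "$t"
}

# Demo on the constructed tree; run "audit_homes /home" on a real system.
tree=$(make_sample_tree)
audit_homes "$tree" || echo "home directories accessible to other users found"
rm -rf "$tree"
```

A directory reported as "group" is only exposed to members of its owning group, which on a default install is usually the user's own private group.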

Re: Security Breach! - Home directories readable to other users

Posted: Mon Jun 18, 2018 8:20 am
by JerryF
That perplexed me when I found out that 755 is the default for a /Home/user account.

For an OS such as Linux that prides itself on security, that doesn't seem like a good idea.

Re: Security Breach! - Home directories readable to other users

Posted: Mon Jun 18, 2018 9:10 am
by all41
Proper permissions is still a somewhat perilous assumption of security.
You can easily change the attributes when booted into a live desktop.
The only real solution is encryption.

Re: Security Breach! - Home directories readable to other users

Posted: Mon Jun 18, 2018 9:32 am
by rene
Recently discussed here as well: viewtopic.php?f=90&t=270507#p1477086.

I.e., you may want a system-wide backup solution to have access to home directories; having to run it as root only for that would with fair chance be the bigger security breach. But also as per above, anyone feel free to chmod their home, and here's official Ubuntu documentation saying the same:

https://help.ubuntu.com/lts/serverguide ... e-security

I do not myself run or have identified software that needs global home directory access but have taken the fact that turning them private is not default as a sign that some will exist. Yes, that's dangerously close to Cargo Cult Administration but given that I don't have untrusted local users either, oh well: Debian-derivative is as Debian does...

Re: Security Breach! - Home directories readable to other users

Posted: Sat Aug 25, 2018 11:04 pm
by benali72
Remember that permissions only enforce security for users operating within that linux instance. Someone could easily circumvent this by booting a live linux (like Puppy).

The only defense against this is encryption. For this reason if you have any concerns about data privacy & security, encrypt the home directories!