How to hide other user's home directories on Linux

security linux permissions chmod chroot

I run several systems with hundreds of home directories (a custom web hosting setup, where third parties can have control of certain accounts).

Currently any user could SSH in (or via a script) do "ls /home" and see all the accounts on the server. They can't do anything with that information of course, "ls /home/user" would fail, however I'm wondering how "ls /home" could just show the current user's folder.

I've seen a few exploit attempts in the past (clients with insecure code/bad passwords - another topic) where the attacker makes a folder in one account, and then makes an array of symlinks looking at other home folders and trying to guess for sensitive file locations and hoping permissions are weak somewhere. By hiding "ls /home" this would frustrate them and I don't think they usually try too many other techniques.

Just an additional safety net, ideally without going down the path of chroot or jails. It's mostly just to break automated scripts if someone did gain access. The permissions are secure so users only have read/write access inside their own home folder.


Currently any user could SSH in (or via a script) do "ls /home" and see all the accounts on the server. They can't do anything with that information of course, "ls /home/user" would fail, however I'm wondering how "ls /home" could just show the current user's folder.

Remove the 'read' permission from /home with chmod go-r.

(Make sure to keep the 'execute' permission, however, as it is needed to let users themselves access their home directories. That is, /home must be rwx --x --x at minimum.)

This is not very useful if you still give full interactive SSH access. It would be much more useful to limit your users to only SFTP and Git somehow.

By hiding "ls /home" this would frustrate them and I don't think they usually try too many other techniques

They'll just read /etc/passwd to get the list of users.

I've seen a few exploit attempts in the past (clients with insecure code/bad passwords - another topic) where the attacker makes a folder in one account, and then makes an array of symlinks looking at other home folders and trying to guess for sensitive file locations and hoping permissions are weak somewhere. By hiding "ls /home" this would frustrate them and I don't think they usually try too many other techniques.

Fix the actual problem by not letting all your webapps run under the same "www-data" account – if each webapp has its own UID (and e.g. its own php-fpm pool under that UID), then you'll be able to enforce that the website directories are not publicly accessible, via symlinks or not.

(I don't actually know how to do this with regular webservers for static files.)

Related

Get path of the Desktop folder
Firefox 90: page actions button(s) missing: pin tab, copy link, etc
git fatal: pack has 1 unresolved delta (index-pack failed)
Where is bash's "shopt extglob" turned on for my interactive shell?
Failed to create SD card (& in AVD Folder)
How can I use math symbols in Ubuntu?
How to rename file names to avoid conflict in Windows or Mac?
Backup with rsync works but not in crontab
How to install google chrome manually in Ubuntu? [duplicate]
SSH into a machine and then launch an interactive command line program
How to run multiple commands in parallel and see output from both?
How to fix "en_DE.UTF-8" (locales) warnings? [duplicate]