How to hide other users' home directories on Linux

I run several systems with hundreds of home directories (a custom web hosting setup, where third parties can have control of certain accounts).

Currently any user could SSH in (or via a script) do "ls /home" and see all the accounts on the server. They can't do anything with that information of course, "ls /home/user" would fail, however I'm wondering how "ls /home" could just show the current user's folder.

I've seen a few exploit attempts in the past (clients with insecure code/bad passwords - another topic) where the attacker makes a folder in one account, and then makes an array of symlinks looking at other home folders and trying to guess for sensitive file locations and hoping permissions are weak somewhere. By hiding "ls /home" this would frustrate them and I don't think they usually try too many other techniques.

Just an additional safety net, ideally without going down the path of chroot or jails. It's mostly just to break automated scripts if someone did gain access. The permissions are secure so users only have read/write access inside their own home folder.


> Currently any user could SSH in (or via a script) do "ls /home" and see all the accounts on the server. They can't do anything with that information of course, "ls /home/user" would fail, however I'm wondering how "ls /home" could just show the current user's folder.

Remove the 'read' permission from /home with chmod go-r.

(Make sure to keep the 'execute' permission, however, as it is needed to let users themselves access their home directories. That is, /home must be rwx --x --x at minimum.)

This is not very useful if you still give full interactive SSH access. It would be much more useful to limit your users to only SFTP and Git somehow.

> By hiding "ls /home" this would frustrate them and I don't think they usually try too many other techniques

They'll just read /etc/passwd to get the list of users.

> I've seen a few exploit attempts in the past (clients with insecure code/bad passwords - another topic) where the attacker makes a folder in one account, and then makes an array of symlinks looking at other home folders and trying to guess for sensitive file locations and hoping permissions are weak somewhere. By hiding "ls /home" this would frustrate them and I don't think they usually try too many other techniques.

Fix the actual problem by not letting all your webapps run under the same "www-data" account – if each webapp has its own UID (and e.g. its own php-fpm pool under that UID), then you'll be able to enforce that the website directories are not publicly accessible, via symlinks or not.

(I don't actually know how to do this with regular webservers for static files.)
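An audit of the modes discussed in the answer, as an added example that is not part of the original question or answer. The function names, the finding labels and the rule that each home directory should carry no group/other bits are assumptions made for this sketch; it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: audit a home base directory for the modes discussed above.
# Requires GNU stat (-c '%a'). Run as root so the glob can list the base.

# Group+other permission bits of a path, printed as a decimal number.
go_bits() {
    m=$(stat -c '%a' "$1") || return 1
    echo $(( 0$m & 077 ))
}

# Prints one finding per line; returns 0 if clean, 1 if anything was flagged,
# 2 if the base directory cannot be examined.
audit_home_base() {
    base=${1:-/home}
    rc=0
    bits=$(go_bits "$base") || return 2

    # A read bit on the base lets any user enumerate accounts with ls.
    if [ $(( $bits & 044 )) -ne 0 ]; then
        echo "LISTABLE $base: fix with chmod go-r"
        rc=1
    fi
    # The execute bits must stay, or users cannot reach their own home.
    if [ $(( $bits & 011 )) -ne $(( 011 )) ]; then
        echo "NO-TRAVERSE $base: fix with chmod go+x"
        rc=1
    fi

    # Assumption: every home should be owner-only (no group/other bits).
    for home in "$base"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        [ -L "$home" ] && continue      # a symlink's own mode is meaningless
        hbits=$(go_bits "$home") || continue
        if [ "$hbits" -ne 0 ]; then
            echo "OPEN-HOME $home: mode $(stat -c '%a' "$home")"
            rc=1
        fi
    done
    return $rc
}

# Typical call: audit_home_base /home
```

A clean result only covers directory listing and loose modes; account names remain readable in /etc/passwd, as the answer points out.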