How to prevent standard users from accessing other file directory in ubuntu -12-04 desktop? [duplicate]

If from a terminal CTRL+ALT+T you enter the following command

ls -la /

You should see something like this

warren@min:~$ ls -la /
total 84
drwxr-xr-x  22 root root  4096 Jun 20 16:13 .
drwxr-xr-x  22 root root  4096 Jun 20 16:13 ..
drwxr-xr-x   2 root root  4096 Jun 20 15:58 bin
drwxr-xr-x   3 root root  4096 Jun 20 16:15 boot
drwxr-xr-x  15 root root  4080 Jul  4 09:12 dev
drwxr-xr-x 120 root root  4096 Jul  4 09:38 etc
drwxr-xr-x   3 root root  4096 Mar 20 14:50 home
lrwxrwxrwx   1 root root    37 Jun 20 16:13 initrd.img -> /boot/initrd.img-3.2.0-48-generic-pae
lrwxrwxrwx   1 root root    37 Jun  3 13:51 initrd.img.old -> /boot/initrd.img-3.2.0-45-generic-pae

List cut short

This shows that all the directories are already restricted. Lets take an example.

drwxr-xr-x   2 root root  4096 Jun 20 15:58 bin

The first bit drwxr-xr-x describes the permissions then we have the owner root followed by the group root followed the size then the time and date and finally the name.

The permissions drwxr-xr-x can further be split into 4 sections

The first character d in this case says this is a directory but you will also see l for link and - for a normal file.

The next 3 characters rwx in this case are the permissions for the owner. In this case we have r the owner can read the file or directory w write and x execute.

The next three are for members of the group in this case r-x indicates that people that are in the group root but are not the user root can read and execute but not write.

The final three characters are for everyone else in this case r-x gives everyone read and execute access but not write.

In the case of a directory d type the execute privilege means that you can enter the directory. For a normal file - type or link l this indicates it can be run as a program.

For the directories you are asking about normal users are already restricted to read and execute.


If you want to change these permissions you can use the chmod command as described here or do it graphically by running nautilus as root gksudo nautilus

But as pointed out by bodi.zazen It's not recommended for system directories and files.


You can not really restrict users from those directories as they need access to the libraries and binaries, /bin/bash for example.

IMO you have two ways to restrict users access.

The first is with standard permissions. In general, however, it is a very bad idea to start using chown and chmod on system files as you are likely to break Ubuntu and need to re-install. IMO chown and chmod should be uses only of files in your home directory or shared directories, but not system directories /bin or /lib

The reason is that all users will need to access the binaries and libs such as /bin/bash

If you need to restrict uses beyond the standard permissions, then use apparmor.

An easy way of using apparmor is to use the guest account. If you need restriction beyond that you would have to write your own profile, as a template, use this template:

http://ubuntuforums.org/showpost.php?p=9799756&postcount=5

You need to have a firm understanding of system files and what you need to allow and restrict.

Alternately you can use tools such as LXC or chroot jails, but, IMO, they are no easier to configure, require a bit more maintenance, and are less secure (it is hard to break out of Apparmor, easier to break out of a jail).