How to prevent standard users from accessing other file directory in ubuntu -12-04 desktop? [duplicate]
If from a terminal CTRL+ALT+T you enter the following command
ls -la /
You should see something like this
warren@min:~$ ls -la /
total 84
drwxr-xr-x 22 root root 4096 Jun 20 16:13 .
drwxr-xr-x 22 root root 4096 Jun 20 16:13 ..
drwxr-xr-x 2 root root 4096 Jun 20 15:58 bin
drwxr-xr-x 3 root root 4096 Jun 20 16:15 boot
drwxr-xr-x 15 root root 4080 Jul 4 09:12 dev
drwxr-xr-x 120 root root 4096 Jul 4 09:38 etc
drwxr-xr-x 3 root root 4096 Mar 20 14:50 home
lrwxrwxrwx 1 root root 37 Jun 20 16:13 initrd.img -> /boot/initrd.img-3.2.0-48-generic-pae
lrwxrwxrwx 1 root root 37 Jun 3 13:51 initrd.img.old -> /boot/initrd.img-3.2.0-45-generic-pae
List cut short
This shows that all the directories are already restricted. Lets take an example.
drwxr-xr-x 2 root root 4096 Jun 20 15:58 bin
The first bit drwxr-xr-x
describes the permissions then we have the owner root
followed by the group root
followed the size then the time and date and finally the name.
The permissions drwxr-xr-x
can further be split into 4 sections
The first character d
in this case says this is a directory but you will also see l
for link and -
for a normal file.
The next 3 characters rwx
in this case are the permissions for the owner. In this case we have r
the owner can read the file or directory w
write and x
execute.
The next three are for members of the group in this case r-x
indicates that people that are in the group root
but are not the user root
can read and execute but not write.
The final three characters are for everyone else in this case r-x
gives everyone read and execute access but not write.
In the case of a directory d
type the execute privilege means that you can enter the directory. For a normal file -
type or link l
this indicates it can be run as a program.
For the directories you are asking about normal users are already restricted to read and execute.
If you want to change these permissions you can use the chmod
command as described here or do it graphically by running nautilus as root gksudo nautilus
But as pointed out by bodi.zazen It's not recommended for system directories and files.
You can not really restrict users from those directories as they need access to the libraries and binaries, /bin/bash for example.
IMO you have two ways to restrict users access.
The first is with standard permissions. In general, however, it is a very bad idea to start using chown
and chmod
on system files as you are likely to break Ubuntu and need to re-install. IMO chown and chmod should be uses only of files in your home directory or shared directories, but not system directories /bin or /lib
The reason is that all users will need to access the binaries and libs such as /bin/bash
If you need to restrict uses beyond the standard permissions, then use apparmor.
An easy way of using apparmor is to use the guest account. If you need restriction beyond that you would have to write your own profile, as a template, use this template:
http://ubuntuforums.org/showpost.php?p=9799756&postcount=5
You need to have a firm understanding of system files and what you need to allow and restrict.
Alternately you can use tools such as LXC or chroot jails, but, IMO, they are no easier to configure, require a bit more maintenance, and are less secure (it is hard to break out of Apparmor, easier to break out of a jail).