Why can other users see the files in my home folder?

A Public folder exists in your Home directory (/home/user) for sharing files with other users. If another user wants to get access to this Public folder, the execute bit for the world should be set on the Home directory.

If you do not need to allow others to access your home folder (other humans or users like www-data for a webserver), you'll be fine with chmod o-rwx "$HOME" (remove read/write/execute from "other", equivalent to chmod 750 "$HOME" since the default permission is 750). Otherwise, you should change the umask setting too to prevent newly created files from getting read permissions for the world by default.

For a system-wide configuration, edit /etc/profile; per-user settings can be configured in ~/.profile. I prefer the same policy for all users, so I'd edit the /etc/profile file and append the line:

umask 027

You need to re-login to apply these changes, unless you're in a shell. In that case, you can run umask 027 in the shell.

Now to fix the existing permissions, you need to remove the read/write/execute permissions from other:

chmod -R o-rwx ~

Now if you decide to share the ~/Public folder with everyone, run the next commands:

  • chmod o+x ~ - allow everyone to descend in the directory (x), but not get a directory listing (r should not be added)
  • find ~/Public -type f -exec chmod o+r {} \; - allow everyone to read the files in ~/Public
  • find ~/Public -type d -exec chmod o+rx {} \; - allow everyone to descend into directories and list their contents

If you are using GNU coreutils (e.g. on Ubuntu, not on an embedded system having only busybox), then the previous two commands using find and chmod can be replaced by this single command that recursively makes folders and files readable (and additionally adds the execute (descend) bit for directories only):

chmod -R o+rX ~/Public
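
Added example (not part of the original answer): a shell script that applies the commands above to a constructed temporary tree and audits the result, so the same checks can be pointed at a real home directory afterwards. The function names and sample files are made up for this illustration, and it assumes a stat that supports -c and a find that supports -mindepth.

```shell
#!/bin/sh
# Added example; function names and the sample tree are constructed here.
# Assumes `stat -c` and `find -mindepth` (GNU coreutils/findutils, busybox).

# Print every path under home $1 that still grants any permission to "other",
# skipping ~/Public, which is shared on purpose.
leaks_outside_public() {
    find "$1" -mindepth 1 -path "$1/Public" -prune -o \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeed if "other" has at most x on the home directory itself (no r, no w).
home_is_traverse_only() {
    case "$(stat -c %a "$1")" in
        *0|*1) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the mode a new file gets under umask $1 (027 gives 640).
new_file_mode() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; : > "$d/f" )
    stat -c %a "$d/f"
    rm -rf "$d"
}

# Build a legacy-style home (dirs 755, files 644), apply the answer's
# commands to it, and print its path.
make_sample_home() {
    h=$(mktemp -d) || return 1
    (
        umask 022
        mkdir -p "$h/.ssh" "$h/Public/docs"
        echo secret > "$h/.ssh/id_demo"
        echo notes  > "$h/notes.txt"
        echo shared > "$h/Public/docs/readme.txt"
    )
    chmod 755 "$h"
    chmod -R o-rwx "$h"          # drop all access for "other"
    chmod o+x "$h"               # others may traverse, not list
    chmod -R o+rX "$h/Public"    # r on files, x on directories only
    echo "$h"
}

home=$(make_sample_home)
echo "home mode: $(stat -c %a "$home")"
echo "leaks outside Public: $(leaks_outside_public "$home" | wc -l)"
rm -rf "$home"
```

Running leaks_outside_public "$HOME" on a real account lists anything a later chmod or a program with a looser umask has re-exposed.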

According to an Ubuntuforums.org staff member, it is to make it easier to share files between new users.

You can change the permission to either 700 or 750 if you don't want the files readable and executable by others.

Command is:

chmod 750 "$HOME"

Note: Ubuntu default is 755


Ubuntu 21.04 and later releases have a secure default, see this blog article (archived link) linked by stackprotector in the comments section:

for new installations of Ubuntu 21.04, or for users created on a machine that has been upgraded to Ubuntu 21.04, home directories will be private by default.

However, the article implies that users created on Ubuntu < 21.04 will not be fixed automatically, even after applying security updates or upgrading to Ubuntu 21.04 or later. These users can be corrected by hand, with the following commands taken from the article.

To fix all existing users:

sudo chmod 750 /home/*

To fix the default for users that will be created in the future:

sudo sed -i s/DIR_MODE=0755/DIR_MODE=0750/ /etc/adduser.conf
echo "HOME_MODE 0750" | sudo tee -a /etc/login.defs

For Ubuntu < 21.04:

According to Mark Shuttleworth, Canonical's founder and CEO,

"The majority of users of Ubuntu systems either have exclusive use of the machine (personal laptop) or are sharing with friends and relatives. We assume that the people who share the machine are either trusted, or in a position to hack the machine (boot from USB!) trivially. As a result, there is little to no benefit"

... from removing those permissions.


You can read the User Management section of the Ubuntu Server Guide which covers the necessary details. The User Profile Security paragraph will probably answer your questions - officially.