How to ensure that all new user home directories are created without world-readable permissions in Linux

By default, standard users can view the home directory of other users. Here is a simple way to avoid this for newly created users.

If you are administering a Linux server, it is likely that this server is used by many users. In fact, you probably created these users yourself. Or maybe another admin created the users. Either way, there are probably a number of users working on the server, each with their own home directory. The thing is, when these home directories were initialized, chances are they were created with world-readable permissions. This means that anyone on the server can read the contents of other users’ files. Although they cannot modify these files, they can still read them. For some companies, this may be considered a security issue. If so, what do you do? If the users have already been created, you must manually browse and remove the world-readable permissions with a command such as:

sudo chmod 0750 /home/USER

Where USER is the actual user name.

But you don’t want to have to keep doing this because it would be a waste of your precious time. Instead, why don’t you configure the system so that whenever you create a new user, that user’s home directory will be created without world-readable permissions. This is the way to go.

I’ll show how to do this on Ubuntu Server 18.04, but the process is the same for almost all Linux distributions.

What you will need

Simple. You will need a working Linux distribution, an account with sudo privileges, and your favorite text editor (mine being nano).

Adduser.conf

When you create a new user, with the adduser command, the user defaults are taken from the /etc/adduser.conf file. For this reason, we are going to make a change to the file so that each new user home directory added will be without world-readable permissions. To do this, open this file with the command sudo nano /etc/adduser.conf (replace nano with your favorite text editor).

With this file open, look for the DIR_MODE line. The default value for this line will be:

DIR_MODE=0755

This is what is responsible for giving the new user’s home directory the permission we don’t want. Replace this line with:

DIR_MODE=0750

Save and close this file. Now run the command:

sudo adduser USERNAME

Where USERNAME is the name of the new username to add. Review the questions about adding the user (Figure A).

Figure A

Once the user is created, run the command ls -l /home to see that the new user was created without global r permissions (Figure B).

Figure B

From then on, each new user will be created with a more secure home directory. Without sudo permissions, users will not be able to view the contents of these home directories. Of course, using sudo users can view the contents of other home directories, so not giving standard users sudo privileges may be a policy you might want to consider. The good news is that creating new users with the adduser command does not automatically add them to the sudo group. So that shouldn’t be a problem.

Enjoy the extra security

With this new configuration in place, your users can rest assured that no other standard users will be able to see the contents of their home folders. For any Linux system on which multiple users log in and work, this can be considered a requirement for administrators. Take advantage of that extra layer of security.

Comments are closed.