Users can read other users files !?  [Solved]

For questions regarding system and application security
SpongeBOB
Posts: 79
Joined: Mon Apr 26, 2021 4:57 am

Users can read other users files !?

#1 Post by SpongeBOB »

Hi everyone,

I just installed MXlinux 19.4

I realize that users can read other users' files ( /home/JDoe )

Is this specific to MXlinux? How can I change this behavior by default, so that any other created account will not have access to other users' files?

Thanks.
If the freedom of expression is limited to the ideas that we like, it is not freedom of expression.

dolphin_oracle
Developer
Posts: 22624
Joined: Sun Dec 16, 2007 12:17 pm

Re: Users can read other users files !?

#2 Post by dolphin_oracle »

you can change the ownership of the home folder so that only your user has access.

by default, users can see files but not edit them. this is not specific to MX.
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Live system help document: https://mxlinux.org/wiki/help-antix-live-usb-system/

manyroads
Posts: 2657
Joined: Sat Jun 30, 2018 6:33 pm

Re: Users can read other users files !?

#3 Post by manyroads »

Nope... time for some basic Linux courses methinks. You really will do yourself a huge disservice if you do not understand some Linux basics. Here are a few:
https://www.lifewire.com/beginners-guid ... ux-4090233
https://www.udemy.com/course/linux-basi ... beginners/
https://itsfoss.com/free-linux-training-courses/
https://web.njit.edu/~alexg/courses/cs3 ... torial.pdf

EDIT (Just found this online for free) ===> https://www.iiitd.edu.in/~amarjeet/File ... %209th.pdf

Read all the current MX documentation as well==>https://mxmanuals.s3.us-east-2.amazonaw ... 9/mxum.pdf
Last edited by manyroads on Mon Apr 26, 2021 12:25 pm, edited 1 time in total.
Pax vobiscum,
Mark Rabideau - ManyRoads Genealogy -or- eirenicon llc. (geeky stuff)
i3wm, bspwm, hlwm, dwm, spectrwm ~ Linux #449130
"For every complex problem there is an answer that is clear, simple, and wrong." -- H. L. Mencken

timkb4cq
Developer
Posts: 3620
Joined: Wed Jul 12, 2006 4:05 pm

Re: Users can read other users files !?

#4 Post by timkb4cq »

It's common to most desktop linux distributions. File permissions are controlled by your umask
https://geek-university.com/linux/set-t ... ted-files/

A user's umask is usually set to 0022. If you set it to 0037

Code:

umask 0037
users sharing your group can read but not write to or execute it and others (except for root) have no permissions. 0077 lets just you access your newly made files.
To enable a new default umask, add the appropriate line to your ~/.bashrc file.
You can use chmod to reset the permissions of your existing files.
HP Pavillion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB
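
Added example, not part of the original post: the sketch below creates a file and a directory under each umask mentioned above and reports the resulting modes, then shows chmod removing group/other access from an existing tree. It assumes GNU stat (`stat -c`), as found on Debian-based systems; the function names `modes_for_umask` and `lock_down` are made up for this illustration, and everything happens in throwaway temp directories.

```shell
#!/bin/sh
# Added example: what a umask does to newly created files and directories.

# modes_for_umask MASK -> prints "FILEMODE DIRMODE", e.g. "644 755".
# Runs in a subshell so the caller's own umask is left unchanged.
modes_for_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/file"       # files are requested with 666, minus the umask bits
        mkdir "$tmp/dir"      # directories are requested with 777, minus the umask bits
        printf '%s %s\n' "$(stat -c %a "$tmp/file")" "$(stat -c %a "$tmp/dir")"
        rm -rf "$tmp"
    )
}

# lock_down DIR -> strip all group/other permissions from an existing tree.
# umask only affects files created later; existing ones need chmod.
lock_down() {
    chmod -R go-rwx -- "$1"
}

# Demo: the three umask values discussed in the thread.
for mask in 0022 0037 0077; do
    printf 'umask %s -> file/dir modes: %s\n' "$mask" "$(modes_for_umask "$mask")"
done

# Demo: a file created under 022 stays world-readable until chmod is applied.
demo=$(mktemp -d)
( umask 0022; : > "$demo/old-file" )
printf 'before lock_down: %s\n' "$(stat -c %a "$demo/old-file")"
lock_down "$demo"
printf 'after lock_down:  %s\n' "$(stat -c %a "$demo/old-file")"
rm -rf "$demo"
```
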

SpongeBOB
Posts: 79
Joined: Mon Apr 26, 2021 4:57 am

Re: Users can read other users files !?

#5 Post by SpongeBOB »

Thank you @manyroads & @timkb4cq !
I know my question was basic but please refer to my signature :)
If the freedom of expression is limited to the ideas that we like, it is not freedom of expression.

manyroads
Posts: 2657
Joined: Sat Jun 30, 2018 6:33 pm

Re: Users can read other users files !?

#6 Post by manyroads »

@SpongeBOB No problem at all. I sourced all the courses to help you find some sources of basic info. Learning is something I suggest/offer as an offer of assistance. We all benefit by acquiring new knowledge. And... we all have more to learn. ;)

Sterling
Posts: 13
Joined: Mon Apr 26, 2021 2:24 pm

Re: Users can read other users files !?

#7 Post by Sterling »

MX Linux could actually implement a much better solution, though, than users having to learn to manually change file and directory permissions.

The solution could allow to have both, private home directories and sharing directories for the individual users and groups.

It would be based on making Debian's default user's private group configuration work
(https://wiki.debian.org/UserPrivateGroups), and then creating proper directories with a script like this one:
https://salsa.debian.org/freedombox-tea ... ippets/518

For example, there is then only publicly readable,

Code:

/home/JDoe
/home/JDoe/public_html
while $HOME points to

Code:

/home/JDoe/private
to contain all the user's files by default (inaccessible to other users).

And group wise collaboration can occur in places like

Code:

/home/group/family
/home/group/family/private
/home/group/family/incoming
Last edited by Sterling on Mon Apr 26, 2021 8:12 pm, edited 1 time in total.

figueroa
Posts: 1106
Joined: Thu Dec 20, 2018 11:20 pm

Re: Users can read other users files !?

#8 Post by figueroa »

Traditionally, Linux set the default system umask with a line in /etc/profile, i.e.

Code:

umask 022
Debian seems to have turned this function over to systemd, although apparently this can be overridden by the display manager and/or desktop. Searching the internet on this, there seems to be a bit of consternation about how users can better control this basic function. Each user's .profile contains the following:

Code:

# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
Andy Figueroa
Using Unix from 1984; GNU/Linux from 1993

tony37
Posts: 1306
Joined: Sat Jul 18, 2020 12:34 pm

Re: Users can read other users files !?

#9 Post by tony37 »

I notice that this is different in Manjaro (and maybe other Arch distros), the folders in /home have 'drwx------' permissions there. I can't really figure out which file regulates this, does anyone know?
edit: the answer is: /etc/login.defs, there you can change the UMASK value to 077 instead of 022 for more privacy
a quote from the file:
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
Last edited by tony37 on Mon Apr 26, 2021 5:26 pm, edited 1 time in total.

Stuart_M
Posts: 699
Joined: Wed Aug 07, 2019 7:10 pm

Re: Users can read other users files !?  [Solved]

#10 Post by Stuart_M »

I wanted to change my umask value to 077 but it took me hours of searching the Internet until I finally found the solution. And yes, there is a lot of conflicting information on the Internet about how to make a permanent and system-wide umask change (by "system-wide" I mean having all applications follow the new umask value).

This is my experience.

I never had complete success with changing the umask value in ~/.bashrc - it only partially worked. By "partially worked" I mean that the change was permanent and it did create new files and directories using the new umask value like it should, BUT ONLY when using the Terminal to create them.

The problem was that it did not work when files and directories were created outside the Terminal, for example in LibreOffice, FeatherPad, Thunar, browser, etc. because for some reason those applications used the default umask 022 value and not 077 that I wanted and that had been added to ~/.bashrc (Umask 022 gives 644 and 755 permissions for files/directories respectively while umask 077 will give 600/700 permissions for files/directories).

The solution for me was to edit "/etc/pam.d/common-session" and add the line in the below code window. (I use 077 because it will give "user" (me) read and write permissions for new files and read/write/execute for new directories, and nothing for "group" and "other" categories.) I added it to the end of the "common-session" file.

Code:

session optional pam_umask.so umask=077

The above is the only thing that worked correctly. I had tried six different files from hours of Internet searching.

1. ~/.bashrc - "umask 077" worked permanently but only when creating files/directories in the Terminal. Outside applications used the default umask 022 value.

2. ~/.profile - "umask 077" never worked

3. /etc/bash.bashrc - "umask 077" never worked

4. /etc/profile - "umask 077" never worked

5. /etc/login.defs - "umask 077" never worked. I had changed line 151 umask value to 077 vice 022 and line 224 "USERGROUPS_ENAB yes" changed to "no". (There was conflicting information from different forums/websites on this working.)

6. /etc/pam.d/common-session - "umask 077" works fine - see solution paragraph above.

Edit: I logged out/in after editing a file. I had also tried combinations of the above, e.g. 1, 3, 5, and 4 together (all unsuccessfully). #6 is the only one that worked completely.
Last edited by Stuart_M on Mon Apr 26, 2021 5:33 pm, edited 1 time in total.
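
Added example, not part of the original post: a way to check which running processes actually picked up a new umask, which is the difference between terminal and desktop applications described above. It reads the `Umask:` field that Linux (4.7 and later) exposes in /proc/PID/status; the function names `looser_than` and `audit_umasks` and the 077 target are choices made for this illustration.

```shell
#!/bin/sh
# Added example: list a user's processes whose umask is looser than wanted.
# Reads the "Umask:" field of /proc/PID/status (Linux 4.7 and later).

# looser_than MASK WANTED: true if MASK leaves open a bit that WANTED clears.
looser_than() {
    [ $(( 0$2 & ~0$1 & 0777 )) -ne 0 ]
}

# audit_umasks WANTED UID [PROCROOT]: print "PID<TAB>UMASK<TAB>NAME" per offender.
# PROCROOT defaults to /proc; it is a parameter so the parser can be tested.
audit_umasks() {
    au_wanted=$1 au_uid=$2 au_root=${3:-/proc}
    for au_st in "$au_root"/[0-9]*/status; do
        # Processes may exit while we iterate; skip anything unreadable.
        au_line=$(awk -v uid="$au_uid" '
            $1 == "Umask:" { mask = $2 }
            $1 == "Uid:"   { mine = ($2 == uid) }
            /^Name:/       { sub(/^Name:[ \t]*/, ""); name = $0 }
            END { if (mine && mask != "") print mask, name }
        ' "$au_st" 2>/dev/null) || continue
        [ -n "$au_line" ] || continue
        au_mask=${au_line%% *}
        if looser_than "$au_mask" "$au_wanted"; then
            au_pid=${au_st%/status}
            printf '%s\t%s\t%s\n' "${au_pid##*/}" "$au_mask" "${au_line#* }"
        fi
    done
}

# After logging out and back in, anything listed here did not pick up umask 077.
if [ -d /proc/self ]; then
    audit_umasks 077 "$(id -u)"
fi
```

An empty listing after a fresh login means every process of that user, graphical or not, runs with a umask at least as strict as 077.
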
