[K12OSN] home directory permissions

John Lucas mrjohnlucas at gmail.com
Thu Jul 10 16:43:19 UTC 2008

> Ernie Hudson wrote:
>> Does anyone have an easy way to change the permissions on the home 
>> directories so that only the owner has access to them? We have some very 
>> bright students and they have found out that they can copy work from 
>> someone else and have more free time. I am using the 5EL and have 
>> single sign-on using Likewise Open from my Windows server using Active 
>> Directory. I know I can change them one at a time using “chmod 700 
>> filename”. I am not adept at writing scripts and hoping someone can help.
> Do get the basics of shell-scripting down.  I'd recommend heading over 
> to http://www.tldp.org and reading the Advanced BASH Scripting Guide.  
> That's how I learned how to do it.  Extremely handy skill and very 
> necessary, just as important as writing .BAT or .REG files on Windows.
> Now to your specific question.  That's pretty easy to do.  All you 
> really have to do is change the top level directory permissions under 
> /home, i.e. no recursion needed.  I'd do it like this, in a basic FOR loop:
> #!/bin/bash
> # Stop if /home is unavailable so chmod never runs in the wrong directory.
> cd /home || exit 1
> for dir in *
> do
>   # Quote the name so entries containing spaces are handled correctly.
>   chmod 700 "$dir"
> done
> If you want to recurse down and change everything in everyone's homedir 
> to permissions 700, just add the "-R" switch after "chmod".
> --TP

How are you creating your accounts? The command-line "useradd" utility gets 
its defaults from /etc/login.defs. The UMASK value in mine (CentOS v5.2) is 
set to "077" which should result in a user directory setting of "drwx------" 
(700 in octal, see man 2 umask for details). This is the value you want. The 
fact that this doesn't seem to be the case on your system means either you are 
using some other method to create user accounts/home directories or someone has 
changed either the UMASK setting or directory permissions.

If you are using pam_mkhomedir.so (sometimes used in conjunction with LDAP) to 
create user homedirs on first login, the default umask is 0022 which would give 
permissions: drwxr-xr-x (755 octal). If this is the case, add "umask=0077" 
to the pam_mkhomedir.so entry to give you the right permissions. See man 
pam_mkhomedir for details.

         "History doesn't repeat itself; at best it rhymes."
                         - Mark Twain

| John Lucas                MrJohnLucas at gmail.com               |
| St. Thomas, VI 00802      http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W              AST (UTC-4)                         |
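
Added example, not part of the original thread: a POSIX shell script that lists top-level home directories still open to group or other, sets them to 700 without recursing, and reports the umask a pam_mkhomedir.so line would apply. The function names, the demo tree and the sample PAM line are constructed for illustration, and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.
# Assumes GNU find (for -perm /077), as shipped on CentOS/RHEL.

# List top-level directories under $1 that grant any group/other access.
list_open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 | sort
}

# chmod 700 each one (top level only, as in the thread) and print what changed.
# find -type d does not match symlinks, so links under $1 are never followed.
tighten_homes() {
    list_open_homes "$1" | while IFS= read -r dir; do
        chmod 700 -- "$dir" && printf '%s\n' "$dir"
    done
}

# Print the umask pam_mkhomedir.so will apply according to PAM file $1:
# its umask= option if set, otherwise the 0022 module default the post cites.
# Returns 1 when no active (uncommented) pam_mkhomedir.so line exists.
mkhomedir_umask() {
    line=$(grep -E '^[^#]*pam_mkhomedir\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    case "$line" in
        *umask=*) line=${line#*umask=}; printf '%s\n' "${line%%[[:space:]]*}" ;;
        *)        echo 0022 ;;
    esac
}

# Constructed demo: a throwaway tree standing in for /home, plus a sample PAM line.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/alice" "$base/bob" "$base/carol"
    chmod 755 "$base/alice"; chmod 700 "$base/bob"; chmod 750 "$base/carol"
    printf 'session required pam_mkhomedir.so skel=/etc/skel\n' > "$base/pam.sample"
    echo "open before: $(list_open_homes "$base" | wc -l)"
    tighten_homes "$base" >/dev/null
    echo "open after:  $(list_open_homes "$base" | wc -l)"
    echo "mkhomedir umask: $(mkhomedir_umask "$base/pam.sample")"
    rm -rf "$base"
}

# Usage: script demo | script audit [dir] | script fix [dir]
case "${1:-}" in
    demo)  demo ;;
    audit) list_open_homes "${2:-/home}" ;;
    fix)   tighten_homes "${2:-/home}" ;;
esac
```

Running `audit` first shows what `fix` would change; directories created later by pam_mkhomedir.so keep getting the looser mode until its umask option is set.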
