Hi, I'm new to Zorin (and Linux in general). Looking to reinvigorate a couple of old home computers with a new OS and have have been trying out Ubuntu, Linux Mint, and Zorin OS Core 16.3 for a few days. The computers will be multiuser computers so have been particularly interested in multiuser account setup and behaviour. I don't know much about the terminal yet, so have only been using the GUI to setup new user accounts and browse the file system.
In Ubuntu and Linux Mint, when I login to the computer via a standard user account, I'm blocked from entering the home folder of other users (am asked to enter an admin password to gain access). Even when logged in via an admin account, I can't go straight into the home folder of other users; I first have to enter my admin account password.
In stark contrast, in Zorin OS I can browse the home folders and open files of other users without any restriction (there is no prompt to enter an administrator password). This happens even when logged in as a standard account, and I've experienced this behaviour on two separate installations. Is this normal behaviour for Zorin OS? If it is, can I do something to make Zorin behave like Ubuntu?
You can set the permissions for the Home Directory to 7(That User)0(UserGroup)0(Others) - 700
This can be done in One Quick terminal command.
Launch terminal from app menu or with the keyboard shortcut ctrl+alt+t
Copy this and paste it in using right click or keyboard shortcut ctrl+shift+v
sudo chmod 700 /home/*
While you are in terminal... Let's elevate to Root (And now you will know how to do this) and launch your GUI tools while in Root to give them Admin Access:
sudo -i
Launch the file manager (Zorin OS Core)
nautilus
Now your file manager is elevated to root. Navigate in the left pane to "Other locations" and in the Right Pane to "computer"
Now, double click on the etc directory.
Scroll down past the Folders to the file named adduser.conf. You can also just type adduser into the file manager window and it should move to and highlight that file.
Right click that file and select to open it with Text Editor.
In the Text Editor, tap ctrl+f (Find) and search for DIR_MODE
It should take you to line 56. Change value from 0755 to 0700
Save and close.
Close the elevated file manager.
In the still open terminal, type
exit
and then close it. The above steps ensure that when a new user account is created, it is set to your preferred permissions by default. And... it gave you a bit of practice and familiarity.
I would recommend running the sudo chmod 700 /home/* on any already existing user accounts - just log into each one and set their permissions.
I could only speculate as to why this default is set to 755. So, I will tag @AZorin and @zorink if they can provide clarity to this default.
Thanks again for these instructions. They were easy to follow and worked just as described! For any other novice reading this, I also found the end of the following article helpful for a bit of additional context: How To Change File or Directory Permissions in Linux | Tom's Hardware
Why do you recommend running this from within each existing account? Doesn't the asterisk apply it to everything already in /home, in which case I would have thought you only need to do from within one account?
Thanks. Yes, would be interesting to know. It certainly differs from the behaviour I expected.
I would prefer to run this command to ensure that files and folders are treated differently:
find /home/<target_username> -type d -exec chmod 700 {} \;
find /home/<target_username> -type f -exec chmod 600 {} \;
With the snippet proposed by Aravisian all your files would be granted executable permissions. There's nothing wrong with that, really, but I find it a bit annoying while browsing files through the terminal as files with this permission all have the same color, as opposed to be highlighted based on their file type.
There's a default value called umask that sets the default permission whenever a new file is created. Simply run umask in the terminal to find out what that value is. In ZorinOS that value is set to 0002 (the extra zero means is an octal number).
This value is then subtracted from the default permissions that are given to new files and directories, which are 666 and 777, respectively. Basically, without this mask applied there would be no security as all users would be able to read, write and execute all files created.
When you create a new directory the permissions assigned are:
File Type
Base Permissions
umask
Result
directory
777
0002
775
file
666
0002
664
Basically, owners have all the permissions that you would expect, while other users have the ability to navigate and read, but not write, those files and directories.
You can change this umask value yourself by running umask 0077 which would remove all permissions from new files and directories except for the owner. Be careful with this though, try it and test it first!
Something I'm not clear on is the difference between the 777 directories default you refer to here and the 755 dir_mode default that was found in the adduser.conf file that was mentioned earlier. Could you clarify?
That refers only the home folder of that user when it's created, it doesn't apply to new files and directories created after the fact. Setting the home folder to something like 700 alone should be enough to prevent other users from reading its contents.
Running it from each account is harmless, but it is not unusual I give a terminal command that really should and does work and the user returns a moment later and posts it didn't work. You're right. I was being overly-cautious.
I probably would, too. I use ZSH with powerlevel10k.
Thanks for going the extra distance.