Allow a user to read some other users' home directories

You can use ACLs to grant access to a particular directory to an arbitrary group.

For example, if you ran setfacl -m g:dba:rwx /home/foo, then members of the dba group would have rwx permissions on it, regardless of which group owns the directory.

You'll probably also want to set the "default" ACL (the ACL for newly-created objects inside the directory) to also include this permission.


If the users are cooperative, you can use access control lists (ACLs). Set an ACL on the home directory of user1 (and friends) that grants read access to superuser. Set the default ACL as well, for newly created files, and also the ACL on existing files.

setfacl -R -m user:superuser:rx ~user1
setfacl -d -R -m user:superuser:rx ~user1

user1 can change the ACL on his files if he wishes.

If you want to always give superuser read access to user1's files, you can create another view of the users' home directories with different permissions, with bindfs.

mkdir -p ~superuser/spyglass/user1
chown superuser ~superuser/spyglass
chmod 700 ~superuser/spyglass
bindfs -p a+rX-w ~user1 ~superuser/spyglass/user1

Files accessed through ~superuser/spyglass/user1 are world-readable. Other than the permissions, ~superuser/spyglass/user1 is a view of user1's home directory. Since superuser is the only user who can access ~superuser/spyglass, only superuser can benefit from this.
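As an added example that is not part of either answer above, the following POSIX shell script carries out the ACL procedure both answers describe (access ACL on existing objects, default ACL for new ones) and checks the result with getfacl. It assumes setfacl and getfacl from the acl package are installed and the filesystem is mounted with ACL support; the grantee is a hypothetical numeric UID (4242) so no real account has to exist, and a temporary directory stands in for ~user1. It uses the capital `X` permission rather than the answers' `x`, so the grantee gets traverse rights on directories without plain data files becoming executable. The bindfs alternative is not covered.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Assumptions: setfacl/getfacl installed, ACL-capable filesystem,
# grantee given as a hypothetical numeric UID (4242 in the demo).

# acl_supported DIR: return 0 if an ACL can actually be set on DIR's filesystem.
acl_supported() {
    probe="$1/.acl_probe.$$"
    : > "$probe" || return 1
    if setfacl -m u:4242:r "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# grant_read_view UID DIR: give UID read + traverse access to DIR and everything
# in it, and make every directory's default ACL hand the same entry to new objects.
# Capital X grants execute only on directories and already-executable files.
grant_read_view() {
    uid="$1"; dir="$2"
    setfacl -R -m "u:${uid}:rX" "$dir" || return 1     # existing files and dirs
    setfacl -R -d -m "u:${uid}:rX" "$dir" || return 1  # default ACL (dirs only)
}

# has_acl_entry UID PATH: return 0 if PATH's access ACL names UID with read.
has_acl_entry() {
    getfacl --omit-header --numeric "$2" 2>/dev/null | grep -q "^user:$1:r"
}

# has_default_entry UID DIR: return 0 if DIR's default ACL names UID with read.
has_default_entry() {
    getfacl --omit-header --numeric "$2" 2>/dev/null | grep -q "^default:user:$1:r"
}

# revoke_read_view UID DIR: remove both the access and the default entries again.
revoke_read_view() {
    uid="$1"; dir="$2"
    setfacl -R -x "u:${uid}" "$dir" && setfacl -R -d -x "u:${uid}" "$dir"
}

# demo: build a constructed stand-in for ~user1, grant the view, then confirm
# that a file created after the grant inherited the entry from the default ACL.
demo() {
    home=$(mktemp -d) || return 1
    mkdir "$home/project"
    echo "notes" > "$home/project/notes.txt"
    if ! acl_supported "$home"; then
        echo "ACLs not supported on $home; nothing to demonstrate" >&2
        rm -rf "$home"
        return 0
    fi
    grant_read_view 4242 "$home" || { rm -rf "$home"; return 1; }
    echo "later" > "$home/project/later.txt"   # created after the grant
    if has_acl_entry 4242 "$home/project/notes.txt" &&
       has_acl_entry 4242 "$home/project/later.txt" &&
       has_default_entry 4242 "$home/project"; then
        echo "UID 4242 can read both files; new files inherit the entry"
        rc=0
    else
        rc=1
    fi
    rm -rf "$home"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo`. Two caveats the checks make visible: the default ACL only influences objects created after it is set (hence the separate recursive pass over existing files), and the owner keeps full control of the ACL, so this is a courtesy arrangement rather than an enforced one, exactly as the second answer notes.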