Ubuntu: default access mode (permissions) for users home dir (/home/user)
When creating a user using useradd --create-home username, the skeleton directory (usually /etc/skel) is copied, including its permissions.
The home directory (/home/username) is subject to the UMASK setting in /etc/login.defs. This is set to 022 by default, so the permissions for /home/username become 755.
Relevant excerpt from the Ubuntu manual page of useradd:
The following configuration variables in /etc/login.defs change the behavior of this tool:
[..]
UMASK (number) The file mode creation mask is initialized to this value. If not specified, the mask will be initialized to 022.
useradd and newusers use this mask to set the mode of the home directory they create
Default permission of user home can be controlled in the following places.
- The skeleton directory option (-k, --skel SKEL_DIR) of useradd.
- SKEL value in /etc/adduser.conf that defines the default skeleton directory.
- DIR_MODE value in /etc/adduser.conf that defines default permissions.
Home directories of new users are created using /etc/skel as a template (default behavior).
Default permission of /etc/skel is 0755 (drwxr-xr-x).
Using a custom skeleton directory with correct permissions will allow new home directories to have desired permissions.
Defaults for adduser are defined in /etc/adduser.conf.
Default value of DIR_MODE in /etc/adduser.conf is 0755.
Changing DIR_MODE to correct permissions (DIR_MODE=0750 or similar) will allow new home directories to have desired permissions.
According to Ubuntu documentation, this seems to be the best option.
Already existing user home directories will need to be manually changed.
sudo chmod 0750 /home/username
So it's a good idea to change /etc/adduser.conf right after the installation to avoid new users getting 0755 (drwxr-xr-x) type permissions.
Still, the very first user created during installation will have 0755 set to its home directory, which should be manually changed.
UMASK in /etc/login.defs is a general setting for files/directories/etc created by users (not only in their home directories), and could get changed depending on USERGROUPS_ENAB in /etc/login.defs.
The official explanation: User Management - User Profile Security
Check other sections of User Management as well.
Related: https://askubuntu.com/questions/46501/why-can-other-users-see-the-files-in-my-home-folder
Note: Don't change the UMASK value in /etc/login.defs if you want to change the home directory permissions only, because changing the UMASK will affect everything.
I once followed the same and when I installed any package system wide using pip it was not accessible to other users and was constantly throwing permission denied, since the default UMASK affected the permission of all the package directories that got created after the changes were applied.
The correct way is to modify DIR_MODE in /etc/adduser.conf. Since /etc/adduser.conf is used in most Linux distros, this solution works for most.
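An added example, not part of any answer above: a small audit that reads the effective DIR_MODE from an adduser.conf-style file and lists home directories that still grant access to other users, covering both the DIR_MODE change and the manual chmod of existing homes. The function names and the alice/bob/carol fixture are constructed for illustration, and GNU stat (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: audit home-directory modes against the adduser DIR_MODE policy.

# Succeeds when an octal mode grants any permission (r, w or x) to "other".
mode_exposes_others() {
    [ $(( 0$1 & 007 )) -ne 0 ]
}

# Print the effective DIR_MODE from an adduser.conf-style file (last
# uncommented assignment wins); fall back to the 0755 default cited above.
configured_dir_mode() {
    [ -r "$1" ] || { echo 0755; return 0; }
    awk -F= '/^[ \t]*DIR_MODE=/ { sub(/[ \t]*#.*/, "", $2); gsub(/[^0-7]/, "", $2); m = $2 }
             END { print (m == "" ? "0755" : m) }' "$1"
}

# Print "MODE PATH" for each real directory directly under $1 that "other" can access.
loose_homes() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] && [ ! -L "${dir%/}" ] || continue
        mode=$(stat -c '%a' "$dir")        # GNU stat, as shipped on Ubuntu
        if mode_exposes_others "$mode"; then
            printf '%s %s\n' "$mode" "${dir%/}"
        fi
    done
}

# Constructed fixture standing in for /etc and /home; no real account is touched.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/alice" "$root/home/bob" "$root/home/carol"
    chmod 0755 "$root/home/alice"
    chmod 0750 "$root/home/bob"
    chmod 0700 "$root/home/carol"
    printf '#DIR_MODE=0700\nDIR_MODE=0755\n' > "$root/etc/adduser.conf"
    echo "$root"
}

demo() {
    fx=$(make_fixture)
    policy=$(configured_dir_mode "$fx/etc/adduser.conf")
    if mode_exposes_others "$policy"; then
        echo "DIR_MODE=$policy: new homes will be accessible to other users"
    fi
    echo "Existing homes to tighten with chmod:"
    loose_homes "$fx/home"
    rm -rf "$fx"
}
demo
```

On a real system, call `configured_dir_mode /etc/adduser.conf` and `loose_homes /home` instead of `demo`.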