MattyMoose - 8:32 pm on Sep 20, 2005 (gmt 0)
Definitely!

By default, most UNIX systems will not allow a user to modify another user's home directory. But the easiest way, when you create the user, is to put them in their own group. So, for example, user jedi would belong only to the group jedi. This way, the permissions for your home directory would look like:

    drwxr-x--- 79 jedi jedi /home/jedi

If it doesn't look like that, but more like:

    drwxr-xr-x 79 jedi jedi /home/jedi

Then that means that "other" (i.e. everyone else) can read that directory. So, what you'd do is:

    chmod 750 /home/jedi

That will set the permissions properly.

Then let's say you make a user for me, called moose. You put me only into the moose group, and repeat the above steps. Because I'm not the user 'jedi' and I'm not in the group 'jedi', I'm part of the 'other' group when it comes to reading the contents of your /home/jedi. It will block me with an access denied.

This won't stop users from seeing what's in /tmp and any other directories that are misconfigured, or are intentionally left open.

If you wanted to have moose and jedi be friends, and be allowed to write to each other's directories, you could create a new group, called "moosejedi", and make them both a part of the "moosejedi" group, change the group ownership of /home/jedi and /home/moose to:

    drwxrwx--- 79 jedi moosejedi /home/jedi
    drwxrwx--- 79 jedi moosejedi /home/moose

That way anyone that's a member of 'moosejedi' can write to those directories.

Things get a little more complicated once you start wanting to assign multiple group permissions to a single file or folder. That's where Extended ACLs [en.wikipedia.org] come into play, but not all filesystems and Operating Systems use them or understand them.

Hope that helped!
Matt
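
The check and fix described in the post above, as an added example that is not part of the original post: it reads the "other" permission bits from `ls -ld` and applies `chmod 750` only where they are not `---`. The function names and the scratch directories under `mktemp` are assumptions made for illustration, so it runs without root and touches nothing under /home.

```shell
#!/bin/sh
# Added example: audit and fix the "other" permission bits on home directories.
# Works on scratch directories created with mktemp (constructed sample data).

# Print the 10-character mode string from ls -ld, e.g. drwxr-x---
# (cut drops the trailing "+" or "." some systems add for ACLs/SELinux).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Print the last three characters: the permissions for "other".
other_bits() {
    mode_string "$1" | cut -c8-10
}

# Succeed (exit 0) when "other" has no access at all.
is_private() {
    [ "$(other_bits "$1")" = "---" ]
}

# Apply the chmod 750 fix only when it is needed, and report what happened.
lock_down() {
    if is_private "$1"; then
        echo "ok     $(mode_string "$1") $1"
    else
        before=$(mode_string "$1")
        chmod 750 "$1"
        echo "fixed  $before -> $(mode_string "$1") $1"
    fi
}

# Build two stand-in home directories and run the audit over them.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/jedi" "$scratch/moose"
    chmod 755 "$scratch/jedi"     # readable by "other", like the second listing
    chmod 750 "$scratch/moose"    # already private, like the first listing
    for home in "$scratch"/*; do
        lock_down "$home"
    done
    rm -rf "$scratch"
}

demo
```
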