I just added a new, underprivileged "desktop user," and I was surprised to discover that it can see the files in my home folder.
What is the rationale for setting up such lax permissions?
A `Public` folder exists in your Home directory (`/home/user`) for sharing files with other users. If another user wants to get access to this `Public` folder, the execute bit for the world should be set on the Home directory.

If you do not need to allow others to access your home folder (other humans or users like `www-data` for a webserver), you'll be fine with `chmod o-rwx "$HOME"` (remove read/write/execute from "other", equivalent to `chmod 750 "$HOME"` since the default permission is 750). Otherwise, you should change the `umask` setting too to prevent newly created files from getting read permissions for the world by default.

For a system-wide configuration, edit `/etc/profile`; per-user settings can be configured in `~/.profile`. I prefer the same policy for all users, so I'd edit the `/etc/profile` file and append the line:

You need to re-login to apply these changes, unless you're in a shell. In that case, you can run `umask 027` in the shell.

Now to fix the existing permissions, you need to remove the read/write/execute permissions from other:

Now if you decide to share the `~/Public` folder to everyone, run the next commands:

- `chmod o+x ~` - allow everyone to descend in the directory (`x`), but not get a directory listing (`r` should not be added)
- `find ~/Public -type f -exec chmod o+r {} \;` - allow everyone to read the files in `~/Public`
- `find ~/Public -type d -exec chmod o+rx {} \;` - allow everyone to descend into directories and list their contents

If you use GNU coreutils (e.g. on Ubuntu, not on an embedded system having only `busybox`), then the previous two commands using `find` and `chmod` can be replaced by this single command that recursively makes folders and files readable (and additionally adds the execute (descend) bit for directories only):

According to an Ubuntuforms.org staff member, it is to make it easier to share files between new users.
You can change the permission to either 700 or 750 if you don't want the files readable and executable by others.
Command is:
Note: Ubuntu default is 755
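Added example, not code from any of the answers above: a POSIX shell script that applies the policy described in Lekensteyn's answer and the 700/750 answer (lock the home directory, use umask 027 for new files, then share only `Public` via the `find` commands) to a constructed throwaway tree instead of a real home. It assumes GNU coreutils (`stat -c`) on Linux; the function names are mine.

```shell
#!/bin/sh
# Constructed demo: apply the home-directory policy to a throwaway tree,
# never to a real $HOME. Assumes GNU coreutils (stat -c) on Linux.
set -e

# Octal permission bits of a path.
mode_of() { stat -c '%a' "$1"; }

# Fake home: world-readable (755, the old Ubuntu default) with a private
# file and a Public folder whose contents were created under umask 027.
make_fake_home() {
    h=$(mktemp -d)
    mkdir -p "$h/Public/sub" "$h/private"
    printf 'secret\n' > "$h/private/notes.txt"
    printf 'shared\n' > "$h/Public/readme.txt"
    printf 'shared\n' > "$h/Public/sub/deep.txt"
    chmod 755 "$h"
    chmod 750 "$h/Public" "$h/Public/sub" "$h/private"
    chmod 640 "$h/private/notes.txt" "$h/Public/readme.txt" "$h/Public/sub/deep.txt"
    echo "$h"
}

# Step 1: drop read/write/execute for "other" on the home itself (755 -> 750).
lock_home() { chmod o-rwx "$1"; }

# Step 2: with umask 027 in effect, a new file gets 666 & ~027 = 640.
# Runs in a subshell so the caller's umask is untouched; prints the mode.
create_with_umask() {
    ( umask 027; : > "$1/newfile"; mode_of "$1/newfile" )
}

# Step 3: share only Public: others may traverse the home (x but not r),
# read every file under Public, and list Public's subdirectories.
share_public() {
    chmod o+x "$1"
    find "$1/Public" -type f -exec chmod o+r {} \;
    find "$1/Public" -type d -exec chmod o+rx {} \;
}
```

After `share_public`, the home is 751 (traversable, not listable), everything under `Public` is world-readable, and `private/` keeps its 750/640 modes.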
Ubuntu 21.04 and later releases have a secure default, see this blog article (archived link) linked by stackprotector in the comments section:

However, the article implies that users created on Ubuntu < 21.04 will not be fixed automatically, even after applying security updates or upgrading to Ubuntu 21.04 or later. These users can be corrected by hand, with the following commands taken from the article.
To fix all existing users:
To fix the default for users that will be created in the future:
For Ubuntu < 21.04:
According to Mark Shuttleworth, Canonical's founder and CEO,
... from removing those permissions.
You can read the User Management section of the Ubuntu Server Guide which covers the necessary details. The User Profile Security paragraph will probably answer your questions - officially.
I think Lekensteyn's answer can be improved by replacing the last two `find` commands with `chmod` using the `-X` option (note the capital X). The two `find` commands can be replaced with

`chmod -R o+rX ~/Public`
This differentiates appropriately between files and directories, but does have the additional effect of allowing others to run executable files.
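Added example, not code from the answer above: a POSIX shell script that runs both variants (the two `find` commands from Lekensteyn's answer and the single `chmod -R o+rX`) on a constructed `Public` tree containing one owner-executable script, so the side effect described above is visible in the resulting modes. It assumes GNU coreutils on Linux; the function names are mine.

```shell
#!/bin/sh
# Constructed demo of the caveat above: chmod -R o+rX versus the two find
# commands, on a Public tree holding one owner-executable script.
# Assumes GNU coreutils on Linux; function names are mine.
set -e

mode_of() { stat -c '%a' "$1"; }

# Public as if created under umask 027: dirs 750, plain file 640, and a
# script the owner made executable (750).
make_public() {
    d=$(mktemp -d)
    mkdir -p "$d/Public/tools"
    printf 'hello\n' > "$d/Public/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$d/Public/tools/run.sh"
    chmod 750 "$d/Public" "$d/Public/tools" "$d/Public/tools/run.sh"
    chmod 640 "$d/Public/notes.txt"
    echo "$d"
}

# Variant A (Lekensteyn's answer): files get o+r only, directories o+rx.
# run.sh ends up 754: readable by others, but not runnable by them.
share_with_find() {
    find "$1/Public" -type f -exec chmod o+r {} \;
    find "$1/Public" -type d -exec chmod o+rx {} \;
}

# Variant B: one recursive chmod. Capital X adds execute for "other" on
# directories AND on any file that already has an execute bit, so
# run.sh ends up 755 and other users can run it.
share_with_X() { chmod -R o+rX "$1/Public"; }

# Exit status 0 when "other" has the execute bit on the given path.
others_can_exec() {
    case "$(stat -c '%A' "$1")" in
        *x) return 0 ;;
        *)  return 1 ;;
    esac
}
```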
Since it is privacy that interests you (judging from the tags that were applied) it is very possible that setting permissions is insufficient (see ignis's answer). The answer may be something along the lines of an encrypted home directory. This solution is specifically designed against the attack by another user of a computer. It will, of course, be unable to stop another user from damaging your files (by simply removing the `~/.Private` directory, thus erasing all of your files), but they will be unable to mount the directory and see the files without your password.

The easiest way to achieve that is during the installation process, there is a check box, stating "Encrypt your home directory" and you need to select that.
Since it is unlikely that you will want to reinstall just for that (and because it still carries all the risks that are entailed with doing it without reinstall), you can do the following:
If you really need a high level of security: please re-install and make sure to choose the option to encrypt your entire disk. This will require a passphrase to even start the machine. You may of course also encrypt your home folder once more on top of this, with some performance degradation; though not noticeable for normal use.
Please note, that encrypting your home folder will disable applications like Dropbox. Dropbox is not secure storage that respects privacy anyway, so that may be a trite point. However, if you do need secure and private storage in the cloud, I would personally recommend MEGAsync since only you would have the keys to access the data.