Home / ubuntu / Questions / 7994
Accepted
ixtmixilix
Asked: 2010-10-18 11:48:54 +0800 CST

How can I create a new user with the equivalent of a Windows guest-user's permissions?

  • 772

Basically, I want the new user to have only a few permissions -- can't read the normal users' home directories, can only read or write files to one directory (can only read or write /home/user/... can not read or write /home/me/ or read or write /home/someoneelse/. That's a common setup for schools and universities which run Windows networks. It seems like it should be simple in Ubuntu.

10.10 filesystem permissions adduser

3 Answers

  1. Best Answer

    I don't know anything about that other operating system's "guest user permissions" but for Ubuntu you can create users with any privileges you like. On the other hand, there exists a "guest session" which can be accessed from an already started session. Both are described here.

    Other than the permissions you give to the new users which you create, I advice you to set your home directories access permissions from your side (in a positive way, in some sense; by setting your rules for your your directory itself; don't rely on the guest users' "less-privileged" situation.) To do that, go to /home, right click the home directory you like to set, go to properties, go to permissions and set them as you like. This can be done via command line as well.

    • 2

  2. In ubuntu, most files can be read by anyone and files can only be written/changed by the owner.

    So the write permissions are ok by default. If you want to change the read permissions: do the following:

    Say you have a file \home\user\file.txt, which has normal permissions. If you execute

     cd /home/user
 ls -l file.txt

    you'll see something like

     -rw-r--r-- 1 user group  45655 2010-01-16 17:21 file.txt

    This means:

    • rw = read and write permissions for the user "user",
    • r = read permissions for the group "group"
    • r = read permissions for anybody else.

    The default group is the group which only has "user" as a member. So you only need to change the r permission for anybody else, do it as following:

     cd /home/user
 chmod o-r file.txt
    • chmod = change modifiers, change the permissions
    • o = all the others (not the user and not in the group)
    • -r = delete the read permission

    If you now execute

    ls -l file.txt

    you should see

    -rw-r----- 1 user group  45655 2010-01-16 17:21 file.txt

    So the last 'r' is deleted. You may use wildcards in your command like 

    chmod o-r f*

    will change all files that start with 'f'. If you want to use it on a complete directory, including all subdirectories, you need to add the '-R' (recursive) parameter:

    chmod o-r -R /home/user

    will delete the read rights from the complete /home/user directory for every user who's not the owner or in the group.

    I don't recommend changing system directories, but if you do, you'll need to add "sudo" before your command. There is no important information in system directories, so having them unwritable is enough.

    final answer:

    sudo chmod o-r -R /home/*
    • 1

  3. You can use umask such that file permissions are set to only allow the file owners access to their files automatically.

    You could also use extended attributes.

    And I guess it should be possible to protect a guest session with technologies like SELinux or AppArmor too.

    • 0