Well, what you want is actually much simpler than I interpreted. If all you want is for users to be unable to view a certain directory, then you just need a couple of tips about how directory permissions work.
The first problem you are probably running into is that
/home on FreeBSD is, in fact, a symbolic link, not a directory. The actual directory is located at
/usr/home. If your shell account host runs anything other than FreeBSD, then there is a good chance that this is not the case for them.
The next is a tip on how file permissions work for directories. Directories and files use the same permission set (Read, Write, Execute, Special). Both contain these settings for three different subjects: the owner, a group, and everybody else. However, directories are special. In a directory:
- Read access means you can see the contents of the directory
- Write access means you can create or remove files from the directory
- Execute access means you can traverse the directory
What you, therefore, essentially want is for the users to be unable to read, or write to the directory. However, you want them to be able to traverse the tree, to get to the directory that they need. In your case, I need execute access on
/usr to get to
/usr/home, and then
/usr/home to get to
/usr/home/<username>. However, I do not need read, or write access to these directories.
Since your intention is that users cannot read each others home directories, you just need to make
/usr/home executable, but not readable, or writeable. However,
/home is just a reference to that folder; you do not need to change permissions on
/home. In fact, you need to be able to read a symbolic link to be able to resolve where it is pointing to.
Code:
# ls -ld /home
lrwxr-xr-x 1 root wheel 8 Apr 30 11:05 /home -> usr/home
# ls -ld /usr/home
drwxr-xr-x 4 root wheel 512 Apr 30 11:05 /usr/home
# ls -l /usr/home
total 8
drwxr-xr-x 2 user_a user_a 512 Apr 30 11:05 user_a
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 user_b
This is what the setup looks like by default. As you can see, all the directories (
/usr/home,
/usr/home/user_a, and
/usr/home/user_b) are readable, and executable, by all parties. That is to say, the
other field on all three is "r-x".
If we run,
# chmod o-r /usr/home # remove the read bit from other on the node
Then, we have this situation:
Code:
$ whoami
user_a
$ ls -l /usr/home
total 0
ls: /usr/home: Permission denied
$ ls -la /usr/home/user_b
total 40
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 .
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 ..
[ -- skipped some output for brevity -- ]
-rw-r--r-- 1 user_b user_b 980 Apr 30 11:05 .shrc
The problem is that a user can still read the other user's directory, if he knows where it is. To stop this, all user directories must be set inaccessible by
other. For example,
# chmod o-rx /usr/home/user_b
Delivers:
Code:
$ whoami
user_a
$ ls -la /usr/home/user_b
total 0
ls: /usr/home/user_b: Permission denied
You would need to perform that for all directories. The problem is that users can change permissions on directories they own. Also, if you do not perform the step of making all the home directories inaccessible to
other, then there are other means to enumerate the users than just
/bin/ls in
/usr/home. As you can see in the following, it is easy for a user to make their directory accessible again:
Code:
$ whoami
user_b
$ chmod o+rx /usr/home/user_b
# ls -ld /usr/home/user_b
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 /usr/home/user_b
One option is to do the following:
Code:
# chown root /usr/home/user_b
# chmod g+w,o-rx /usr/home/user_b # let group write, remove read/execute from other
# ls -ld /usr/home/user_b
drwxrwx--- 2 root user_b 512 Apr 30 11:05 /usr/home/user_b
# su - user_b
$ chmod o+rx /usr/home/user_b
chmod: /usr/home/user_b: Operation not permitted
$ ls
$ touch file
$ ls -l
total 0
-rw-r--r-- 1 user_b user_b 0 Apr 30 11:07 file
That will stop users changing permissions on their home directory. There are still areas of the system where they can share files, and they can still view most files on the system. They just would not be able to view each others' home directories.
A quick summary:
Stop users listing the contents of
/usr/home. Do not remove the execute bit, as they will not be able to reach their home directories. Note that this alone is not much use, as there are many other ways to list users on a system. It literally just stops users that do not own the file, or are not in the group the file belongs to, from reading the contents on the directory. In this case, the owner is
root, and the group
wheel
# chmod o-r /usr/home
Change the ownership of the home directories to
root.
# chown root /usr/home/<username>
Make the home directory
group writeable, but not accessible to
other.
# chmod g+w,o-rx /usr/home/<username>
IMPORTANT NOTE: This requires each user have their own primary group. If they share a primary group, then they will all be able to edit each others' home directories.
I know that was a bit long, so if you are unsure, ask before you enact any of the above advice. Hope this helps.