How to Password-Protect Folders and Files in Linux


Suppose you share your laptop with various classmates or coworkers. You have administrative rights on the machine, but you have a small fear that their prying eyes could get into a directory you don’t want them to see. It may be in your interest to password-protect that folder.

When using Linux you can restrict users from file access with a few simple commands. This article will discuss the benefits and limitations of using file ownership and groups as a password-protection measure.

Creating a New User

Unix-based machines utilize a directory structure that makes use of ownership to allow and prevent access to files. Your user, for example, is likely granted a home directory, “/home/username”, and has specific rights on your machine. It may own files and folders in that home directory, so it can access them freely. In contrast, it can’t freely access files the root user owns.

Examination of a root-owned directory may reveal its permissions, owner, and group as something like drw------- root root, meaning the root user can read and write in that directory but all other users cannot. When you try to use files in that directory, you will need to either change to the root user or give yourself superuser privileges – both of which should require a password.

You can use that same logic to password-protect a directory you care about. Try it now by creating a new user named “protector”:

sudo useradd --no-create-home protector

This command will make a new user without a home directory (since you won’t need it for the purpose of password protection). Then make sure to give your new user a strong password:

sudo passwd protector


Change Directory Ownership

Once you have created a new password-protected user, you can modify your secret directory.

Use the chown tool to change a directory’s owner. In this case I’ll change the owner of my sample “testdir” directory from root to protector with the command:

sudo chown -R protector:protector testdir/


Syntax for Chown follows the pattern chown [owner][:[group]] file.... In this example, the test directory changes from “root:root” owner and group ownership to “protector:protector.”

I used the -R option here to recursively enter testdir and change testfile. If you omit -R, chown will only modify the directories and files you specify.

Read, Write, and Execute Permissions

Changing the group, like I did here, is not strictly necessary. You can just use chown [owner] file if you wish.

Why? Because in this step you will use Chmod to remove the file permissions for everyone except the owner, whether or not they belong to the file’s group.


Chmod follows the syntax chmod [mode] file. Because protector now owns the directory, you need sudo to change its permissions:

sudo chmod -R og-rwx testdir/


The og-rwx part of that command first selects who is affected: g, users who are not the owner but belong to the file’s group, and o, users who are not part of the file’s group. The minus sign then removes their read, write, and execute permissions, -rwx. The permissions for the directory and the file inside it change accordingly.

At this point, only the owner of the file, which was specified before with Chown, can read or write the file in my testdir directory. All other users will be denied access or asked to provide a password.
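To confirm that the Chown and Chmod steps took effect across the whole tree, the following check (an added example, not part of the original article) lists anything under the directory that is not owned by the protecting user or that still grants group or other permissions. The function name audit_locked_dir is hypothetical; the check assumes GNU find and should be run with sudo so that find can descend into the locked directory.

```shell
#!/bin/sh
# Added example: audit a directory locked down with chown/chmod as above.
# Usage (assumed file name): sudo sh audit.sh testdir protector
#
# audit_locked_dir DIR OWNER
#   prints every path under DIR (DIR included) that is not owned by OWNER
#   or that still has any group/other permission bit set
#   returns 0 = clean, 1 = findings printed, 2 = audit could not run
audit_locked_dir() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "audit: not a directory: $dir" >&2
        return 2
    fi
    # -perm /077 matches when at least one group/other rwx bit is set.
    # Symlinks are skipped: their own mode bits are not used for access checks.
    # A find error (unknown user, unreadable subdirectory) must not be
    # mistaken for a clean result, so it is reported separately.
    findings=$(find "$dir" ! -type l \( ! -user "$owner" -o -perm /077 \) -print) || {
        echo "audit: find failed (unknown user or unreadable path; try sudo)" >&2
        return 2
    }
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit when the script is called with DIR and OWNER.
if [ "$#" -eq 2 ]; then
    audit_locked_dir "$1" "$2"
fi
```

A file copied into the directory later with default permissions, or a chown run without -R, shows up here as a finding.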

Limitations

You will run into some problems with this approach. The Chown and Chmod steps only help protect your files if you take additional security measures.

First, since you will need to use root permissions (with the root user or with sudo) to access your secret folder, you cannot stay logged in as root or as any other user with admin rights while others use your computer.

Second, your own user and root should have passwords protecting them.

Third, your own user, if it can use sudo for administrative privileges, must require that you type a password to use those privileges. You should also be aware that there is often a default session period where, if you use the sudo command and type a password, you won’t have to type it again until the session elapses.

Fourth, all users with administrative access must log out when leaving the computer alone.

Conclusion

What you get with this approach is a method of protection that doesn’t require encryption. It works reasonably well, assuming you can keep an eye on your computer when it’s in use, but it also suffers from flaws like visibility and a lack of encryption.

In short, any root user that happened to gain access to your system through a root login or even a live CD would have the chance to find and read your files.

Feel free to use Chown and Chmod for quick protection. Just don’t rely on them for hardened security. You should turn to full encrypted disks or userspace encryption schemes for a better, more permanent fix.


Casey Houser

I have worked as a professional writer since 2011. I like to compose my articles in Vim, which I also use for hobbyist C and Ruby projects. When I'm not in front of a text editor, I run, bike, and play tennis until I'm too tired to move.