Create restricted user on Linux, home directory on encrypted partition
Create a user whose sole task is to run some daemon that also needs to store files on disk.
Starting and stopping the daemon, as well as accessing these files, needs to be possible via
Otherwise the user should be locked down as far as possible.
Let's call the user sandy from now on.
There already is an encrypted device that should serve as this user's home.
The following takes place on a Debian server and an Archlinux desktop.
- Create the user: `adduser sandy`, and immediately move all (hidden) files out of its home: `sudo mv /home/sandy/.* /home/` (assuming `/home` does not contain any hidden files of its own, since they would be swept back in later). Caveat: in bash before 5.2 the `.*` glob also expands to `.` and `..`; `mv` refuses those two entries with an error each but still moves the real dotfiles, so the errors can be ignored.
- Unlock & mount the device at `/home/sandy`: `sudo cryptsetup luksOpen /dev/sdX sandy; sudo mount /dev/mapper/sandy /home/sandy`, and move those hidden files back: `sudo mv /home/.* /home/sandy/`. Note that once mounted, the directory carries the ownership and permissions of the filesystem's root (typically `root:root` and world-readable on a fresh filesystem), which the next step fixes.
- Fix permissions and ownership of all files; I recommend removing all permissions from both group and others: `sudo chown -R sandy:sandy /home/sandy; sudo chmod -R go= /home/sandy`. Run both as root rather than after `sudo -iu sandy`: that command opens an interactive login shell, so anything after the `;` only runs once that shell exits, back in your own shell and working directory, and a locked-down sandy should not be able to `sudo` at all.
- Edit the user's shell startup file (`~/.bash_profile`) to set an equally restrictive umask:
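The steps above as one script, added here as an example and not code from the original page. It assumes Debian's `adduser` with `--disabled-password`/`--gecos`, GNU findutils/coreutils (`find -exec ... +`, `mv -t`, `find -perm /077`), a root-only staging directory `/home/<user>.skel` instead of `/home` itself (so the "no hidden files in /home" assumption goes away), and `umask 077` as the umask that matches `chmod go=`; the device `/dev/sdX` is a placeholder. `DRY_RUN=1` prints the privileged commands instead of running them, so the plan can be reviewed before running it as root.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): restricted user with an encrypted home.
# Assumptions: Debian adduser flags, GNU find/mv, staging dir /home/<user>.skel,
# umask 077 as the counterpart of "chmod go=". Run as root, or with DRY_RUN=1 to preview.
set -eu

: "${DRY_RUN:=0}"   # DRY_RUN=1: print privileged commands instead of executing them

# run CMD...: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# move_entries SRC DST: move every entry of SRC (dotfiles included) into DST.
# find is used instead of the ".*" glob, which older bash also expands to "." and "..".
move_entries() {
    local src=$1 dst=$2
    run find "$src" -mindepth 1 -maxdepth 1 -exec mv -t "$dst" -- '{}' +
}

# lock_down_home HOME OWNER GROUP: hand everything to the user, strip group/other bits
lock_down_home() {
    local home=$1 owner=$2 group=$3
    run chown -R "$owner:$group" "$home"
    run chmod -R go= "$home"
}

# home_is_private HOME: succeed only if nothing under HOME has any group/other bit set
home_is_private() {
    local home=$1
    [ -z "$(find "$home" -perm /077 -print -quit)" ]
}

# set_restrictive_umask HOME: append "umask 077" (assumption) to the login profile
set_restrictive_umask() {
    local profile="$1/.bash_profile"
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ echo "umask 077" >> %s\n' "$profile"
    else
        printf 'umask 077\n' >> "$profile"
    fi
}

# setup_encrypted_home USER DEV: the whole procedure, in order
setup_encrypted_home() {
    local user=$1 dev=$2
    local home="/home/$user" stage="/home/$user.skel"
    run adduser --disabled-password --gecos '' "$user"   # Debian adduser (assumption)
    run mkdir -m 700 "$stage"          # root-only staging dir; /home itself stays untouched
    move_entries "$home" "$stage"      # stash the skeleton dotfiles adduser copied in
    run cryptsetup luksOpen "$dev" "$user"
    run mount "/dev/mapper/$user" "$home"
    move_entries "$stage" "$home"      # bring them back onto the encrypted filesystem
    run rmdir "$stage"
    set_restrictive_umask "$home"
    lock_down_home "$home" "$user" "$user"
    home_is_private "$home" || echo "warning: $home still has group/other bits" >&2
}

# usage (as root): ./setup-home.sh sandy /dev/sdX    preview: DRY_RUN=1 ./setup-home.sh sandy /dev/sdX
if [ "$#" -eq 2 ]; then
    setup_encrypted_home "$1" "$2"
fi
```

`home_is_private` is the check worth re-running after any later change to the directory: it fails as soon as one file or subdirectory under the home regains a group or other bit, which is exactly what the umask in `.bash_profile` is meant to prevent for files the daemon creates.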