Ubuntu Fundamentals: home directory

The Home Directory: A Production Deep Dive on Ubuntu

Introduction

A recent production incident involving a compromised user account stemmed from improper home directory permissions and a lack of robust auditing. The root cause wasn’t a vulnerability in a service, but a fundamental misunderstanding of how home directories interact with the system, particularly in a cloud-based environment utilizing ephemeral VMs. This incident highlighted a critical gap: even experienced engineers often treat the home directory as a simple user storage space, overlooking its central role in authentication, authorization, and system security. This post aims to provide a comprehensive, production-focused exploration of the home directory in Ubuntu and Debian-based systems, moving beyond basic usage to address the intricacies vital for maintaining a secure and performant infrastructure. We’ll focus on LTS production usage, assuming a mix of physical servers, cloud VMs (AWS, Azure, GCP), and containerized environments.

What is "home directory" in Ubuntu/Linux context?

The home directory, typically /home/<username>, is the default landing point for a user upon login. It’s more than just a storage location; it’s a critical component of the user’s environment. It’s defined in /etc/passwd, specifically the seventh field, which specifies the user’s shell and home directory path.

Ubuntu, inheriting from Debian, adheres to the Filesystem Hierarchy Standard (FHS). Key files and directories within a home directory include:

• .bashrc: Bash shell initialization script.
• .profile: Executed for login shells.
• .ssh: Contains SSH keys and configuration.
• .config: Stores application-specific configuration files.
• .local: Used for user-specific applications and data.

Distro-specific differences are minimal, but Ubuntu’s default desktop environment (GNOME) adds additional configuration files within .config. System tools heavily involved include useradd, usermod, passwd, chown, chmod, su, sudo, and PAM (Pluggable Authentication Modules). The login service, managed by systemd, is responsible for handling user authentication and setting up the environment, including mounting the home directory if it’s on a separate partition.

Use Cases and Scenarios

1. Cloud Image Customization: When building custom cloud images (e.g., using Packer), pre-configuring user accounts and their home directories is essential for automation and security. This includes setting appropriate permissions, installing necessary tools, and configuring SSH keys.
2. Containerized Environments: While containers are often stateless, persistent data, including user configurations, may need to be stored in volumes mounted to the container’s home directory. Proper volume management and permission control are crucial.
3. Secure Remote Access (SSH): The .ssh directory and its contents are paramount for secure remote access. Incorrect permissions (e.g., world-writable) can create significant security vulnerabilities.
4. Centralized Home Directory Management (NFS/AFS): In large environments, centralizing home directories using NFS or AFS simplifies management and provides a consistent user experience across multiple servers. This introduces complexities around network latency and authentication.
5. Ephemeral VMs & User Data Preservation: In cloud environments with ephemeral VMs, preserving user data requires integrating with object storage (e.g., AWS S3, Azure Blob Storage) and automating the restoration of home directories upon VM creation.

Command-Line Deep Dive

• Creating a user: sudo useradd -m -d /home/newuser -s /bin/bash newuser (creates a user with a home directory and bash shell).
• Modifying home directory: sudo usermod -d /new/home/path -m username (moves the home directory and updates /etc/passwd). The -m flag moves the contents; omitting it only updates the path in /etc/passwd.
• Checking permissions: ls -ld /home/username (shows permissions and ownership). A typical secure configuration is drwx------.
• Auditing SSH access: grep 'Accepted password' /var/log/auth.log or journalctl -u sshd (examine SSH authentication logs).
• Finding large files: du -hsx /home/* | sort -rh | head -10 (finds the 10 largest directories/files in /home).

• SSH config snippet (/etc/ssh/sshd_config):
  

  Match User specificuser
      ChrootDirectory /home/specificuser
      ForceCommand internal-sftp
      AllowTcpForwarding no
      X11Forwarding no
  

  (This example demonstrates chrooting a user to their home directory for enhanced security).

System Architecture

graph LR
    A[User] --> B(SSH/Login Service);
    B --> C{PAM};
    C --> D[/etc/passwd];
    C --> E[/etc/shadow];
    B --> F[/home/<username>];
    F --> G[Shell (bash, zsh)];
    G --> H[Applications & Configuration Files];
    B --> I(systemd);
    I --> J(journald);
    F --> K(Filesystem - ext4, XFS);
    K --> L(Disk/Storage);

The diagram illustrates the flow of authentication and environment setup. The user interacts with a login service (SSH, console login), which utilizes PAM for authentication against /etc/passwd and /etc/shadow. Upon successful authentication, the login service sets up the user’s environment, including mounting and accessing the home directory. Systemd manages the login service and logs events to journald. The filesystem (ext4, XFS) provides the underlying storage for the home directory.

Performance Considerations

Home directories can become performance bottlenecks, especially with a large number of users or large files. I/O operations within the home directory directly impact user experience.

• I/O Monitoring: iotop -oPa (shows I/O activity per process, ordered by I/O usage).
• CPU Usage: htop (provides a real-time view of CPU usage and process activity).
• Filesystem Performance: iostat -x 1 (reports filesystem statistics, including read/write speeds).
• Sysctl Tuning: sysctl vm.vfs_cache_pressure (adjusts the kernel’s tendency to reclaim memory used for caching directory and inode information). Lower values increase caching, potentially improving performance but consuming more memory.
• Filesystem Choice: XFS generally performs better than ext4 for large files and high I/O workloads.
• SSD vs. HDD: Using SSDs for home directories significantly improves I/O performance.

Security and Hardening

• Permissions: chmod 700 /home/username (restricts access to the user only). Never allow group or world write access.
• AppArmor: Create AppArmor profiles to restrict the actions that applications within the home directory can perform.
• Fail2ban: Monitor SSH logs for failed login attempts and automatically ban malicious IPs. fail2ban-client status sshd
• UFW: Configure UFW to restrict SSH access to specific IP addresses or networks. sudo ufw allow from 192.168.1.0/24 to any port 22
• Auditd: Use auditd to track file access and modification within home directories. auditctl -w /home/username -p rwa -k home_dir_access
• Regular Audits: Periodically audit home directory permissions and ownership.

Automation & Scripting

Ansible Example:

- name: Create user with secure home directory
  user:
    name: "{{ username }}"
    home: "/home/{{ username }}"
    shell: /bin/bash
    createhome: yes
    state: present
  become: yes

- name: Set home directory permissions
  file:
    path: "/home/{{ username }}"
    owner: "{{ username }}"
    group: "{{ username }}"
    mode: '0700'
    recurse: yes
  become: yes

This Ansible playbook creates a user with a home directory and sets secure permissions. The become: yes directive ensures the tasks are executed with root privileges.

Logs, Debugging, and Monitoring

• journalctl -u sshd: Examine SSH daemon logs for authentication issues.
• dmesg: Check for filesystem errors or hardware issues.
• lsof /home/username: List open files within the home directory.
• strace -p <pid>: Trace system calls made by a process accessing the home directory.
• /var/log/auth.log: Traditional authentication logs (may be used in addition to journald).
• System Health Indicators: Monitor disk space usage in /home using tools like df -h.

Common Mistakes & Anti-Patterns

1. World-writable home directories: chmod 777 /home/username (Incorrect. Should be 700).
2. Using default SSH keys: Relying on default SSH keys instead of generating unique keys for each user.
3. Storing sensitive data in plain text: Storing passwords or API keys directly in home directory files.
4. Ignoring .ssh/authorized_keys permissions: Incorrect permissions on authorized_keys can allow unauthorized access.
5. Not regularly auditing home directory permissions: Permissions can drift over time due to accidental changes.

Best Practices Summary

1. Enforce 700 permissions: Restrict access to the user only.
2. Use SSH key-based authentication: Disable password authentication.
3. Implement AppArmor profiles: Restrict application behavior.
4. Centralize logging: Use journald and forward logs to a central logging server.
5. Regularly audit permissions: Automate permission checks.
6. Monitor disk space usage: Prevent disk full errors.
7. Use a dedicated filesystem: Consider a separate filesystem for /home.
8. Implement a robust backup strategy: Protect user data.
9. Automate user provisioning: Use Ansible or cloud-init.
10. Employ chroot environments where appropriate: For increased security.

Conclusion

The home directory is a foundational element of a secure and reliable Ubuntu system. Treating it as a simple storage location is a critical oversight. By understanding its intricacies, implementing robust security measures, and proactively monitoring its performance, we can significantly reduce the risk of security breaches and ensure a stable and productive environment. Actionable next steps include auditing existing systems for permission misconfigurations, building automated provisioning scripts, and establishing comprehensive monitoring and alerting for home directory-related events. Continuous vigilance and a deep understanding of these principles are essential for maintaining a secure and well-managed infrastructure.