LinuxQuestions.org


mashcaster 12-17-2008 07:40 AM

User Accounts
 
Now that I have password protected the BIOS, changed the BIOS settings so the PC will not boot from anything except the master HDD, padlocked the case so the BIOS cannot be reset by changing the jumper, changed the BIOS settings to alert me if the case has been tampered with, and installed Debian on an encrypted file system.

How do I set up a multi-user machine where each user's files, folders, program settings, and temporary files are protected, hidden, and locked from the other users?

pixellany 12-17-2008 08:24 AM

Maybe you should also lock it in a concrete vault guarded by 5 hungry dogs.....;)

Seriously, go into a terminal, su to root, and enter "adduser". The default creation of a new user will do most of what you want. I think the only thing you might need to change is the permissions. Do this in /home, using chmod -R <flags> username. This changes the permissions for the "username" directory and everything inside.

acid_kewpie 12-17-2008 08:24 AM

This is a default of a normal Linux environment. One user would not be able to see another user's /home/username/ directory.

jschiwal 12-17-2008 08:36 AM

Make sure their umask setting masks out the permissions of others. I don't know if the /tmp/kde-<username>/ directory will be private otherwise. Use a umask command in the default /etc/profile file.

mashcaster 12-17-2008 09:31 AM

Quote:

Originally Posted by pixellany (Post 3378509)
Maybe you should also lock it in a concrete vault guarded by 5 hungry dogs.....;)

hmmm, interesting thought!

Might need to think about implementing that mission impossible environment, only without the hatch in the ceiling...

mashcaster 12-17-2008 09:32 AM

Quote:

Originally Posted by acid_kewpie (Post 3378510)
This is a default of a normal Linux environment. One user would not be able to see another user's /home/username/ directory.

In the last distro I tried, this was not the case.

mashcaster 12-17-2008 09:33 AM

Quote:

Originally Posted by jschiwal (Post 3378519)
Make sure their umask setting masks out the permissions of others. I don't know if the /tmp/kde-<username>/ directory will be private otherwise. Use a umask command in the default /etc/profile file.

I'll have to look into this.

jschiwal 12-17-2008 11:26 AM

OpenSuSE uses the "users" group as the default group for new users. That is the first thing I fix, even though I'm the only user! It's the principle. You are still using the basic owner/group/permissions model however.

mashcaster 12-17-2008 03:03 PM

Why am I able to see the other user's folder, and why am I able to click through the other user's folders and even open the user's files?

http://img266.imageshack.us/img266/5...eenshothw0.png

What I cannot do is edit anything.

This is not good default behavior.

jschiwal 12-17-2008 03:12 PM

What are the user's permissions in /home? Look at "ls -ld /home/*".

Make sure that the group owner is unique. Make sure that the other's permissions on the directories in home don't allow any access.

Your picture only shows the home directories for the two users. It doesn't show you entering them. Seeing the users' home directories in /home is normal.

mashcaster 12-17-2008 03:19 PM

Quote:

Originally Posted by jschiwal (Post 3378985)
What are the user's permissions in /home? Look at "ls -ld /home/*".

Make sure that the group owner is unique. Make sure that the other's permissions on the directories in home don't allow any access.

I did

chmod -R 0711 /home

user@debian:~$ su
Password:
debian:/home/user# ls -ld /home/*
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
debian:/home/user#

Is that the best way?

mashcaster 12-17-2008 03:22 PM

Quote:

Originally Posted by jschiwal (Post 3378985)
Your picture only shows the home directories for the two users. It doesn't show you entering them. Seeing the users' home directories in /home is normal.

It may be normal, but why am I able to get into the other person's folders and open their files? That can't be normal, can it?

rweaver 12-17-2008 03:35 PM

Quote:

Originally Posted by mashcaster (Post 3378995)
I did

chmod -R 0711 /home

user@debian:~$ su
Password:
debian:/home/user# ls -ld /home/*
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
debian:/home/user#

Is that the best way?

Those permissions mean this:

d <- Directory
rwx <- Read Write eXecute for User
--x <- eXecute for Group
--x <- eXecute for Everyone

For directory purposes read means being able to list contents, write means delete and create new contents, and execute means you can make the directory your current working directory.

For file purposes read means being able to view the contents of the file, write means being able to change the contents of the file, and execute means being able to run the file (binary or script).

There are also special permissions you can set additionally, but we'll avoid those for the moment being as they're not presently relevant.

For the purposes of what you're looking to do you pretty much want any personally owned directories to be permissions 700 and shared directories (that they don't need to be able to list the contents of) to be 711. For file permissions you're pretty much looking at a unilateral 600. Things won't get real tricky till you attempt to deal with /tmp.

Try this:

chmod 700 /home/user /home/user2

Permissions for files and folders work slightly differently. If you wish to make it so users can't see the home directories you'll have to deny them the ability to get a directory listing for the /home directory or chroot them into their home directory.

chmod 711 /home

Will remove the users' ability to get a directory list in /home but still be able to access content under their own directory.

Of course, if you are logged in as root or a given program is functioning as root you more or less can do anything you please.

Putting a restrictive umask will be necessary if you want to keep things remaining relatively private.

It looks like you're using umask 066, you want to use umask 077 most likely.

Code:

me@here$ umask 066 && mkdir foo && touch bar
me@here$ umask 077 && mkdir foo2 && touch bar2
me@here$ ls -l
total 8
-rw------- 1 me me    0 2008-12-17 13:54 bar <- (Effective chmod 600)
-rw------- 1 me me    0 2008-12-17 13:54 bar2 <- (Effective chmod 600)
drwx--x--x 2 me me 4096 2008-12-17 13:54 foo <- (Effective chmod 711)
drwx------ 2 me me 4096 2008-12-17 13:54 foo2 <- (Effective chmod 700)
me@here$

However, remember umask only works on newly created directories and files after it is set. You probably want to set it in the system-wide profile for what you're attempting to do. Also remember this kind of security is only as good as being able to prevent the user from getting root access... if they can sudo or su to root they can circumvent all the safeguards you're putting in place completely. Make your root password *very* secure. Keep the system completely updated.
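
An added example, not part of the thread or of any poster's reply: a way to find everything under the home directories that is looser than the 700/600 layout described above, and to tighten it without making files executable. It assumes GNU find and stat as on Debian; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and lock down per-user home directories.
# Assumes GNU find and stat (as on Debian). Every path is constructed
# under a temporary directory; the real /home is never touched.

# Print "mode path" for each entry that grants any bit to group or other,
# i.e. anything looser than 700 (directories) or 600 (files).
exposed_entries() {
    find "$@" ! -type l -perm /077 -exec stat -c '%a %n' {} +
}

# Clear all group/other bits and leave the owner's bits alone.
# Unlike "chmod -R 0711", this does not mark every regular file executable.
lock_down() {
    chmod -R go= "$@"
}

# Build a constructed home tree for two users under a permissive umask
# and print its path.
make_sample_home() {
    sample_root=$(mktemp -d) || return 1
    (
        umask 022
        mkdir -p "$sample_root/home/user/docs" "$sample_root/home/user2"
        echo "private notes" > "$sample_root/home/user/docs/notes.txt"
        echo "secret" > "$sample_root/home/user2/todo.txt"
    )
    echo "$sample_root/home"
}

demo() {
    demo_home=$(make_sample_home) || return 1
    echo "Exposed before:"; exposed_entries "$demo_home"/*
    lock_down "$demo_home"/*
    chmod 711 "$demo_home"
    # Files created later stay private only under a restrictive umask.
    ( umask 077; echo "new" > "$demo_home/user/later.txt" )
    echo "Exposed after:"; exposed_entries "$demo_home"/*
    stat -c '%a %n' "$demo_home" "$demo_home"/*
    rm -rf "${demo_home%/home}"
}

demo
```

On a real system the same audit would be pointed at /home/* as root; symbolic links are skipped because their own mode bits are always reported as 777.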

hasanatizaz 12-17-2008 03:45 PM

You need to set
chmod 755 /home

Please post the output of ls -ltr /home instead of the GUI so that it's easier to see the permissions of default user home directories and see users and their groups.

All users' home directories must be 700.

mashcaster 12-17-2008 03:52 PM

So if I do

umask 0700, will that fix things for when I create further new users? i.e. prevent others from seeing their folders?


All times are GMT -5.