LinuxQuestions.org
Old 12-17-2008, 06:40 AM   #1
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Rep: Reputation: 15
User Accounts


Now that I have password protected the bios, changed the bios settings so the PC will not boot from anything except the master hdd, padlocked the case so the bios cannot be reset by changing the jumper, changed the bios settings to alert me if the case has been tampered with, and installed debian on an encrypted file system.

How do I setup a multi user machine where each users files, folders, program settings, and temporary files are protected, hidden, and locked from the other users?
 
Old 12-17-2008, 07:24 AM   #2
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728
Maybe you should also lock it in a concrete vault guarded by 5 hungry dogs.....

Seriously, go into a terminal, su to root, and enter "adduser". The default creation of a new user will do most of what you want. I think the only thing you might need to change is the permissions. Do this in /home, using chmod -R <flags> username. This changes the permissions for the "username" directory and everything inside.
 
Old 12-17-2008, 07:24 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965
this is a default of a normal linux environment. one user would not be able to see another users /home/username/ directory.
 
Old 12-17-2008, 07:36 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Make sure their umask setting masks out the permissions of others. I don't know if the /tmp/kde-<username>/ directory will be private otherwise. Use a umask command in the default /etc/profile file.
 
Old 12-17-2008, 08:31 AM   #5
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by pixellany
Maybe you should also lock it in a concrete vault guarded by 5 hungry dogs.....
hmmm, interesting thought!

Might need to think about implementing that mission impossible environment, only without the hatch in the ceiling...

Last edited by mashcaster; 12-18-2008 at 06:47 AM.
 
Old 12-17-2008, 08:32 AM   #6
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by acid_kewpie
this is a default of a normal linux environment. one user would not be able to see another users /home/username/ directory.
In the last distro I tried, this was not the case.
 
Old 12-17-2008, 08:33 AM   #7
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jschiwal
Make sure their umask setting masks out the permissions of others. I don't know if the /tmp/kde-<username>/ directory will be private otherwise. Use a umask command in the default /etc/profile file.
I'll have to look into this.
 
Old 12-17-2008, 10:26 AM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
OpenSuSE uses the "users" group as the default group for new users. That is the first thing I fix, even though I'm the only user! It's the principle. You are still using the basic owner/group/permissions model however.
 
Old 12-17-2008, 02:03 PM   #9
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
Why am I able to see the other users folder and why am I able to click through the other users folders and even open the users files?

http://img266.imageshack.us/img266/5...eenshothw0.png

What I cannot do is edit anything.

This is not good default behavior.
 
Old 12-17-2008, 02:12 PM   #10
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
What are the user's permissions in /home? Look at "ls -ld /home/*".

Make sure that the group owner is unique. Make sure that the other's permissions on the directories in home don't allow any access.

Your picture only shows the home directories for the two users. It doesn't show you entering them. Seeing the users' home directories in /home is normal.

Last edited by jschiwal; 12-17-2008 at 02:16 PM.
 
Old 12-17-2008, 02:19 PM   #11
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jschiwal
What are the user's permissions in /home? Look at "ls -ld /home/*".

Make sure that the group owner is unique. Make sure that the other's permissions on the directories in home don't allow any access.
I did

chmod -R 0711 /home

user@debian:~$ su
Password:
debian:/home/user# ls -ld /home/*
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
debian:/home/user#

Is that the best way?
 
Old 12-17-2008, 02:22 PM   #12
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jschiwal
Your picture only shows the home directories for the two users. It doesn't show you entering them. Seeing the users' home directories in /home is normal.
It may be normal, but why am I able to get into the other person's folders and open their files? That can't be normal, can it?
 
Old 12-17-2008, 02:35 PM   #13
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Quote:
Originally Posted by mashcaster
I did

chmod -R 0711 /home

user@debian:~$ su
Password:
debian:/home/user# ls -ld /home/*
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
debian:/home/user#

Is that the best way?
Those permissions mean this:

d <- Directory
rwx <- Read Write eXecute for User
--x <- eXecute for Group
--x <- eXecute for Everyone

For directory purposes read means being able to list contents, write means delete and create new contents, and execute means you can make the directory your current working directory.

For file purposes read means being able to view the contents of the file, write means being able to change the contents of the file, and execute means being able to run the file (binary or script).

There are also special permissions you can set additionally, but we'll avoid those for the moment being as they're not presently relevant.

For the purposes of what you're looking to do you pretty much want any personally owned directories to be permissions 700 and shared directories (that they don't need to be able to list the contents of) to be 711. For file permissions you're pretty much looking at a unilateral 600. Things won't get real tricky till you attempt to deal with /tmp.

Try this:

chmod 700 /home/user /home/user2

Permissions for files and folders work slightly differently. If you wish to make it so users can't see the home directories you'll have to deny them the ability to get a directory listing for the /home directory or chroot them into their home directory.

chmod 711 /home

Will remove the users' ability to get a directory list in /home but still let them access content under their own directory.

Of course, if you are logged in as root or a given program is functioning as root you more or less can do anything you please.

Putting a restrictive umask in place will be necessary if you want to keep things relatively private.

It looks like you're using umask 066, you want to use umask 077 most likely.

Code:
me@here$ umask 066 && mkdir foo && touch bar
me@here$ umask 077 && mkdir foo2 && touch bar2 
me@here$ ls -l
total 8
-rw------- 1 me me    0 2008-12-17 13:54 bar <- (Effective chmod 600)
-rw------- 1 me me    0 2008-12-17 13:54 bar2 <- (Effective chmod 600)
drwx--x--x 2 me me 4096 2008-12-17 13:54 foo <- (Effective chmod 711)
drwx------ 2 me me 4096 2008-12-17 13:54 foo2 <- (Effective chmod 700)
me@here$
However, remember umask only works on newly created directories and files after it is set. You probably want to set it in the system wide profile for what you're attempting to do. Also remember this kind of security is only as good as being able to prevent the user from getting root access... if they can sudo or su to root they can circumvent all the safeguards you're putting in place completely. Make your root password *very* secure. Keep the system completely updated.

Last edited by rweaver; 12-17-2008 at 03:00 PM. Reason: functional effect of perms, root perms, umask
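The permission bits and umask arithmetic explained in the post above, as an added example that is not part of the thread or of any project: a POSIX sh script that computes the mode a umask produces for new files and directories, converts the symbolic permission field of ls -ld to octal, and lists any home directory under a given parent that still grants group or other access. The function names and the test directories are my own; the script assumes no spaces in home directory names.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are my own.

# effective_mode BASE UMASK: mode a umask yields for a new object whose
# base creation mode is BASE (666 for files, 777 for directories).
# e.g. effective_mode 777 077 -> 700 ; effective_mode 666 066 -> 600
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# perm_to_octal SYMBOLIC: the first ls -l field, e.g. "drwx--x--x" -> 711.
# Only the nine rwx bits are counted; setuid/setgid/sticky are ignored.
perm_to_octal() {
    bits=$(printf '%s' "$1" | cut -c2-10)
    n=0
    i=1
    while [ "$i" -le 9 ]; do
        n=$(( n * 2 ))
        case $(printf '%s' "$bits" | cut -c"$i") in
            r|w|x|s|t) n=$(( n + 1 )) ;;   # bit set (s and t imply x)
        esac
        i=$(( i + 1 ))
    done
    printf '%03o\n' "$n"
}

# home_audit DIR: print "MODE PATH" for every entry directly under DIR that
# grants any group or other permission; prints nothing when all are private.
# Parses ls -ld rather than GNU stat so it runs on any POSIX system.
home_audit() {
    ls -ld "$1"/* 2>/dev/null | while read -r perms rest; do
        mode=$(perm_to_octal "$perms")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "${rest##* }"
        fi
    done
}
```

Running home_audit /home as root after the chmod -R 0711 from post #11 would list both home directories, since 711 still grants execute to group and other; after chmod 700 it prints nothing.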
 
Old 12-17-2008, 02:45 PM   #14
hasanatizaz
Member
 
Registered: Nov 2007
Location: Pakistan
Distribution: Redhat and Debian
Posts: 302
Blog Entries: 1

Rep: Reputation: 34
you need to set
chmod 755 /home

please post the output of ls -ltr /home instead of gui so that it's easier to see the permissions of default user home directories and see users and their groups.

all users home directory must be 700

Last edited by hasanatizaz; 12-17-2008 at 02:54 PM.
 
Old 12-17-2008, 02:52 PM   #15
mashcaster
Member
 
Registered: Dec 2008
Posts: 67

Original Poster
Rep: Reputation: 15
So if I do

umask 0700, will that fix things for when I create further new users? i.e. prevent others from seeing their folders?
 
  



Tags
chmod, exec, find, permissions, umask

