LinuxQuestions.org


Sebi94 06-30-2012 07:07 AM

New user with own rights, should only be able to access his own directory and processes
 
Hello!
I want to realize something. I hope you can help me. And sorry for my English, I'm from Germany.

I want to add a user who has his own directory and can only access this directory. He should not be able to use "/etc/init.d/..." or "/var/www/..." or anything else. He should have his own directory, like this: "/home/<user>/..."

And there he is allowed to do everything that root allows him. This user in my example should be able to run a server (called "Minecraft") with his permissions, and he should be able to remove, copy, move and/or edit some files of this server. These server files are all in his own directory (/home/<user>/).

But he isn't allowed to edit, create, move and/or delete anything in another directory, like "/var/www/" or "/home/root/...".

He isn't allowed to use the root permissions. And he should be able to log in via SSH on the server with his own credentials (username + HIS OWN password).

I hope somebody can follow me and explain to me how I can create this user as described here.

Thank you!

jschiwal 06-30-2012 08:11 AM

The user will need to read some system directories such as /bin/, and /etc/ to be able to run programs.

Check the permissions on your server to make sure they aren't too permissive. A regular user can read /etc/init.d/ but not execute the files as root. Check the permissions for "other". Regular users not part of a httpd or www group shouldn't be allowed access to /var/www/.

If the server's filesystem uses the ACL mount option, you could use setfacl to deny this particular user access to files & directories.

You could use AllowUsers in /etc/ssh/sshd_config to list the users allowed ssh access. All other users will be denied. This is a quick and easy way to disallow all system users ssh access. Also consider using PUBKEY authentication for SSH.

Sebi94 06-30-2012 02:55 PM

Okay, all right. But what exactly do I have to do now?

I haven't got a graphical user interface (= GUI) on the server. It's only a terminal. How can I tell my server system that it should add this user with the permissions named here?

Simply like this?
adduser --home /Tobias Tobias

And is that all, so that the permissions are right? :eek:

EDIT: I have a little problem. The new user can't edit the files of the server because of permission issues. How can I say that he is allowed to (only for these files)?

jschiwal 07-02-2012 07:38 AM

Please be more specific. Are you saying the user can't edit his own file in his HOME directory? If not, list the permissions and ownership of the containing directory (ls -ld <dir>) and of the files the user needs to edit. Consider adding the user to a group, if the directory and file ownerships use the group ownership for this purpose. You could also use setfacl to add permissions for another user or group. You can create a default ACL on the parent directory so new directories and files inherit the ACL.

Sebi94 07-02-2012 11:15 AM

I created a user with a home directory: adduser --home /minecraft tobias.

Quote:

user@linux:/# ls -ld /minecraft
drwxr-xr-x 12 tobias tobias 800 Jun 30 23:37 /minecraft
He should be able to edit each file and directory in this directory "/minecraft/". But he hasn't got the permissions to edit files. For example this one:
Quote:

Originally Posted by text file
user@linux:/# ls -ld /minecraft/server.properties
-rw-r--r-- 1 tobias tobias 447 Jun 30 23:23 /minecraft/server.properties

Quote:

Originally Posted by all files & directories
user@linux:/# ls -ld /minecraft/*
-rw-r--r-- 1 tobias tobias 0 Jun 30 23:24 /minecraft/banned-ips.txt
-rw-r--r-- 1 tobias tobias 0 Jun 30 23:24 /minecraft/banned-players.txt
-rw-r--r-- 1 tobias tobias 1311 Jun 30 23:24 /minecraft/bukkit.yml
-rw-r--r-- 1 root root 11592470 Jun 10 03:09 /minecraft/craftbukkit.jar
-rw-r--r-- 1 tobias tobias 46 Jun 30 23:15 /minecraft/craftbukkit.sh
-rw-r--r-- 1 tobias tobias 2576 Jun 30 23:05 /minecraft/help.yml
-rw-r--r-- 1 root root 1022 Jun 30 23:38 /minecraft/hilfe.txt
-rw-r--r-- 1 tobias tobias 5 Jun 30 23:24 /minecraft/ops.txt
-rw-r--r-- 1 tobias tobias 0 Jun 30 23:06 /minecraft/permissions.yml
drwxr-xr-x 2 tobias tobias 48 Jun 30 23:05 /minecraft/plugins
-rw-r--r-- 1 tobias tobias 25389 Jun 30 23:28 /minecraft/server.log
-rw-r--r-- 1 tobias tobias 447 Jun 30 23:23 /minecraft/server.properties
-rw-r--r-- 1 tobias tobias 0 Jun 30 23:24 /minecraft/white-list.txt
drwxr-xr-x 5 tobias tobias 240 Jun 30 23:28 /minecraft/world
drwxr-xr-x 5 tobias tobias 240 Jun 30 23:28 /minecraft/world_nether
drwxr-xr-x 5 tobias tobias 240 Jun 30 23:28 /minecraft/world_the_end

Would a "chmod 777 /minecraft/*" help there?

Quote:

Originally Posted by getfacl
user@linux:/# getfacl minecraft
# file: minecraft
# owner: tobias
# group: tobias
user::rwx
group::r-x
other::r-x

user@linux:/# getfacl minecraft/*
# file: minecraft/banned-ips.txt
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/banned-players.txt
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/bukkit.yml
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/craftbukkit.jar
# owner: root
# group: root
user::rw-
group::r--
other::r--

# file: minecraft/craftbukkit.sh
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/help.yml
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/hilfe.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

# file: minecraft/ops.txt
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/permissions.yml
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/plugins
# owner: tobias
# group: tobias
user::rwx
group::r-x
other::r-x

# file: minecraft/server.log
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/server.properties
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/white-list.txt
# owner: tobias
# group: tobias
user::rw-
group::r--
other::r--

# file: minecraft/world
# owner: tobias
# group: tobias
user::rwx
group::r-x
other::r-x

# file: minecraft/world_nether
# owner: tobias
# group: tobias
user::rwx
group::r-x
other::r-x

# file: minecraft/world_the_end
# owner: tobias
# group: tobias
user::rwx
group::r-x
other::r-x


Sebi94 07-21-2012 08:52 PM

Well... My actual solution looks like this:

chmod -R 770 /minecraft
chmod -R 770 /minecraft/*

chown -R tobias:tobias /minecraft
chown -R tobias:tobias /minecraft/*


Now he himself is the owner of this directory, and all files have the permissions 770 (root and user: all permissions, others: nothing).
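An added check, not from the thread or its posters, for the listing posted above and for the 770 result in this last post: it evaluates an `ls -l` line the way the kernel does (owner class if you own the file, otherwise group class if you belong to its group, otherwise "other"), which is why the original listing, all mode 644, was unwritable by tobias only for the two files owned by root. The sample lines are copied from the listing above; the "after" and "777" lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide write access from an `ls -l` line
# the way the kernel does. Only one class applies: the owner bits if you own the
# file, else the group bits if you are in its group, else the "other" bits.

# can_write MODE OWNER GROUP USER "GROUPS" : exit 0 if USER may write the file
can_write() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5
    if [ "$owner" = "$user" ]; then             # owner bits: "rw-" in -rw-r--r--
        case $mode in ??w*) return 0 ;; esac
        return 1
    fi
    for g in $groups; do                        # group bits
        if [ "$g" = "$group" ]; then
            case $mode in ?????w*) return 0 ;; esac
            return 1
        fi
    done
    case $mode in ????????w*) return 0 ;; esac  # other bits
    return 1
}

# unwritable_files USER "GROUPS" LISTING : print paths USER cannot write
unwritable_files() {
    printf '%s\n' "$3" | while read -r m l o g s mo d t path; do
        if [ -n "$m" ] && ! can_write "$m" "$o" "$g" "$1" "$2"; then
            printf '%s\n' "$path"
        fi
    done
}

# world_writable_files LISTING : print paths every account on the system may modify
world_writable_files() {
    printf '%s\n' "$1" | while read -r m l o g s mo d t path; do
        case $m in ????????w*) printf '%s\n' "$path" ;; esac
    done
}

# Sample input copied from the listing posted above (before any chown/chmod)
BEFORE='-rw-r--r-- 1 tobias tobias 1311 Jun 30 23:24 /minecraft/bukkit.yml
-rw-r--r-- 1 root root 11592470 Jun 10 03:09 /minecraft/craftbukkit.jar
-rw-r--r-- 1 root root 1022 Jun 30 23:38 /minecraft/hilfe.txt'
# Constructed: the same files after chown -R tobias:tobias and chmod -R 770
AFTER='-rwxrwx--- 1 tobias tobias 1311 Jun 30 23:24 /minecraft/bukkit.yml
-rwxrwx--- 1 tobias tobias 11592470 Jun 10 03:09 /minecraft/craftbukkit.jar
-rwxrwx--- 1 tobias tobias 1022 Jun 30 23:38 /minecraft/hilfe.txt'
# Constructed: what the "chmod 777 /minecraft/*" asked about above would leave
WORLD='-rwxrwxrwx 1 tobias tobias 447 Jun 30 23:23 /minecraft/server.properties'
unwritable_files tobias tobias "$BEFORE"      # craftbukkit.jar and hilfe.txt
```

After the chown the root-owned files disappear from the report; the 777 variant instead shows up in world_writable_files, which is the check to run before answering the "chmod 777" question.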

