LinuxQuestions.org
Old 10-25-2009, 06:53 PM   #1
AGazzaz
Member
 
Registered: Nov 2005
Location: Egypt
Distribution: Fedora 17 KDE
Posts: 381

Rep: Reputation: 31
Explain Linux folder permission


Hello,
I have been using Linux for years now but I have never thought about this until now.

What if I want to deny a specific user from accessing a specific folder, how can this be done?

This command is after a quick search
Quote:
Set the permissions for the user and the group to read and execute only (no write permission) on mydir.

$ chmod ug=rx mydir
$ ls -ld mydir
dr-xr-x--- 2 unixguy uguys 96 Dec 8 12:53 mydir
Where did this command specify the user or the group?
And as a modern Linux user, how can this be done through the GUI? (you may not answer that)

In the permissions tab in any file properties, under "Advanced permissions", you will find three check boxes: "Set UID", "Set GID" and "Sticky". What are these?

Thank you.

Last edited by AGazzaz; 10-25-2009 at 06:57 PM.
 
Old 10-25-2009, 07:33 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
Last qns sound like homework, so I'll just say: http://linux.die.net/man/1/chmod
 
Old 10-25-2009, 09:31 PM   #3
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
Hmmmm---starts like a real question and ends sounding like homework.....

I'm not up on the "sticky" part, so I'll stick to basics....pun unintentional....

For any file or directory, you have 3 entities: the owner, the group, and everyone else. To control access to ONE item, simply assign it to a unique group, and then manage who gets assigned to that group....

To the best of my knowledge, there is no simple way to deny just one user---you have to just make sure that he or she is the only one not assigned to the unique group.
 
Old 10-25-2009, 10:49 PM   #4
rich_c
Member
 
Registered: Apr 2008
Location: UK
Distribution: Mepis; Maemo; openSUSE
Posts: 384
Blog Entries: 74

Rep: Reputation: 81
There was a very good article about just this in the most recent Linux Format #125.
 
Old 10-25-2009, 11:05 PM   #5
lwasserm
Member
 
Registered: Mar 2008
Location: Baltimore Md
Distribution: ubuntu
Posts: 184

Rep: Reputation: 41
Quote:
Originally Posted by pixellany
.....

...there is no simple way to deny just one user---you have to just make sure that he or she is the only one not assigned to the unique group.
Actually IIRC, there is a fairly simple approach that goes something like this:

Code:
$ chown other-user:excluded-user file
$ chmod 707 file
 
Old 10-25-2009, 11:39 PM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670
Also look at the manpage for setfacl. I will sometimes have to resort to the manpage to remember the exact syntax, so I'm not really RTFM'ing you. The manpage has examples, which are clearer than using the --help option.

If there is already a group assigned, and you need more granular control, setfacl can help. Especially in a case such as when the group has read-only access but you want a particular user to have read-write control.

Of course, you should create your own users and learn by experimentation, using chmod, chgrp and setfacl on a directory and gain first hand experience using permissions.
 
Old 10-26-2009, 06:14 AM   #7
AGazzaz
Member
 
Registered: Nov 2005
Location: Egypt
Distribution: Fedora 17 KDE
Posts: 381

Original Poster
Rep: Reputation: 31
Thank you all,

First, I finished my education a very long time ago, so this is not homework.
Second, I am Microsoft Certified and administering a Windows 2003 server and of course a Windows network. Linux is on my personal laptop only, so there is no one using it but me. I had never thought about securing a folder in Linux until I read an article yesterday about Windows 7 security.

In Windows you can explicitly deny a user access to a folder in a couple of simple steps, but it seems to be more than that in Linux. And your replies just made me think I have to go back to the very beginning to understand how to do such a simple task. For example, in all those years I have not heard of or used chown, setfacl, getfacl, acl or umask. Only chmod 777, and sometimes done with kdesudo dolphin so I do not have to open a konsole.

I do not know where to start, but I need a source that will sum all things up, not a man page explaining a single command or a command for a single task. If you know such a source, please let me know.

Thank you.
 
Old 10-26-2009, 09:41 AM   #8
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Rep: Reputation: 31
Linux Files and File Permission
 
Old 10-26-2009, 10:31 AM   #9
thorkelljarl
Senior Member
 
Registered: Jun 2008
Posts: 1,787

Rep: Reputation: 211
There is also, for example...

http://tldp.org/HOWTO/DOS-Win-to-Linux-HOWTO-4.html

If that HOWTO wasn't helpful, there are many others; tldp has collected many sources of information in one place.

http://tldp.org/

Last edited by thorkelljarl; 10-26-2009 at 10:47 AM.
 
Old 10-26-2009, 10:43 AM   #10
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
Quote:
Originally Posted by lwasserm
Actually IIRC, there is a fairly simple approach that goes something like this:

Code:
$ chown other-user:excluded-user file
$ chmod 707 file
Does not that syntax change the owner and the group attributes for the file? i.e. you would still have to assign your restricted user to the "excluded-user" group.
 
Old 10-26-2009, 07:47 PM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
Fundamentally, Linux perms are built around the concept of restricting positive access, not specifying negative access.
IOW, get the correct ownerships (user:group) and give the minimum reqd access perms (of rwx) to each of ugo (user,group,other).
For finer tuning, you may add acls.
 
Old 10-26-2009, 07:53 PM   #12
AGazzaz
Member
 
Registered: Nov 2005
Location: Egypt
Distribution: Fedora 17 KDE
Posts: 381

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by chrism01
Fundamentally, Linux perms are built around the concept of restricting positive access, not specifying negative access.
IOW, get the correct ownerships (user:group) and give the minimum reqd access perms (of rwx) to each of ugo (user,group,other).
For finer tuning, you may add acls.
I think you mean that the computer is restricted to the root account only, and whoever I want to access a folder I give them a permission for that specific folder; other than that the user is already restricted.

Am I correct?
 
Old 10-26-2009, 08:02 PM   #13
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
Not exactly. That link in post #8 is good. Have a read first, then come back with any qns.
Just point out that for a file rwx = read,write,execute; for a dir it's read,write,x=search(!).
See also http://en.wikipedia.org/wiki/File_system_permissions
 
Old 10-27-2009, 04:51 PM   #14
lwasserm
Member
 
Registered: Mar 2008
Location: Baltimore Md
Distribution: ubuntu
Posts: 184

Rep: Reputation: 41
Quote:
Originally Posted by pixellany
Does not that syntax change the owner and the group attributes for the file? i.e. you would still have to assign your restricted user to the "excluded-user" group.
On the systems I am familiar with every user has a default group that is the same as their username. What I meant was, assign ownership of the file to some arbitrary user, and assign the group to that default self-named group of the user to be excluded, not to some larger group that includes the user. While I think that approach would work, after thinking about it some more, I believe my memory may have been in error. See what you think about this example:

The username to be excluded is "excluded-guy"
The file is named FILE
We want everyone else to be able to read or write to the file.
Then root could do:

Code:
# chown excluded-guy:root FILE
# chmod 077 FILE

If FILE was in a directory owned by root, then anyone except excluded-guy could read or write, but not delete FILE, and excluded-guy could do neither, but would be able to see it in a directory listing. Imagine the frustration of being the owner of a file, yet you can't read, write, or delete it!
 
Old 10-27-2009, 06:48 PM   #15
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
Give it a try on a test file/dir. I suspect that the owner could (should be able to) change the perms.
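
Added example (not part of any post in this thread): a small Python model of the order in which the owner, ACL, group and other permission classes are checked, applied to the proposals from posts #5, #6 and #14. The user names, group names and the helper functions are constructed for illustration, and the model is a simplification, not kernel code.

```python
R, W, X = 4, 2, 1  # permission bits, as in chmod's octal digits

def effective_perms(user, groups, owner, group, mode, acl_users=None, acl_mask=7):
    """Model of the access check for a non-root process (simplified).

    acl_users: optional {name: bits} named-user entries (setfacl -m u:NAME:PERMS).
    Simplification: the middle octal digit of `mode` is taken as the
    owning-group entry; named-group ACL entries are not modelled.
    """
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if user == owner:                      # 1. owner class wins, even if it
        return owner_bits                  #    grants less than "other"
    if acl_users and user in acl_users:    # 2. named-user ACL entry, cut by mask
        return acl_users[user] & acl_mask
    if group in groups:                    # 3. group class, no fall-through
        return group_bits & (acl_mask if acl_users else 7)
    return other_bits                      # 4. everyone else

def can_chmod(user, owner):
    """Changing the mode depends on ownership, not on the mode bits."""
    return user == owner

def rwx(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

def thread_scenarios():
    """The thread's proposals, with constructed user and group names."""
    alice = ("alice", {"alice"})
    excluded = ("excluded-guy", {"excluded-guy"})  # private self-named group
    check = lambda who, *f, **kw: rwx(effective_perms(*who, *f, **kw))
    return {
        # post #5: chown other-user:excluded-guy file; chmod 707 file
        "707 excluded": check(excluded, "other-user", "excluded-guy", 0o707),
        "707 alice": check(alice, "other-user", "excluded-guy", 0o707),
        # post #14: chown excluded-guy:root FILE; chmod 077 FILE
        "077 excluded": check(excluded, "excluded-guy", "root", 0o077),
        "077 alice": check(alice, "excluded-guy", "root", 0o077),
        "077 excluded can chmod": can_chmod("excluded-guy", "excluded-guy"),
        # post #6: root-owned 644 file plus an ACL entry u:excluded-guy:---
        "acl excluded": check(excluded, "root", "root", 0o644, acl_users={"excluded-guy": 0}),
        "acl alice": check(alice, "root", "root", 0o644, acl_users={"excluded-guy": 0}),
    }

if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:24} {result}")
```

The 077 case shows the point raised in post #15: the excluded user is denied by the owner bits but, as owner, can still change the mode, whereas the ACL entry denies access without giving that user ownership.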
 
  


All times are GMT -5. The time now is 12:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration