LinuxQuestions.org
Old 08-27-2009, 05:12 PM   #16
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36

Well, do this: mount -o remount / and then

setfacl -m user:<some user name>:r-- /

Does it still say operation not permitted?
 
Old 08-27-2009, 05:12 PM   #17
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
Quote:
Originally Posted by kdelover
mount -o acl remount /
Code:
mount -o acl,remount /
I believe that's what you wanted.

OP - if all you want to do is give that user a different set of binaries, have you considered setting PATH=/media/usb/bin:$PATH? You could enforce that by adding a UID check and putting it in /etc/profile or similar, and you could use permissions or acls to prevent other users from seeing/running the directories where those new binaries were stored.
 
Old 08-27-2009, 05:14 PM   #18
anirvana
Member
 
Registered: Mar 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Yep, unfortunately, I still get

setfacl: /: Operation not supported

Dang!
 
Old 08-27-2009, 05:15 PM   #19
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
Are you doing it from the root account or as a normal user? And do what karamarisan said; there should be a comma there.
 
Old 08-27-2009, 05:34 PM   #20
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671
It looks like you want to chroot the users, or at least user2. You might want to search on Google for chroot howtos. Having user2's system inside user1's home directory isn't a good idea, especially as you want the chroot environment there as well. You have to enable read and execute rights for the parent directories, which allows user2 access to user1's files. User1, on the other hand, can unlink user2's directories, since user1 has write access to /home/user1/ and deleting files and directories is an operation on the parent directory. Also, pendrives don't make the best device for an operating system.

Maybe you could explain why you need to do this. That might help us suggest a better solution.
 
Old 08-27-2009, 05:40 PM   #21
anirvana
Member
 
Registered: Mar 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by kdelover
are you doing it from root account or normal user? and do what karamarisan said there should be a comma there.
@kdelover
I'm using sudo..and still getting the same msg! arrrgh!! (eating my fist)

@karamarisan
Quote:
OP - if all you want to do is give that user a different set of binaries, have you considered setting PATH=/media/usb/bin:$PATH? You could enforce that by adding a UID check and putting it in /etc/profile or similar, and you could use permissions or acls to prevent other users from seeing/running the directories where those new binaries were stored.
That's a good idea. However, excuse my naiveness, but what you are saying is to add the place where the binaries are on the USB disk to the user's path, right?

Basically, will using PATH=/media/usb/bin:$PATH force an ls binary to run from /media/usb/bin/ rather than /bin/ for that user?

@jschiwal

I will look up chroot

Last edited by anirvana; 08-27-2009 at 05:42 PM.
 
Old 08-27-2009, 05:43 PM   #22
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
ACL should work as far as I know. My bad, I can't test it now.
 
Old 08-27-2009, 05:59 PM   #23
anirvana
Member
 
Registered: Mar 2007
Posts: 31

Original Poster
Rep: Reputation: 15
@kdelover

Are you kidding me! You've been awesomely helpful! No worries.
 
Old 08-27-2009, 05:59 PM   #24
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
If the files you want alternates of are just binaries, then PATH modification is probably your best bet. Note that this is purely a convenience thing. With PATH=/media/usb/bin:..., if there is an ls in /media/usb/bin, that ls will be run instead of the system one, but user2 will still be able to run the system ls with /bin/ls if he wants to. Also note that it is important that no more than root and possibly user2 be able to write to /media/usb/bin or any other directory you add this way, as you could otherwise be opening a serious local security hole.

chroot is overkill if all you want are alternate binaries. It would also affect a number of other things, as the root filesystem outside /media/usb would no longer be visible until the chroot was exited.
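The UID check from post #17 and the write-permission warning in the post above can be combined into one guard, shown here as an added example that is not part of any poster's reply. It assumes GNU `stat` and a UID of 1001 for user2; the function names `dir_is_safe` and `alt_path` are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). /media/usb/bin comes from the posts;
# UID 1001 for user2 is an assumed value.

# dir_is_safe DIR UID: DIR must be a real directory (not a symlink), owned by
# root or by UID, and not writable by group or others.
dir_is_safe() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    info=$(stat -c '%u %a' "$1") || return 1   # GNU stat: owner uid, octal mode
    owner=${info% *} mode=${info#* }
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$2" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]              # group-write or other-write set?
}

# alt_path DIR ALLOWED_UID CURRENT_UID CURRENT_PATH
# Prints the PATH to use: DIR is prepended only for ALLOWED_UID and only when
# dir_is_safe passes; everyone else keeps CURRENT_PATH unchanged.
alt_path() {
    if [ "$3" -eq "$2" ] && dir_is_safe "$1" "$2"; then
        printf '%s:%s\n' "$1" "$4"
    else
        printf '%s\n' "$4"
    fi
}

# In /etc/profile (or a file under /etc/profile.d) this would be used as:
#   PATH=$(alt_path /media/usb/bin 1001 "$(id -u)" "$PATH"); export PATH
```

The guard only looks at the directory itself; the files inside it and the mount options of the USB filesystem decide who can replace the binaries and need the same review.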
 
Old 08-27-2009, 06:10 PM   #25
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,357

Rep: Reputation: 2367
From what the OP describes, I agree with jschiwal, chroot is a nice all encompassing solution.
 
Old 08-27-2009, 06:18 PM   #26
anirvana
Member
 
Registered: Mar 2007
Posts: 31

Original Poster
Rep: Reputation: 15
@karamarisan

I totally agree with your point, modifying the path so that the binaries in the USB stick run instead of the system is a great soln.

I am intrigued by chroot though I will look more into it.

Thanks again everyone.
 
Old 08-27-2009, 09:07 PM   #27
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,072

Rep: Reputation: 384
I haven't read the whole thread, but, seriously, you are describing what chroot does in the first post.
 
Old 08-27-2009, 09:38 PM   #28
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
OP: Take this as a lesson in presenting your problem rather than what you think is a solution. If all you need is alternate binaries for this user, you would have gotten the PATH business a lot sooner and that'd likely be it. You framed it like you need an entire filesystem, and a number of people have given chroot as a way to make that happen (as that's what it does).
 
Old 08-27-2009, 10:26 PM   #29
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
OK, I got back home and I tested what you were trying to do, and it works for me :|

Quote:
root@wsx04:~# grep ACL /boot/config-2.6.31-5-generic
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
Quote:
root@wsx04:~# clear
root@wsx04:~# mount -o remount,acl /
root@wsx04:~# mount
/dev/sda7 on / type ext4 (rw,errors=remount-ro,acl)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
Quote:
root@wsx04:~# setfacl -m user:ryan:--- /
root@wsx04:~# getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::rwx
user:ryan:---
group::r-x
mask::r-x
other::r-x
The Result

Quote:
ryan@wsx04:~$ pwd
/home/ryan
ryan@wsx04:~$ cd ~/
bash: cd: /home/ryan/: Permission denied
ryan@wsx04:~$ cd ~/home
bash: cd: /home/ryan/home: Permission denied
ryan@wsx04:~$
And it seems to be working for me. Hmmm, since I gave ryan --- permissions, that is no permission, nothing seems to be working.

Last edited by kdelover; 08-27-2009 at 10:29 PM.
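Why the `user:ryan:---` entry on / locks ryan out of every path even though `other::r-x` is still present, as an added example that is not part of the post above: a small evaluator for the POSIX ACL access check, run over the getfacl output from that post. The function names and the users alice and bob in the comments and tests are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): POSIX ACL access check over getfacl text.

# has PERMS BIT: true if the rwx string PERMS contains BIT (r, w or x).
has() { case $1 in *"$2"*) return 0 ;; esac; return 1; }

# acl_allows USER "GROUP1 GROUP2 ..." BIT   (getfacl output on stdin)
# Evaluation order: owner entry, then a named user entry, then every matching
# group entry, then "other". The first class that matches decides; named-user
# and group entries are additionally limited by the mask.
acl_allows() {
    user=$1 groups=" $2 " bit=$3
    owner='' ogroup='' uobj='' named='' gperms='' gseen='' mask=rwx other=''
    while IFS=: read -r tag name perms; do
        perms=${perms%%[!rwx-]*}          # drop any trailing "#effective:" note
        case $tag in
            '# owner') owner=${name# } ;;
            '# group') ogroup=${name# } ;;
            user)  if [ -z "$name" ]; then uobj=$perms
                   elif [ "$name" = "$user" ]; then named=$perms; fi ;;
            group) g=${name:-$ogroup}
                   case $groups in *" $g "*) gperms=$gperms$perms; gseen=1 ;; esac ;;
            mask)  mask=$perms ;;
            other) other=$perms ;;
        esac
    done
    if [ "$user" = "$owner" ]; then has "$uobj" "$bit"
    elif [ -n "$named" ]; then has "$named" "$bit" && has "$mask" "$bit"
    elif [ -n "$gseen" ]; then has "$gperms" "$bit" && has "$mask" "$bit"
    else has "$other" "$bit"; fi
}

# The ACL that post #29 set on /, as printed by getfacl there.
thread_acl() {
    cat <<'EOF'
# file: .
# owner: root
# group: root
user::rwx
user:ryan:---
group::r-x
mask::r-x
other::r-x
EOF
}

if thread_acl | acl_allows ryan ryan x; then
    echo "ryan may traverse /"
else
    echo "ryan may not traverse /, so every absolute path lookup fails"
fi
```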
 
Old 08-30-2009, 03:57 PM   #30
anirvana
Member
 
Registered: Mar 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Everyone,
Thanks so much for the helpful pointers and code snippets. I have implemented the PATH solution and am looking at chroot now. I have got it working. I found some excellent tutorials via Google about chroot.

One question though: as the root user of my system, if I grant a programmer access into a chroot jail, how can I move him back to the normal /home/user2 filesystem on my computer? I have found articles on "how to get out of chroot jail" and "how to break out of jail" etc., but they don't seem to be quite elegant. They all use the fact that the root user can't be jailed, and so the chrooted guy performs actions to elevate himself to root level and hence gets out, or maybe follows a hard link, etc.

Can someone please suggest a clean way to allow a chrooted user back into the main filesystem?

Situation: User2 logs into my computer and is hived off to a chrooted environment, he does some stuff, and then I as the root user decide it is time to move user2 onto the main file system.

One possible way, I thought of, based on this thread is to possibly go and put links in the chrooted environment for user2 pointing to the /home/user2 on the main filesystem. But chroot won't allow user2 to follow those soft links (as it should). Also it seems hard links can't be made to directories.

Can anyone give me some advice about bringing a user back from a chrooted environment to the main filesystem?

Thanks again in advance.

EDIT============

I mean moving user2 into the main file system in a transparent manner if possible. For example: user2 logs in and is thrown into chrooted env, he does some stuff, and then automatically (magically, after 20 seconds or completing some tasks etc..) is now able to browse the main file system, thereby not being restricted by chroot, without having to do any "jailbreaking" explicitly.

Last edited by anirvana; 08-30-2009 at 04:00 PM.
 
  


All times are GMT -5.