LinuxQuestions.org
Old 03-19-2003, 05:05 AM   #1
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Rep: Reputation: 15
Question Setting user limitations ...


I have prepared a new user profile on my machine to test it. Now I would like this user to see his home dir as the root; I do not want him to be able to go to the real root dir and explore the whole system ... How can I do this???
 
Old 03-19-2003, 07:16 AM   #2
Phonics3k
Member
 
Registered: Jun 2002
Location: Wales, UK
Distribution: Gentoo 2005.1
Posts: 213

Rep: Reputation: 30
He might be able to get into the root directory, but he shouldn't be able to access anything when he gets there.
 
Old 03-19-2003, 06:44 PM   #3
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Original Poster
Rep: Reputation: 15
Yes, he can access it: he can copy everything he finds into his home dir and he can manipulate (open for read and edit) the copied files ...
For example, he can open the /etc/passwd file and read it. I do not want this; I would like to limit his ability to explore the directories ...
 
Old 03-19-2003, 06:54 PM   #4
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370
First, just because the user can read/copy the file does not necessarily pose a security threat. If you use Shadow passwords, then the /etc/passwd file will contain only an 'x' for the password field.

If you're determined though, this may work (i.e. I have never tried it myself):
as root, type 'chmod 750 /'

That should allow only the owner of the root directory (root) to read, write, and display the contents of the directory. Then group permissions allow reading and listing (but no writing), and no permissions for anyone else.

Again, I haven't done that before... read the man page on chmod before you try...
 
Old 03-19-2003, 08:29 PM   #5
cuckoopint
Member
 
Registered: Feb 2003
Distribution: Debian
Posts: 797

Rep: Reputation: 30
Quote:
Yes, he can access it: he can copy everything he finds into his home dir and he can manipulate (open for read and edit) the copied files ...
For example, he can open the /etc/passwd file and read it. I do not want this; I would like to limit his ability to explore the directories ...
If you're paranoid, a restricted shell account for a particular user really helps. Also, look into chroot.
 
Old 03-20-2003, 08:03 PM   #6
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Original Poster
Rep: Reputation: 15
Tnx, I'll try to test chmod and chroot
 
Old 03-21-2003, 10:14 PM   #7
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Original Poster
Rep: Reputation: 15
I did not use chroot because it does not do what I need ...
... I found a book with good documentation on chmod, including the meaning of the numbers to apply to the chmod command. So I tried 'chmod 750 /' but I had very bad results: I needed to use chmod again on some /etc/ssh/ files because ssh had been deactivated; the ssh problem has been resolved.
Also, I have not been able to open a bash console inside KDE again, and if I try to use some tools from the KDE menu, like the Yast2 of SUSE (this requires the "su" tool), I get a message that says: "impossible to find su program"
The "su" program is in the /bin directory; I can see it with the konqueror file manager ...
Is there a way to restore the su command and the bash console in the KDE environment???
 
Old 03-21-2003, 10:34 PM   #8
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370
Ok, let me explain what the chmod command did.

It said that normal users cannot get the contents of the root directory. It was serious overkill after I gave it some thought. In other words, the ONLY thing a user could see is his/her home directory and any subdirectories. Since /bin/su is not in your home directory, it tries to find the command by searching in /bin, which is a subdirectory of /. Again, you do not have permission to even look at the contents of the / directory. Furthermore, you probably couldn't execute ANY command from the command line. The chmod COMPLETELY shut off the access to anything but the user's home directory.

Since that's obviously not what you want from your reply, then you'll have to be a bit more selective in what directories to block off, and I have a feeling you're going to pull your hair out. To be usable, you'd need to reinstate the original chmod for the / directory (chmod 755 /). Now you have to decide which directories you don't want regular users to access. From your original post, you don't want them to see /etc/passwd. So, you have at least two options:
1) chmod 750 /etc
2) chmod 750 /etc/passwd

The first will, just like before, block any access to the /etc directory. Be careful, because user applications might want to read some files in that directory. If they can't read them, they might not work. The second option blocks off access to the file itself. It may be the cleanest solution, but that means you'll have to block off every file in your system that you don't want the user to see. You should be getting an idea of why you might start pulling your hair out. There are thousands of files on the system.

So, it's up to you to decide which strategy is best for you. Do you want to go down all the way to the file level? If not, will you/can you block entire (sub-)directories and still have a system that users will be productive on? Welcome to the world of file permissions...

Last edited by Dark_Helmet; 03-21-2003 at 10:36 PM.
 
Old 03-22-2003, 12:32 PM   #9
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Original Poster
Rep: Reputation: 15
Azzzzz, I really have started to pull my hair out ... I thank you for your help, but now the problem, I think, has become bigger: I don't know how, but I cannot use the su tool and the bash consoles in the KDE environment with my normal habitual user. In the root directory I did 'chmod 755 /bin' and I also tried 'chmod 777 /bin'. Is there a config file containing the path of the /bin directory that sets the standard paths of the KDE environment???
 
Old 03-22-2003, 01:34 PM   #10
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370
Well, just changing /bin won't do it, and here's why.

When a program is started, it gets the permissions of the user that started the program. For clarity, let's just assume we're using an account named eteria. If we launch a program, it can only read and write to directories or files that user eteria can read or write to. So, letting the user start the application is only the first part of the problem.

Specifically, a program will usually want to read configuration files. Sometimes those files are located in various places. The two likely spots are your home directory and the /etc directory. If the user can't read the / directory, then the program can't read its configuration in /etc. Thus, the program might not run at all.

Another similar problem is what are called libraries. These are similar to the DLLs in the Windows world. They are files containing executable code that all the programs on your computer can share. Think of them as repositories for common tasks that programs need access to. Libraries are stored in various places on a machine, just like configuration files. They typically are found in "lib" directories such as /lib, /usr/lib, /usr/shared/lib, and others. Again, if the user can't read the / directory, then the program is denied the ability to look at the repository. Just like the problem with the config files, the program is likely to fail.

You need to 'chmod 755 /' to restore read access to your root directory. Doing a 'chmod 755 /bin' won't help because bin is a subdirectory of /. If you can't read /, you can't read any subdirectories. That's what I was getting at before. Open up the / directory again, and then decide which directories you want to deny access to rather than deciding what you want to give access to. Make sense?
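
Added example, not part of any post in this thread: a small shell check showing why `chmod 750 /` made /bin/su unreachable while /bin itself was still 755, since path lookup needs the search (x) bit on every directory on the way to the file. The function names are illustrative, GNU `stat` is assumed, the user is assumed to be neither owner nor group member of the directories (so the "other" bits apply), and a throwaway directory stands in for /.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (coreutils) and a user who is neither the
# owner nor in the group of the directories, so the "other" bits apply.

# Print the "other" permission digit of a path (the 0 in 750, the 5 in 755).
other_digit() {
    mode=$(stat -c '%a' "$1") || return 2
    echo "${mode#"${mode%?}"}"
}

# first_blocked_dir ROOT RELPATH
# Walk from ROOT down to the parent of RELPATH and print the first directory
# whose "other" search (x) bit is missing. Returns 0 if one is found, 1 if
# every ancestor directory can be traversed.
first_blocked_dir() {
    cur=$1
    rest=$2
    while :; do
        digit=$(other_digit "$cur") || return 2
        if [ $(( digit & 1 )) -eq 0 ]; then
            echo "$cur"
            return 0
        fi
        case $rest in
            */*) cur=$cur/${rest%%/*}; rest=${rest#*/} ;;
            *)   return 1 ;;
        esac
    done
}

# Build a throwaway tree that stands in for / (constructed sample; the real
# root directory is never touched) and compare mode 750 with mode 755.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/bin" && : > "$root/bin/su"
    chmod 755 "$root/bin" "$root/bin/su"
    for m in 750 755; do
        chmod "$m" "$root"
        if blocked=$(first_blocked_dir "$root" bin/su); then
            echo "root mode $m: lookup of bin/su stops at $blocked"
        else
            echo "root mode $m: every directory down to bin/su is searchable"
        fi
    done
    rm -rf "$root"
}

demo
```

On a live system, `namei -l /bin/su` (util-linux) lists the mode of each path component in the same way.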
 
Old 03-22-2003, 05:57 PM   #11
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Original Poster
Rep: Reputation: 15
I did
chmod 755 /
I cannot explain to myself what is happening. I opened a shell with an emacs X client
M-x shell
and I used the commands:
bash
konsole

The first (bash) should open a standard shell but does not do anything; the second (konsole) should open a standard KDE console but gives me a message that says:
eteria@eteriaMachine:~> konsole
/usr/lib/qt3/plugins/imageformats/libqjpeg.so: Feature JPEG already defined in /usr/lib/qt-3.0.3/plugins/imageformats/libqjpeg.so!
/usr/lib/qt3/plugins/imageformats/libqmng.so: Feature MNG already defined in /usr/lib/qt-3.0.3/plugins/imageformats/libqmng.so!
Can't open a pseudo teletype

I don't understand how this can be a consequence of the first time that I ran 'chmod 750 /' ...
 
Old 03-22-2003, 09:09 PM   #12
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370
Ok, you never explicitly said you changed / back. You mentioned changing some ssh files, but not /.

No problem. Verify for me that / is restored; not that I don't trust you, but because I'd like to know what the system is saying. Do 'ls -ld /' and post the results.

Had you successfully opened bash and konsole through emacs before? When you do 'M-x shell' it opens the user's default shell. So there's no need to execute bash unless your system defaults you to something else (like tcsh, korn, or others). If you do execute bash, it will not open a new window for you. That's true of the command line as well as emacs. When you run 'bash' it runs on top of the current shell; it doesn't start a new window.

Secondly, I'm not sure if launching konsole through emacs will accomplish what you want. What is it you're trying to do? Understanding the end goal might help explain roadblocks getting there.
 
Old 03-22-2003, 09:12 PM   #13
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370
Did you install a new version of the qt libraries?

It looks like your system has two versions of qt on it:
qt version 3
qt version 3.0.3

If so, that might be the cause of your problems. You ought to uninstall the older library.
 
Old 03-22-2003, 11:31 PM   #14
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Original Poster
Rep: Reputation: 15
ls -ld /
drwxr-xr-x 18 root root 4096 mar 23 04:35 /

This is the result. I don't know, perhaps it is better that I reinstall everything ...
 
Old 03-23-2003, 12:03 AM   #15
ETeria
Member
 
Registered: Mar 2003
Location: Monza (MI)
Posts: 65

Original Poster
Rep: Reputation: 15
Ah, I also did this:
eteria@eteriaMachine:/usr/lib> ls -l qt3
lrwxrwxrwx 1 root root 9 mar 23 05:22 qt3 -> qt-3.0.3/

I cannot uninstall qt3 because it is a link to qt-3.0.3 ... my head is spinning faster and faster ...
 
All times are GMT -5. The time now is 05:13 AM.