LinuxQuestions.org
Old 10-09-2007, 01:00 PM   #1
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 145

Rep: Reputation: 15
Best way to manage groups


This might seem basic, but I need some advice on managing user access in groups.

I want one user to be in a group that will have very limited access. I want another user to have some access but not be as restricted as the first. Here's what I mean:

UserA should have access to /multimedia, UserB should not.
I created a group called admin and put UserA in it. Permissions on /multimedia were drwxr-xr-x, so UserA had access. But so did UserB.

When I change permission on /multimedia to drwxr-x---, neither user has access. I did chown -R root:admin to /multimedia, but UserA is still denied access.

Any clues? Basically how to give UserA access to /multimedia but keep UserB totally out?

Thanks.
 
Old 10-09-2007, 01:26 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
If I was you I'd double-check everything to make sure it's the way you picture it. I say this because, AFAICT from reading your post, what you are trying to do should work fine. I've even done the same thing just now on my box to show you that it works:
Code:
win32sux@candystore:/tmp$ sudo groupadd example
win32sux@candystore:/tmp$ sudo useradd -g example -s /bin/bash -m UserA
win32sux@candystore:/tmp$ mkdir /tmp/test
win32sux@candystore:/tmp$ sudo chown root:example /tmp/test
win32sux@candystore:/tmp$ sudo chmod 750 /tmp/test
win32sux@candystore:/tmp$ ls -l /tmp | grep test
drwxr-x--- 2 root  example   48 2007-10-09 13:09 test
win32sux@candystore:/tmp$ ls -l /tmp/test
ls: /tmp/test: Permission denied
win32sux@candystore:/tmp$ sudo su UserA
UserA@candystore:/tmp$ ls -l /tmp/test
total 0
UserA@candystore:/tmp$
I used a group called "example" since I already have one called "admin". I created "UserA" and put him in the example group. Then I gave the directory root:example ownership with mode 750. As you can see, since I (win32sux) am not a member of the group "example", I can't see the directory contents, but "UserA" can.

Last edited by win32sux; 10-09-2007 at 01:31 PM.
 
Old 10-09-2007, 01:41 PM   #3
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 145

Original Poster
Rep: Reputation: 15
I kinda found the problem

Thanks for the quick reply.

I found out what the problem is. UserA is both a regular user and a Samba user. When UserA tries to access /multimedia in Linux, it works fine. When UserA tries to access /multimedia via a Windows machine, they're being told "You do not have permission".

I've looked into it and it's a little more complex. I may have to set up a Samba ACL to allow UserA access via Samba. As it is, they do have access at the command line.

Do you have any recommendations? I'll keep looking up Samba ACLs unless you have another suggestion.
 
Old 10-09-2007, 01:45 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kuriharu
Do you have any recommendations? I'll keep looking up Samba ACLs unless you have another suggestion.
I don't know enough about Samba to be of any help.

But surely someone who does will chime in any moment now. Hang in there.
 
Old 10-09-2007, 03:14 PM   #5
Autocross.US
LQ Newbie
 
Registered: Aug 2006
Location: Chesapeake, VA
Distribution: Solaris, HP-UX, RedHat, Fedora
Posts: 15

Rep: Reputation: 0
Have you added an entry in smb.conf for this user and directory?

Something like this would work:


# A private directory, usable only by UserA.
[some_share_name]
comment = Share Name
path = /multimedia
valid users = UserA
public = no
writable = no

Restart smb after the change.
 
Old 10-09-2007, 04:16 PM   #6
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 145

Original Poster
Rep: Reputation: 15
That Worked!

Autocross, that seemed to work. I added that line to each Samba share, and UserA does have access. UserB (who only has shell access) does not. This is just how I wanted it set up.

Thanks a lot!
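The thread ends with two separate gates on /multimedia: the share's `valid users` line and the directory's root:admin mode 750. The following is an added example, not code from any poster, that evaluates both gates for a user over constructed data; UserC, the `staff` group and the `@staff` entry are assumptions added to show a user the share admits but the filesystem still refuses, and only basic mode bits are modelled (no POSIX ACLs, no root override).

```python
import configparser

# Constructed sample data (not taken from a real system).
SMB_CONF = """\
[multimedia]
path = /multimedia
valid users = UserA, @staff
public = no
writable = no
"""
GROUPS = {"UserA": {"admin"}, "UserB": {"users"}, "UserC": {"staff"}}
# path -> (owner, group, mode), as `stat` would report it
FS = {"/multimedia": ("root", "admin", 0o750)}


def share_allows(conf_text, share, user, groups):
    """Share-level gate: an empty 'valid users' admits any authenticated user."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    entries = cp[share].get("valid users", "").replace(",", " ").split()
    if not entries:
        return True
    # An entry is either a user name or @group (membership in a Unix group).
    return any(e == user or (e.startswith("@") and e[1:] in groups.get(user, ()))
               for e in entries)


def fs_allows(path, user, groups, want=0o5):
    """Filesystem gate: select owner, group or other bits; r-x lists a directory."""
    owner, group, mode = FS[path]
    if user == owner:
        bits = mode >> 6
    elif group in groups.get(user, ()):
        bits = mode >> 3
    else:
        bits = mode
    return (bits & 0o7 & want) == want


def samba_access(user, share="multimedia"):
    """Return (share gate, filesystem gate); both must be True for access."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(SMB_CONF)
    path = cp[share]["path"]
    return share_allows(SMB_CONF, share, user, GROUPS), fs_allows(path, user, GROUPS)


if __name__ == "__main__":
    for name in GROUPS:
        print(name, samba_access(name))
```

On a live system the same inputs come from `testparm -s`, `id -nG <user>` and `stat -c '%U:%G %a' /multimedia`.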
 
  

