Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
I saw your last post, but didn't comment, so seeing your post again I will try to offer up some sort of help.
First, you didn't really say how these people are accessing your machine. It sounds like they are logging in at the terminal or via SSH. You also didn't say what kind of files are being stored here. Is this just a file repository and nothing else?? Like documents that would be shared between members of the groups? I'm not trying to be nosey, but if I knew what the objectives were, I may be able to better advise you on another setup you could be doing like setting up an FTP server, perhaps.
Here's one strategy you could use that may help, and I hope this serves all your needs...
You could create a directory called /home/team1. This will be owned by the leader of team1, which we'll say is "John" for now. chown john.team1 /home/team1. Now do a chmod 770 /home/team1 This should give the folder the following permissions: rwxrwx---.
So what does all this mean? Well, because "john" is the owner of the directory, he has full ability to do anything he wants with his directory, which is indicated by the first rwx in the permissions statement. Members of the group "team1" will have rwx permissions also, as indicated by the second set of rwx in the permissions statement.
So now you setup individual users like "billy" and make him a member of the "team1" group so that he has the ability to rwx to the folder. You can setup subsequent folders like "team2" and make them with the same ownership and permission scheme as above. If user "billy" tries to view the "team2" folder, he will be unsuccessful because the permissions on the "team2" folder that apply to him are the last group of permissions I'm showing above, which would be "---" which doesn't allow read, write or execute.
Now the one thing this scenario doesn't cover is the possibility of the "admins" being able to manipulate all the other team folders. So if the user "john" wanted to modify stuff in the "team2" folder, well... I don't really have a solution for that here, so maybe some other person will offer up an alternate suggestion.
Thanks for the reply I think I am getting somewhere, btw sorry should have explained myself a bit better - well it made sense in my head
A number of users would be logging into the server via ssh. They would have their own accounts to do pretty much what they want (within reason). So it might not just be a place to store files but also to do various other things. So this is what I was hoping to achieve, my logic could be flawed but this is my understanding so far.
user - "team_leader", home dir "/home/team_leader"
user - "bob", home dir "/home/bob"
user - "john", home dir "/home/john"
Now bob and john are both part of the same team and team_leader is their team leader What I was hoping to achieve is that team_leader would be able to access both bob's and john's home accounts and see all the files within those accounts, but bob and john would only have access to their own home directories (not even be able to see other ppl's files).
Now by talking to other ppl and from what you have said I have come up with the following config...
team_leader would own the "/home/team_leader" directory and the permissions to it would be drwx,---,---..
bob would be in the "bob" group, and so would team_leader. The permissions for /home/bob would be drwx,rwx,---.
john would be in the "john" group, and so would team_leader. The permissions for /home/john wuold be drwx,rwx,---.
Am i right in saything then that team_leader would have access bob and johns home directories, but bob and john would not be able to access each others? The only thing is that if the user sets the permission to a file in their home directory as rw-,---,--- then only they can modify it which is maybe a good thing but being the paranoid guy i am it could potentially be a bad thing.
Hope i've explained it a bit better this time round And once again thanks for the reply.
Last edited by statuszero; 07-16-2004 at 02:51 PM.
Am i right in saything then that team_leader would have access bob and johns home directories
Yep. Because he is a member of their group and would have rwx ability as indicated by the folder's "group" permissions.
but bob and john would not be able to access each others
Yep, because bob is not a member of the "john" group and vise versa. Also, they will not have access to the leader's stuff, becsause they are not a member of the "leader" group (or whatever you call it). You could very well have the leader "Mike" a member of the "Mike" group and nobody else.
The only thing is that if the user sets the permission to a file in their home directory as rw-,---,--- then only they can modify it which is maybe a good thing but being the paranoid guy i am it could potentially be a bad thing.
I recommend setting up some test scenarios on your machine. Set everything up like you've described and then play with all of this yourself. Have a couple of your users test it out. You may be surprised to find something you didn't expect. Have a "trial period" to be sure everything is as you planned before going "live" and bringing in a bunch of other users. It sucks having to change gears on people because something happened that you didn't anticipate.
Also, you may want to consider setting up your system to chroot people in SSH. If you don't they will have the ability to browse all around your machine, which may not be what you want.
I wish I could give you more info on this, but I'm still trying to figure it out myself. If you used an FTP server, you could more easily setup chrooted environments for each user. Running FTP, you don't have to worry about user bob being able to see user john's files, because you already said that wasn't required and the FTP server will seperate them easily.
You could setup FTP for the individual users and they can upload/download/modify stuff in each of their home direcories, and you could give the leader's SSH access and make them members of everyone's group like you said. This way, you cut down on the number of people tooling around your box, and you probably already trust your leaders enough.
Only downside is... your users are sending usernames/passwords in the clear using normal FTP, but I've never had a problem with this. I've got tons of users on cleartext FTP and have never been broken into. I think the concensus must be that because these are unprivlidged users, they don't have the rights to do very much on the system, so why break into thier accounts. THey have nothing worth stealing that a quick restore from backup couldn't fix.
Other users may disagree with me on these points, arguing that SSH is the only way to go, but these are just my views... do whatever you feel is best. After all, it's YOUR box.
Thanks, I think your right I just have to get started and play with it until it does what I want it to do. As long as my current thinking was right then i'm at least half way there. Thanks for the help!!