LinuxQuestions.org > Ubuntu > Permission question
http://www.linuxquestions.org/questions/ubuntu-63/permission-question-4175443319/

satimis 12-28-2012 09:24 PM

Permission question
 
Hi all,

Ubuntu 12.04 desktop 64bit

I have a /data partition created for keeping data, including VMs of Oracle VirtualBox. /data is owned by root. How do I allow users to run VMs?

1)
Whether to give rwx permission to the users of the group:
$ sudo chmod go+rwx -R /data

$ cat /etc/group | grep data
www-data:x:33:

and add the users allowed to the group:
Code:

www-data:x:33:userA userB userC etc

2)
How to allow userA, userB, userC etc. to run only the VMs owned by them?

Now;
$ ls -al /data/VirtualBox\ VMs/
Code:

total 12
drwxrwxr-x 3 satimis satimis 4096 Dec 29 00:49 .
drwxr-xr-x 7 satimis satimis 4096 Dec 29 00:48 ..
drwx------ 3 satimis satimis 4096 Dec 29 00:52 cloudera
drwx------ 2 satimis satimis 4096 Dec 29 10:50 deb600dk00
etc.

satimis is the Administrator
e.g.
userA owns cloudera
userB owns deb600dk00

3)
How to allow other users, say userX, userY, userZ, to save/read/write their own files on /data, NOT in /home of Ubuntu?

TIA


Regards
satimis

SaintDanBert 12-29-2012 04:54 PM

Read the man-page on 'chmod' and make sure that you understand how folders (directories) treat the executable "X" permission. It is different from how files treat it.

You don't say, but imply that /data is a mount point for a file system. Mount points are folders that have permissions. Once the file system is mounted, there are other permissions that take effect. Read the man-page on 'mount' and make sure that you understand how mount-point permissions work.

With all of that background, consider creating a 'group' that is specific to your VM activities.
For example, I might use a group name of "vmuser" or "vmdata". Add this group to users who will make routine use of your VMs. Set the ownership of your file system to use this "vmuser" or "vmdata" group ID using chown ... root:vmdata /data or similar. With a little more effort, you could use chown ... vmuser:vmdata /data. NOTE -- This is a similar approach to what happens with a web server or database server. Those apps get their own user+group for administration.

I hope this helps. I'll be here if there are more questions.
~~~ 0;-Dan

satimis 12-30-2012 03:17 AM

Quote:

Originally Posted by SaintDanBert (Post 4859218)
...

Hi Dan,

Thanks for your advice.

/data is the partition created during installation of Ubuntu 12.04. It is automatically mounted on booting and owned by root. I don't expect to change its ownership because there is data other than VMs stored on this partition.

What I expect to achieve after migrating the VMs from the OLD HD to the NEW HD is as follows:
1) When the users log in to their accounts on the PC and start VirtualBox, they can only view their own VMs
2) The Administrator can view all VMs after starting VirtualBox

Regards
satimis

SaintDanBert 12-30-2012 11:36 AM

Quote:

Originally Posted by satimis (Post 4859366)
...

I routinely create a group and change the partition mount point and file system ownership to use the new GID. I can then assign users to that group (in addition to whatever else they might do) and set permissions 'g=rwx' on folders with 'g=rw-' on files. Only members of that group can then access that stuff. In your case, users would require g=vmdata for any sort of access to the file system.

Linux also supports access control lists (ACLs) for another layer of access management.
There are two articles that will get you started with ACLs. If you are serious about fine control of access to your folders and files, consider ACLs. They require thought and work to set up, but they pay off quite well in most cases.

Keep us posted,
~~~ 0;-Dan

satimis 12-31-2012 07:37 PM

Hi Dan

Although /data is owned by root, users can read and write the folders/directories created for them on this partition.

I performed the following steps:


1)
login administrator, satimis

(remark: I can't create folders/directories directly from VirtualBox: Preferences -> General -> Default Machine Folder,
because /data is owned by root)

On the terminal:
$ sudo mkdir -p /data/VirtualBox/satimis

$ ls -ald /data/
drwxr-xr-x 8 root root 4096 Dec 31 22:34 /data/

$ ls -ald /data/VirtualBox
drwxr-xr-x 3 root root 4096 Dec 31 22:34 /data/VirtualBox

$ ls -ald /data/VirtualBox/satimis/
drwxr-xr-x 2 root root 4096 Dec 31 22:34 /data/VirtualBox/satimis/

$ cd /data/
$ sudo chown -R satimis:satimis VirtualBox

Importing the VM .ova is without problem. All VMs imported work after changing the network.


2)
log in as userA and create /data/VirtualBox/userA

But I'm not allowed to import its VMs because /VirtualBox is owned by the administrator, regardless of /userA being owned by userA.

Any suggestion? TIA

satimis

SaintDanBert 01-01-2013 10:43 AM

I'm feeling that this is not a "permissions" issue but a VM issue. Let's try to separate things. Try this:
  • log in as root: sudo -i
  • make a top-level folder somewhere: mkdir --verbose /folder
  • set its ownership: chown --recursive --verbose user:group /folder
  • set its permissions: chmod --recursive --verbose perms /folder
  • test to discover who can create, edit, delete folders and files
  • mount a file system onto your folder: mount --types fstype --verbose device /folder
  • test to discover who can create, edit, delete folders and files
(I like to use --verbose for this sort of work so that I get more details to help diagnose whatever happens.)

I hope that this helps,
~~~ 0;-Dan
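The following is an added example, not code from this thread or from VirtualBox. It is a small Python model of the POSIX permission checks behind Dan's "test to discover who can create, edit, delete folders and files" step above, applied to the two layouts the thread discusses: the `sudo chmod go+rwx -R /data` idea from the first post, and Dan's group-based layout (a "vmdata" group owning the VM folder, one sub-folder per user). The account names, UIDs and GIDs, the modes and the second "vmadmin" group are assumptions made for the example, not values from the thread.

```python
"""Model of the POSIX permission checks behind "who can list, create and delete"
in a shared /data tree.  Added example, not code from the thread or from
VirtualBox; accounts, UIDs, GIDs and modes are assumptions chosen to mirror
the layout under discussion."""
import stat
from dataclasses import dataclass, field

VMDATA, VMADMIN = 2000, 3000          # assumed GIDs for the two groups
# name -> (uid, primary gid, all gids).  Assumed accounts, not from the thread.
USERS = {
    "root":    (0,    0,    {0}),
    "satimis": (1000, 1000, {1000, VMDATA, VMADMIN}),   # administrator
    "userA":   (1001, 1001, {1001, VMDATA}),
    "userB":   (1002, 1002, {1002, VMDATA}),
    "userX":   (1003, 1003, {1003}),                    # not a VM user
}

@dataclass
class Node:
    uid: int
    gid: int
    mode: int                          # permission bits incl. setgid/sticky
    children: dict = field(default_factory=dict)
    is_dir: bool = True

def _bits(node, uid, gids):
    """(r, w, x) for this caller.  The owner class applies even if the group
    class is more generous; root bypasses r/w and always has search on a dir."""
    if uid == 0:
        return True, True, node.is_dir or bool(node.mode & 0o111)
    shift = 6 if uid == node.uid else 3 if node.gid in gids else 0
    b = (node.mode >> shift) & 0o7
    return bool(b & 4), bool(b & 2), bool(b & 1)

def _walk(tree, path):
    """Nodes from the root down to `path`; KeyError if a component is missing."""
    nodes = [tree]
    for part in [p for p in path.split("/") if p]:
        nodes.append(nodes[-1].children[part])
    return nodes

def _searchable(nodes, uid, gids):
    return all(_bits(n, uid, gids)[2] for n in nodes)

def can_list(tree, user, path):
    """Every ancestor needs x (search); the directory itself needs r."""
    uid, _, gids = USERS[user]
    *parents, target = _walk(tree, path)
    return _searchable(parents, uid, gids) and _bits(target, uid, gids)[0]

def can_create(tree, user, dirpath):
    """Creating an entry needs w and x on the directory plus x on ancestors."""
    uid, _, gids = USERS[user]
    *parents, target = _walk(tree, dirpath)
    _, w, x = _bits(target, uid, gids)
    return _searchable(parents, uid, gids) and w and x

def can_delete(tree, user, path):
    """Unlink needs w+x on the parent, not on the entry; with the sticky bit on
    the parent only the entry's owner, the parent's owner or root may remove
    it.  (Whether a directory is empty is ignored here.)"""
    uid, _, gids = USERS[user]
    *grandparents, parent, entry = _walk(tree, path)
    _, w, x = _bits(parent, uid, gids)
    if not (_searchable(grandparents, uid, gids) and w and x):
        return False
    if parent.mode & stat.S_ISVTX:
        return uid in (0, entry.uid, parent.uid)
    return True

def new_entry_group(tree, user, dirpath):
    """Group of a newly created entry: the directory's group if setgid is set,
    otherwise the creator's primary group."""
    target = _walk(tree, dirpath)[-1]
    return target.gid if target.mode & stat.S_ISGID else USERS[user][1]

def naive_layout():
    """What `sudo chmod go+rwx -R /data` leaves behind: every directory,
    including each user's own VM folder, ends up mode 777."""
    vms = Node(1000, 1000, 0o777, {
        "cloudera":   Node(1001, 1001, 0o777,
                           {"cloudera.vdi": Node(1001, 1001, 0o666, is_dir=False)}),
        "deb600dk00": Node(1002, 1002, 0o777),
    })
    return Node(0, 0, 0o755, {"data": Node(0, 0, 0o777, {"VirtualBox VMs": vms})})

def group_layout():
    """Group-based layout: /data stays root 755; /data/VirtualBox is root:vmdata
    with setgid+sticky and no "other" access; each per-user folder is
    user:vmadmin 750 so the administrator (a vmadmin member) can read it."""
    vbox = Node(0, VMDATA, 0o3770, {
        "satimis": Node(1000, VMADMIN, 0o750),
        "userA":   Node(1001, VMADMIN, 0o750,
                        {"cloudera.vdi": Node(1001, 1001, 0o600, is_dir=False)}),
        "userB":   Node(1002, VMADMIN, 0o750),
    })
    return Node(0, 0, 0o755, {"data": Node(0, 0, 0o755, {"VirtualBox": vbox})})

if __name__ == "__main__":
    naive, shared = naive_layout(), group_layout()
    for desc, ok in [
        ("naive: userB can write into userA's VM folder",
         can_create(naive, "userB", "/data/VirtualBox VMs/cloudera")),
        ("naive: userB can delete userA's disk image",
         can_delete(naive, "userB", "/data/VirtualBox VMs/cloudera/cloudera.vdi")),
        ("group: userA can create under /data/VirtualBox",
         can_create(shared, "userA", "/data/VirtualBox")),
        ("group: userX (not in vmdata) can create there",
         can_create(shared, "userX", "/data/VirtualBox")),
        ("group: userB can list userA's folder",
         can_list(shared, "userB", "/data/VirtualBox/userA")),
        ("group: satimis can list userA's folder",
         can_list(shared, "satimis", "/data/VirtualBox/userA")),
        ("group: userB can remove userA's folder (sticky bit)",
         can_delete(shared, "userB", "/data/VirtualBox/userA")),
    ]:
        print(f"{ok!s:5}  {desc}")
```

The model shows why the recursive `go+rwx` is the wrong tool: it also opens every user's own VM folder to every other local account, so userB can write into or delete userA's disk image. On a real Ubuntu box the group layout above corresponds to `sudo groupadd vmdata`, `sudo usermod -aG vmdata userA` (the new group only takes effect at the user's next login), `sudo chown root:vmdata /data/VirtualBox`, `sudo chmod 3770 /data/VirtualBox`, and then one `sudo install -d -o userA -g vmadmin -m 750 /data/VirtualBox/userA` per user, after which each user points VirtualBox's Default Machine Folder at their own folder. The setgid bit makes entries created under /data/VirtualBox inherit the vmdata group instead of each user's private group, and the sticky bit stops users removing each other's folders. The "vmadmin" group is one way to let the administrator read every VM without sudo; an ACL entry per folder (the approach Dan points to) is the alternative, and the model deliberately does not cover ACLs.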

satimis 01-01-2013 08:30 PM

Quote:

Originally Posted by SaintDanBert (Post 4860682)
I'm feeling that this is not "permissions" but VM issue.

According to the reply to my posting on the VirtualBox forum:
Code:

Obviously, you will need to deal appropriately with file permissions and the like. VirtualBox will still run like any other program using files, and the same concerns apply. This is basic Linux administration level.

I performed the following step:

$ sudo -i
[sudo] password for satimis:
# mkdir --verbose /folder
Code:

mkdir: created directory `/folder'
# ls -ald /folder
Code:

drwxr-xr-x 2 root root 4096 Jan  2 10:11 /folder
Re:
Quote:

set its ownership chown --recursive --verbose user:group /folder
I'll use "userA" for "user". What shall I replace "group" with?

VirtualBox uses "vboxusers" as group. Thanks

Regards
satimis

SaintDanBert 01-02-2013 06:11 PM

You can use whatever you like as a group name string. "groupA" matches "userA" but "framis" or "berful" or "xyzzy" work just as well.

