User Accounts
Now that I have password protected the BIOS, changed the BIOS settings so the PC will not boot from anything except the master HDD, padlocked the case so the BIOS cannot be reset by changing the jumper, changed the BIOS settings to alert me if the case has been tampered with, and installed Debian on an encrypted file system.
How do I set up a multi-user machine where each user's files, folders, program settings, and temporary files are protected, hidden, and locked from the other users? |
Maybe you should also lock it in a concrete vault guarded by 5 hungry dogs.....;)
Seriously, go into a terminal, su to root, and enter "adduser". The default creation of a new user will do most of what you want. I think the only thing you might need to change is the permissions. Do this in /home, using chmod -R <flags> username. This changes the permissions for the "username" directory and everything inside. |
This is the default in a normal Linux environment. One user would not be able to see another user's /home/username/ directory.
|
Make sure their umask setting masks out the permissions of others. I don't know if the /tmp/kde-<username>/ directory will be private otherwise. Use a umask command in the default /etc/profile file.
|
Quote:
Might need to think about implementing that mission impossible environment, only without the hatch in the ceiling... |
OpenSuSE uses the "users" group as the default group for new users. That is the first thing I fix, even though I'm the only user! It's the principle. You are still using the basic owner/group/permissions model however.
|
Why am I able to see the other user's folder, and why am I able to click through the other user's folders and even open the user's files?
http://img266.imageshack.us/img266/5...eenshothw0.png What I cannot do is edit anything. This is not good default behavior. |
What are the user's permissions in /home? Look at "ls -ld /home/*".
Make sure that the group owner is unique. Make sure that the others' permissions on the directories in /home don't allow any access. Your picture only shows the home directories for the two users. It doesn't show you entering them. Seeing the users' home directories in /home is normal. |
Quote:
chmod -R 0711 /home
user@debian:~$ su
Password:
debian:/home/user# ls -ld /home/*
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
debian:/home/user#
Is that the best way? |
Quote:
d <- Directory
rwx <- Read Write eXecute for User
--x <- eXecute for Group
--x <- eXecute for Everyone
For directory purposes read means being able to list contents, write means delete and create new contents, and execute means you can make the directory your current working directory. For file purposes read means being able to view the contents of the file, write means being able to change the contents of the file, and execute means being able to run the file (binary or script). There are also special permissions you can set additionally, but we'll avoid those for the moment as they're not presently relevant.
For the purposes of what you're looking to do you pretty much want any personally owned directories to be permissions 700 and shared directories (that they don't need to be able to list the contents of) to be 711. For file permissions you're pretty much looking at a unilateral 600. Things won't get really tricky till you attempt to deal with /tmp.
Try this:
chmod 700 /home/user /home/user2
Permissions for files and folders work slightly differently. If you wish to make it so users can't see the home directories you'll have to deny them the ability to get a directory listing for the /home directory or chroot them into their home directory.
chmod 711 /home
Will remove the users' ability to get a directory list in /home but still let them access content under their own directory. Of course, if you are logged in as root or a given program is functioning as root you more or less can do anything you please. Putting a restrictive umask will be necessary if you want to keep things relatively private. It looks like you're using umask 066; you want to use umask 077 most likely.
Code:
me@here$ umask 066 && mkdir foo && touch bar |
you need to set
chmod 755 /home
Please post the output of ls -ltr /home instead of the GUI so that it's easier to see the permissions of the default user home directories and see the users and their groups. All users' home directories must be 700 |
So if I do
umask 0700, will that fix things for when I create further new users? i.e. prevent others from seeing their folders? |
umask usually subtracts like 0700 from 0777 = 0077
other than owner, "group and others can access" |
This is confusing.
I want the users to have secure files and folders which no one else can get to. umask 077? |
Quote:
You should probably also chmod /home to 711 to prevent directory listings there. |
Quote:
755 = drwxr-xr-x
711 = drwx--x--x
755 means:
Owner - List, Create+Delete, Make Working Directory
Group - List, Make Working Directory
Everyone - List, Make Working Directory
711 means:
Owner - List, Create+Delete, Make Working Directory
Group - Make Working Directory
Everyone - Make Working Directory
Being able to change to a directory doesn't necessarily imply the need to be able to list the contents of the directory. The normal permissions for the home directory are 755. However, if you want to prevent your users from being able to see the contents of the home directory you can change that to 751 (if some groups need to be able to see the contents) or 711 (if no one but the owner of the directory needs to see the contents.) |
thanks :) :)
|
Something is not right. I did the above and I got this?
Quote:
What is that? |
I think
chmod -R 0700 /home/ is better. It gives me
linux:/home/user# ls -ld /home/*
drwx------ 12 user user 4096 2008-12-17 21:42 /home/user
drwx------ 2 user2 user2 4096 2008-12-17 21:35 /home/user2
drwx------ 2 user3 user3 4096 2008-12-17 21:36 /home/user3
drwx------ 2 user4 user4 4096 2008-12-17 21:44 /home/user4
drwx------ 2 user5 user5 4096 2008-12-17 21:48 /home/user5
linux:/home/user# ls -ld /home/user/*
drwx------ 2 user user 4096 2008-12-17 21:34 /home/user/Desktop
-rwx------ 1 user user 0 2008-12-17 21:41 /home/user/new file
-rwx------ 1 user user 0 2008-12-17 21:42 /home/user/new file 1
-rwx------ 1 user user 0 2008-12-17 21:58 /home/user/new file 2
drwx------ 2 user user 4096 2008-12-17 21:40 /home/user/untitled folder
drwx------ 2 user user 4096 2008-12-17 21:58 /home/user/untitled folder 1
linux:/home/user#
Which umask value do I need to get all further new user accounts created with the same permissions, and all new files and folders created with the same permissions? |
Hya,
It is not my intention, if anybody thinks I am hijacking. The original post mentions also. How to take care of files under /tmp? Most of the programs are careful enough, but not all. Also, the names there may be indicative of something. Happy Penguins! |
Quote:
If the actual /home directory itself is 700 your users won't be able to access their own home directories. You also don't want to set the execute bit on things that don't need it... so doing a recursive chmod may not be the best idea. Let me demonstrate:
Code:
here:/home# ls -al
Quote:
Directories (700): rwx for owner, nothing for group, nothing for everyone else.
Files (600): rw for owner, nothing for group, nothing for everyone else.
The short version: Set a system-wide umask in /etc/login.defs, /etc/profile, /etc/bash.bashrc or whatever your system supports. I would suggest also setting it in root's .bashrc or whatever rc file is used for your login shell. I would say your current default is set to 066 based on the home directories, but it should be 077. Then to fix your existing permissions ...
chmod 711 /home
chmod 700 /home/user1 /home/user2 /home/user3 /home/user4 /home/user5
As long as the umask is in your system profile then all newly created users will be made with 700 directories and 600 files. Recursive chmod can be problematic... be very very careful with anything recursive. Personally, I prefer being able to select more accurately the files I want when chmoding recursively than chmod itself will allow, so typically I do something like this if I need a recursive change...
find /home/user1 -type d -exec chmod 700 {} \;
find /home/user1 -type f -exec chmod 600 {} \; |
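A small audit script, added here as an example and not code from the thread, that shows what umask 077 versus 066 leaves on new directories and files, and flags any home directory in `ls -ld /home/*` output that group or others can still enter or list. The ls lines it runs on are constructed to match the ones posted above.

```python
"""Added example (not from the thread): compute what umask leaves on new files and
directories, and audit `ls -ld /home/*` output for homes other users can reach."""
import re

DIR_BASE = 0o777   # mode mkdir asks for before umask is applied
FILE_BASE = 0o666  # mode for a new regular file before umask is applied

# One `ls -ld` line: type+perms, links, owner, group, size, date, time, path.
LS_LINE = re.compile(
    r"^([dl-])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$"
)

# Constructed sample: two 0711 homes as in the thread, one 755 default, one fixed.
SAMPLE_LS = """\
drwx--x--x 20 user user 4096 2008-12-17 20:03 /home/user
drwx--x--x 11 user2 user2 4096 2008-12-17 19:56 /home/user2
drwxr-xr-x  2 user3 user3 4096 2008-12-17 21:36 /home/user3
drwx------  2 user4 user4 4096 2008-12-17 21:44 /home/user4
-rw-rw-r--  1 user user 0 2008-12-17 21:41 /home/user/new file
"""


def mode_after_umask(base, umask):
    """'umask subtracts' really means clearing bits: new mode = base & ~umask."""
    return base & ~umask & 0o777


def symbolic_to_octal(perm):
    """Turn the 9-character field from ls -l ('rwx--x--x') into an int (0o711)."""
    if len(perm) != 9:
        raise ValueError("expected 9 permission characters, got %r" % perm)
    mode = 0
    for ch in perm:
        # '-' is unset; 'S'/'T' mean setuid/setgid/sticky set but exec unset.
        mode = (mode << 1) | (ch not in "-ST")
    return mode


def audit_home_dirs(ls_output):
    """Return (path, owner, mode, fix) for every directory group or others can reach."""
    findings = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or m.group(1) != "d":
            continue  # skip files, symlinks and lines that do not parse
        mode = symbolic_to_octal(m.group(2))
        if mode & 0o077:  # any bit set for group or others
            findings.append((m.group(5), m.group(3), mode, "chmod 700 " + m.group(5)))
    return findings
```

Feed it the real output of `ls -ld /home/*` instead of SAMPLE_LS to list which home directories still need the chmod 700 from the post above.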
I've changed umask to 077 in many files, but it is still being overwritten by the default 022. I can't figure out which file is doing the overwriting.
|
Quote:
Shrug. |
Quote:
Code:
cd /etc
Might also want to make changes to umask in /etc/skel/.* files also if any of them are setting it (so newly created users get the correct umask set by default.) This thread is also going on over on the Debian boards; there's some relevant info there that hasn't been posted here yet. http://forums.debian.net/viewtopic.php?p=195859 |
I ran the following after su'ing into root:
grep -i "umask" /etc/*
and
grep -i "umask" ~/.*
and found that there were umask entries in the following files:
/etc/profile
~/.bashrc
I changed the umask entry in /etc/profile from 022 to 077 and commented out the umask entry in ~/.bashrc. Because of the current bug, I added umask 002 to /etc/gdm/Xsession. After restarting the system, I logged in as a standard user, created a file, checked the permissions, and the permissions are set to -rw-rw-r--
What have I missed out? |
Nevermind, got it working by changing 002 to 077 in /etc/gdm/Xsession.
|
Quote:
For what you described umask should be 077 *everywhere* including /etc/profile, /etc/login.defs, /etc/skel/.bashrc, /root/.bashrc, /etc/gdm/Xsession, etc. The fewer programs that can weasel around the umask the better. Someone else mentioned /etc/adduser.conf DIR_MODE and it should be 700. etc... anywhere you can find to set it... set it. |
Quote:
grep -i "umask" /etc/* will only look in the folder /etc/ and grep -i "umask" ~/.* will only look into my home folder. |
Quote:
Code:
grep -iRI "umask" /etc/* | grep -v "/etc/rc[0-9S].d"
Most of the /etc/rcX.d stuff can be safely ignored also. |