LinuxQuestions.org


chris_carr 06-13-2016 02:26 PM

Sub Permissions/Access
 
Ok,

This may be a dumb question, and I could probably google the answer, but I figured you guys may be able to help me a bit faster.


I have a project at work where we are migrating countries from virtual servers to cloud servers. So far so good. No issues. Last week I was tasked with moving a country that was not so straightforward.


The issue is this:

We hold our user files in a custom directory, let's call it "/x/yx/country".

Under that directory are the users home directories "Normally". With their ownership set to

"user:country"


However, on this country there are sub-cities listed under "/x/yx/", so for example there are directories called Houston, Clear Lake, Dallas, etc., to designate which city the users are working out of. So if I go to /x/yx/Dallas I then see the user home directories for that city.


The problem is my users can't log in due to permission denied on the .bash_profile and on their home directories themselves.

On the new server I created a group for the country, but I can't seem to figure out the permissions for the sub-cities.

In /etc/group I made the following:


USA:x:111222: Houston, Clear Lake, Dallas

Thinking that would allow those cities to have access to that country. I was wrong.


I'm not sure if this makes sense at all, but any help would be appreciated.

suicidaleggroll 06-13-2016 02:45 PM

Is "Houston" a group, a user, or just a directory in /x/yx/?
What is the primary group for a user, let's call him "Frank", located in Houston?

The reason I ask is it sounded like the cities are just directories at first, but then you said that you added this to /etc/group:
USA:x:111222: Houston, Clear Lake, Dallas

But that wouldn't make any sense unless "Houston", "Clear Lake", and "Dallas" are users. /etc/group describes which users are members of each group. USA is the group, so what are Houston, Dallas, etc. doing there? What are they?

chris_carr 06-13-2016 02:55 PM

Houston is a group. I'm sorry for the bad explication. I'm trying to word it without making a security risk lol.

The primary group for the user Frank would be Houston. That is how it is set up on the old server. But on the cloud server my boss wants it to be /x/xy/USA/Houston/Frank.

So to clarify, on the original server the location is /x/xy/Houston/Frank.

On the new server it is /x/xy/USA/Houston/Frank.

suicidaleggroll 06-13-2016 03:25 PM

So it sounds like Frank needs to be a member of both the Houston and USA groups, the /x/xy/USA directory should belong to the USA group, and the /x/xy/USA/Houston directory should belong to the Houston group. The confusion came from your /etc/group line; it appears as though you were trying to add a group (Houston) to another group (USA). Groups can't be members of other groups, but your users can be members of both the Houston and USA groups.

chris_carr 06-13-2016 06:19 PM

That makes sense. Is there a way to grant access to Frank without punching him into the /etc/group file? The issue comes that I have 100+ users migrating and I can't add them all to /etc/group.

chris_carr 06-13-2016 06:24 PM

So I just added Frank to USA and Houston, and I still got permission denied errors when trying to su over to him. Only after I blew up the permissions to 777 on /USA/Houston/Frank could I get it to log in.


I should also add that our users don't get a command prompt when they log in. They get a custom in-house menu... I don't know why, but they do.

chris_carr 06-13-2016 06:50 PM

OK, I got it.

I had to change the permission on the /USA directory to 775, changed the city permissions to 765, and the user permissions to 774. This allows the users to log in and see their custom menu.

For ownership, "we use a power user and admin group for country directories":

For USA: chown poweruser:USA

For Houston: chown poweruser:admingroup

For users: chown user:Houston


This may not be the best way to accomplish this, but we also have users that utilize WinSCP to transfer files, and these permissions keep them inside their groups/home directories.

suicidaleggroll 06-13-2016 07:25 PM

Quote:

Originally Posted by chris_carr (Post 5560423)
That makes sense. Is there a way to grant access to Frank without punching him into the /etc/group file? The issue comes that I have 100+ users migrating and I can't add them all to /etc/group.

Why not? You aren't trying to edit /etc/group by hand or something, are you? Just stick gpasswd in a for loop over the user names and you'll have them all in the group in a matter of seconds.


Quote:

Originally Posted by chris_carr (Post 5560430)
OK, I got it.

I had to change the permission on the /USA directory to 775, changed the city permissions to 765, and the user permissions to 774. This allows the users to log in and see their custom menu.

For ownership, "we use a power user and admin group for country directories":

For USA: chown poweruser:USA

For Houston: chown poweruser:admingroup

For users: chown user:Houston


This may not be the best way to accomplish this, but we also have users that utilize WinSCP to transfer files, and these permissions keep them inside their groups/home directories.

Those permissions and ownership are very non-standard and horribly insecure. Is there a reason that EVERY user needs read access to EVERY OTHER user's home directory, or that every user has read/write access to the home directory of every other user in their region??? What purpose does that serve? Why wouldn't you just lock down every home directory to 700 and set up a neutral third-party directory with the necessary permissions for group collaboration? Sharing home directories between users gets very ugly very fast.
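Both replies above (Frank must be a member of both the Houston and USA groups; lock homes down to 700 and share through a separate directory) come down to how the kernel evaluates each component of a path. The model below is an added example, not code from the thread or from any LinuxQuestions poster: it applies the POSIX owner/group/other check to the 775/765/774 layout chris_carr posted and to the 700-home alternative. The user names, the extra users alice and bob, the .bash_profile modes and the upper-level ownership of the locked layout are assumptions.

```python
# Model of the POSIX permission check behind the "permission denied" above.
# Constructed example: the 775/765/774 modes and ownership come from the thread;
# user names, extra users, .bash_profile modes and root ownership are assumed.
R, W, X = 4, 2, 1
NAME = {R: "r", W: "w", X: "x"}

# user -> groups the user belongs to (Frank must be in both Houston and USA)
USERS = {
    "frank": {"Houston", "USA"},
    "alice": {"Houston", "USA"},   # another Houston user (assumed)
    "bob":   {"Dallas", "USA"},    # a Dallas user (assumed)
}

# path -> (owner, group, mode): the layout posted in the thread
THREAD_LAYOUT = {
    "/x/xy/USA":                             ("poweruser", "USA",        0o775),
    "/x/xy/USA/Houston":                     ("poweruser", "admingroup", 0o765),
    "/x/xy/USA/Houston/frank":               ("frank",     "Houston",    0o774),
    "/x/xy/USA/Houston/frank/.bash_profile": ("frank",     "Houston",    0o644),
}

# the locked-down alternative from the reply: 700 homes, group-owned parents
LOCKED_LAYOUT = {
    "/x/xy/USA":                             ("root",  "USA",     0o750),
    "/x/xy/USA/Houston":                     ("root",  "Houston", 0o750),
    "/x/xy/USA/Houston/frank":               ("frank", "Houston", 0o700),
    "/x/xy/USA/Houston/frank/.bash_profile": ("frank", "Houston", 0o600),
}

def allowed(user, entry, bit):
    """Owner, group or other bits, chosen the way the kernel chooses them:
    the first matching class decides and the other two are never consulted."""
    owner, group, mode = entry
    shift = 6 if user == owner else 3 if group in USERS.get(user, set()) else 0
    return bool((mode >> shift) & bit)

def check(user, path, bit, layout):
    """Return (ok, reason). Every ancestor directory needs search (x) before
    the target's own bits matter; ancestors missing from `layout` count as 755."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        if ancestor in layout and not allowed(user, layout[ancestor], X):
            return False, f"no search (x) on {ancestor}"
    if not allowed(user, layout[path], bit):
        return False, f"no {NAME[bit]} on {path}"
    return True, "ok"
```

In the thread's layout every Houston user can read Frank's .bash_profile and every USA user can list his home; in the locked layout only Frank gets past his own 700 directory, and Dallas users are stopped one level higher at Houston.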

chris_carr 06-14-2016 09:35 AM

If I set the user accounts to any other permission setting they can't log in. Yes, it is very non-standard, because we have a very non-standard shop. None of our Linux users use Linux in a traditional way. When they log in they do not get a command prompt. They get a custom menu to do their work. Like an old school GUI. At no point do our users have access to anything we do not want them to. So don't freak on the permissions. Another reason they are set that way is due to my company trying to use old insecure FTP to transfer files from Linux to Windows. So to remedy that I set them up with WinSCP. Again, these permissions are the only way "that I could find" that would log the users into only their home directory once they get in via WinSCP. From there they can back out to other directories, but they can not access anyone's files except their own.

I know this sounds crazy, and that is because it is. My company is in the dark ages right now, and I'm trying to get them to move forward. It's a process.


"Why not? You aren't trying to edit /etc/group by hand or something, are you? Just stick gpasswd in a for loop over the user names and you'll have them all in the group in a matter of seconds."


Because I don't have to. It's one of those things that if I do not have to do it, then why would I bother.

