Old 08-12-2015, 08:30 AM   #1
taylorkh
File permissions & Group membership questions - Ubuntu 15.04


It has been many years since I did any user administration and most of that was in Banyan Vines, Oracle, Windoze network and MVS. But I have done enough in Unix/Linux that I should know this (clutch slipping in brain perhaps :-) I am helping a friend to set up his home/family PC with Ubuntu Mate 15.04 and the basic idea is to keep the kids' accounts separated so that brother and sister cannot poke into each other's stuff and still to allow the parents access when necessary - ideally without resorting to root (pappa) permissions. My first attempt did not work as desired so I have fallen back to a test machine to do some development. Here is what I have:

User moe is the administrator - created during install. User larry is the next account created (using the Ubuntu Mate Users and Groups gui). I noticed that each user's default group - by the same name as the user - was empty. I noticed the same thing on my CentOS 6 machine so I guess this is "normal." In any event, I added users moe and larry to group larry.

I observe the following
Quote:
moe@vmStooges:/home$ ll /home
.
drwxr-xr-x 2 larry larry 4096 Aug 12 08:38 larry/
With these permissions any user can cd into larry's stuff. This is what I wish to prevent so I execute
Quote:
chmod 750 /home/larry
which results in the permissions
Quote:
drwxr-x--- 2 larry larry 4096 Aug 12 08:38 larry/
Group larry has read and execute permissions to /home/larry so that moe, being a member of group larry, should be able to cd into the directory. However,
Quote:
moe@vmStooges:/home$ cd larry/
bash: cd: larry/: Permission denied
I have confirmed the membership of the larry group
Quote:
moe@vmStooges:~$ cat /etc/group | grep larry
larry:x:1001:moe,larry
I am obviously missing something here. Oftentimes I will discover the issue just by defining the question in a post. Not this time, I am afraid. Help!

TIA,

Ken

p.s. I do not like the permissions scheme to which Ubuntu defaults so I guess I need to tweak the umask - but that will come after I have the above situation sorted.
 
Old 08-12-2015, 09:13 AM   #2
HMW
Hmm... [scratches head], what are the permissions on /home? Should be:
Code:
drwxr-xr-x   4 root root  4096 jun  9 14:29 home
Also, could you post the output of:
Code:
$ groups moe
Best regards,
HMW
 
Old 08-12-2015, 09:29 AM   #3
taylorkh
Thanks HMW. As requested
Quote:
drwxr-xr-x 4 root root 4096 Aug 12 08:38 home/

moe : moe adm cdrom sudo dip plugdev lpadmin sambashare larry
Permissions on /home look OK and moe is a member of group larry. It should not be this hard.

Ken
 
Old 08-12-2015, 01:01 PM   #4
HMW
Quote:
Originally Posted by taylorkh
It should not be this hard.
No. It shouldn't.

I more or less copied your situation on my Manjaro machine:
Code:
$ ls -l /home
totalt 36
drwxrwx--T  3 root   ftpgroup  4096 04.04.2015 13:25 ftp/
drwxr-x---  5 larry  larry     4096 12.08.2015 19:47 larry/
drwx------  2 root   root     16384 01.03.2015 16:15 lost+found/
drwxr-x---  6 moe    moe       4096 12.08.2015 19:46 moe/
drwxrwx--t  3 root   users     4096 08.03.2015 19:40 usersdir/
I also added user moe to group larry with:
Code:
$ sudo usermod -a -G larry moe
And it looks as it should:
Code:
$ groups moe
larry moe
I can also cd into larry's home:
Code:
[moe@manjaro ~]$ cd /home/larry/
[moe@manjaro larry]$ ls
Larrys_home
But I cannot cd into larry's home with user franz:
Code:
[franz@manjaro ~]$ cd /home/larry/
bash: cd: /home/larry/: Permission denied
I have never added or deleted users with a GUI program, so I know nothing about that, nor have I much experience with Ubuntu as of late.

Perhaps the easiest would be to delete the users and start over. Because, as you wrote, it shouldn't be that hard!

Best regards,
HMW
 
1 members found this post helpful.
Old 08-12-2015, 02:38 PM   #5
taylorkh
Thanks again HMW!

My involvement in user admin was generally in BATCH mode. For example when we were taking a new version of a LARGE enterprise work management/supply chain suite live one weekend. Needed to remove from 5 - 10 profiles (permissions for the old version of the app) from about 2500 MVS/Top Secret user accounts and replace them with a similar number for the new version of the app. As I was supposed to do I gave the Help Desk/User Admin crew the first refusal on the job. They wanted 6 weeks to do it. I told them the project schedule had a 30 minute window for the removals at the start of the weekend and a 30 minute window at the end when we were ready to go live and let the users back in. What a bunch of crying and excuses by their management. Finally I got permission to do it.

I queried the security database, dumped the report to a data set, ftp(ex) it to my PC, parsed it with FoxPro (my favorite tool) and created two scripts of the profile by profile, user by user top secret commands to remove the old and add the new profiles. I ftp(ed) these back to the mainframe and notified my co-worker in the IT Security unit (who had permission to make the changes). At the appointed time he ran a script and accomplished the 6 weeks of User Admin work in less than a minute. After that if a change impacted more than a handful of users or profiles, User Admin would punt and pass the ticket to me.

As to this three stooges issue... Let me try creating the users and groups etc. manually. I will post my results - probably tomorrow.

Thanks again for all of your effort.

Ken
 
Old 08-12-2015, 02:55 PM   #6
descendant_command
Has moe logged out and in since changing the groups?
 
1 members found this post helpful.
Old 08-12-2015, 02:58 PM   #7
taylorkh
I couldn't wait so I gave it a try. Here is the latest with my newly, manually created user curly
Quote:
root@vmStooges:/home/moe# ll /home/
total 20
drwxr-xr-x 5 root root 4096 Aug 12 15:43 ./
drwxr-xr-x 22 root root 4096 Aug 11 15:14 ../
drwxr-x--- 2 curly curly 4096 Aug 12 15:43 curly/
drwxr-x--- 15 larry larry 4096 Aug 12 08:50 larry/
drwxr-x--- 20 moe moe 4096 Aug 11 17:15 moe/
The group curly contains users curly and moe. curly by default and moe added manually.
Quote:
moe@vmStooges:/home$ groups moe
moe : moe adm cdrom sudo dip plugdev lpadmin sambashare larry curly
The issue persists
Quote:
moe@vmStooges:/home$ cd /home/curly/
bash: cd: /home/curly/: Permission denied
 
Old 08-12-2015, 03:07 PM   #8
taylorkh
And for my next trick I added larry to group curly. larry CAN cd to /home/curly! It seems there is something "special" about the first account created on the machine during Ubuntu installation. I wish software vendors would not try to be helpful and simplify things. Let me look around and see if I can find anything unique about the first account. I seem to vaguely recall something weird about the first account created in XP. I would install with a dummy account, create my account and then delete the dummy. I do not remember the details.
 
Old 08-12-2015, 03:11 PM   #9
taylorkh
Thanks descendant_command. Of course he has not. That would be too simple. Actually I might have shut down and restarted the virtual machine. Testing now...

That did the trick! With my newly created curly account and larry... I did a su larry which of course caused the latest group memberships to be read. I guess I can stick a fork in this one. It is time for dinner anyhow.

Thanks again to both of you for your input.

Ken
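
The resolution above (group changes only reach a session when it logs in again) can be checked directly. This is an added example, not code posted by anyone in the thread: it compares the groups recorded in the group database with the groups the running shell actually holds. The function names and the sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example. `groups moe` / `id -Gn moe` read the group database
# (/etc/group), while a bare `id -Gn` reports the groups the running
# process holds, which were fixed when that session logged in.

# missing_groups DB_LIST SESSION_LIST
# Print the groups that appear in DB_LIST but not in SESSION_LIST.
missing_groups() {
    out=""
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                    # session already holds it
            *) out="${out:+$out }$g" ;;     # granted on disk, not in session
        esac
    done
    printf '%s\n' "$out"
}

# check_session: run it in the shell that gets "Permission denied".
# Returns 0 if the session is current, 1 if stale, 2 if a lookup fails.
check_session() {
    user=$(id -un 2>/dev/null) || return 2
    db=$(id -Gn "$user" 2>/dev/null) || return 2
    session=$(id -Gn) || return 2
    stale=$(missing_groups "$db" "$session")
    if [ -n "$stale" ]; then
        echo "$user: session lacks group(s): $stale"
        echo "log out and back in, or start a fresh login (su - $user)"
        return 1
    fi
    echo "$user: session groups match the group database"
}

# Constructed sample modelled on the thread: the database already lists
# larry for moe, but moe's shell was started before the change.
SAMPLE_DB="moe adm cdrom sudo dip plugdev lpadmin sambashare larry"
SAMPLE_SESSION="moe adm cdrom sudo dip plugdev lpadmin sambashare"
missing_groups "$SAMPLE_DB" "$SAMPLE_SESSION"
```

Running `check_session` as moe before logging out would have reported larry as missing from the session even though `groups moe` already listed it.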
 
  

