LinuxQuestions.org


tensigh 10-09-2007 01:00 PM

Best way to manage groups
 
This might seem basic, but I need some advice on managing user access in groups.

I want one user to be in a group that will have very limited access. I want another user to have some access but not be as restricted as the first. Here's what I mean:

UserA should have access to /multimedia, UserB should not.
I created a group called admin and put UserA in it. Permissions on /multimedia were dwrxr-xr-x, so UserA had access. But so did UserB.

When I change permission on /multimedia to dwrxr-x---, neither user has access. I did chown -R root:admin to /multimedia, but UserA is still denied access.

Any clues? Basically how to give UserA access to /multimedia but keep UserB totally out?

Thanks.

win32sux 10-09-2007 01:26 PM

If I was you I'd double-check everything to make sure it's the way you picture it. I say this because, AFAICT from reading your post, what you are trying to do should work fine. I've even done the same thing just now on my box to show you that it works:
Code:

win32sux@candystore:/tmp$ sudo groupadd example
win32sux@candystore:/tmp$ sudo useradd -g example -s /bin/bash -m UserA
win32sux@candystore:/tmp$ mkdir /tmp/test
win32sux@candystore:/tmp$ sudo chown root:example /tmp/test
win32sux@candystore:/tmp$ sudo chmod 750 /tmp/test
win32sux@candystore:/tmp$ ls -l /tmp | grep test
drwxr-x--- 2 root  example  48 2007-10-09 13:09 test
win32sux@candystore:/tmp$ ls -l /tmp/test
ls: /tmp/test: Permission denied
win32sux@candystore:/tmp$ sudo su UserA
UserA@candystore:/tmp$ ls -l /tmp/test
total 0
UserA@candystore:/tmp$

I used a group called "example" since I already have one called "admin". I created "UserA" and put him in the example group. Then I gave the directory root:example ownership with mode 750. As you can see, since I (win32sux) am not a member of the group "example", I can't see the directory contents, but "UserA" can.

tensigh 10-09-2007 01:41 PM

I kinda found the problem
 
Thanks for the quick reply.

I found out what the problem is. UserA is both a regular user and a Samba user. When UserA tries to access /multimedia in Linux, it works fine. When UserA tries to access /multimedia via a Windows machine, they're being told "You do not have permission".

I've looked into it and it's a little more complex. I may have to set up a Samba ACL to allow UserA access via Samba. As it is, they do have access at the command line.

Do you have any recommendations? I'll keep looking up Samba ACLs unless you have another suggestion.

win32sux 10-09-2007 01:45 PM

Quote:

Originally Posted by kuriharu (Post 2918666)
Do you have any recommendations? I'll keep looking up Samba ACLs unless you have another suggestion.

I don't know enough about Samba to be of any help.

But surely someone who does will chime in any moment now. Hang in there.

Autocross.US 10-09-2007 03:14 PM

Have you added an entry in smb.conf for this user and directory?

Something like this would work:


# A private directory, usable only by UserA.
[some_share_name]
comment = Share Name
path = /multimedia
valid users = UserA
public = no
writable = no

Restart smb after the change.
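
Added example, not part of the thread: a small Python audit that parses an smb.conf and reports, per share, who may connect, so shares that lack a `valid users` restriction like the one suggested above stand out. The sample configuration is constructed; only `[media]` follows the posted share, and the `scratch` and `docs` shares and their paths are assumptions.

```python
import configparser
import re

# Constructed smb.conf for this example; [media] follows the share posted above.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
# A private directory, usable only by UserA.
[media]
   path = /multimedia
   valid users = UserA
   public = no
   writable = no
[scratch]
   path = /srv/scratch
   guest ok = yes
   read only = no
[docs]
   path = /srv/docs
"""

TRUTHY = {"yes", "true", "1"}

def _flag(opts, names, default):
    """Boolean value of the first synonym present in opts, else default."""
    for name in names:
        if name in opts:
            return opts[name].strip().lower() in TRUTHY
    return default

def audit_shares(text):
    """Map each share to its path, valid users, guest and writable settings."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    # Strip indentation so indented parameters are not read as continuation lines.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = {k: v for s in cp.sections() if s.lower() == "global" for k, v in cp[s].items()}
    report = {}
    for share in (s for s in cp.sections() if s.lower() != "global"):
        opts = {**glob, **dict(cp[share])}  # share settings override [global]
        users = [u for u in re.split(r"[,\s]+", opts.get("valid users", "")) if u]
        writable = _flag(opts, ("writable", "writeable", "write ok"), None)
        if writable is None:  # "read only" is the inverted form; it defaults to yes
            writable = not _flag(opts, ("read only",), True)
        report[share] = {"path": opts.get("path"), "valid_users": users,
                         "guest": _flag(opts, ("guest ok", "public"), False),
                         "writable": writable}
    return report

def unrestricted(report):
    """Shares open to guests or to every Samba account (empty 'valid users')."""
    return [s for s, r in report.items() if r["guest"] or not r["valid_users"]]
```

A share with an empty `valid users` list is reachable by every account that can log in to Samba, so for those shares the directory's owner, group and mode are the only access control left.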

tensigh 10-09-2007 04:16 PM

That Worked!
 
Autocross, that seemed to work. I added that line to each Samba share, and UserA does have access. UserB (who only has shell access) does not. This is just how I wanted it set up.

Thanks a lot!


All times are GMT -5.