Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm stumped. Long-time Linux user, but now I need to restrict some users and it doesn't seem to be working. What I want is for all users to be able to navigate to the top-tier folder "folder1", then navigate ONLY to the subfolder whose group they're a member of.
foldera = user1:group1 <-- user1, usera, b and c = access (user2, 3 = denied)
folderb = user2:group2 <-- user2, usera, b and c = access (user1, 3 = denied)
folderc = user3:group3 <-- user3, usera, b and c = access (user2, 1 = denied)
folder1 <-- root:group_users, perms:770 <-- root and everyone in group_users = rwxrwx---
--foldera <-- user1:group1, perms 770 <-- user1 and group1 = rwxrwx---
--folderb <-- user2:group2, perms 770 <-- user2 and group2 = rwxrwx---
--folderc <-- user3:group3, perms 770 <-- user3 and group3 = rwxrwx---
Logically it makes sense to me but the root folder in this case seems to be pushing perms down so everyone can rwx to all subfolders of folder1 even though there are more restrictive permissions in those subfolders.
What I'm trying to accomplish is everyone having rw access to folder1 (I'll worry about x later... what is that, a "4" in chmod?)... but all I want users to do is be able to navigate to the top-level folder; then, in the subfolders of folder1, they should ONLY be able to access the folders they're a group member of. In my example there are 3 users who have access to all folders, but each individual user (user1, 2 and 3) can ONLY access their own folder respectively. usera, b and c can get into all of them because they're a group member of each.
As it stands right now though, user1,2,3 can get into each others folders and are not being denied access.
What am I doing wrong or am I thinking about permissions incorrectly?
I'm stumped
Hope all that makes sense.
Last edited by wolfsden3; 09-22-2013 at 04:25 PM.
Reason: Had my final foldera,user1:group1 - example all messed up, hard seeing it in html,
Seems too complicated to me. Can't the users all be in the same group? Top level is 755, each sub would then be 700. The group and world cannot view the contents of the directory because you need execute permissions to list and therefore view files in a directory which you are not the owner of.
Example all done with the same user by the way, rules still apply:
Code:
me@me-desktop:~/t$ ls
me@me-desktop:~/t$ mkdir temp
me@me-desktop:~/t$ ls
temp
me@me-desktop:~/t$ ls -l
total 4
drwxr-xr-x 2 me me 4096 2013-09-23 15:06 temp
me@me-desktop:~/t$ cd temp
me@me-desktop:~/t/temp$ echo 1 > a.txt
me@me-desktop:~/t/temp$ cat a.txt
1
me@me-desktop:~/t/temp$ cd ..
me@me-desktop:~/t$ ls -l
total 4
drwxr-xr-x 2 me me 4096 2013-09-23 15:07 temp
me@me-desktop:~/t$ chmod 000 temp
me@me-desktop:~/t$ ls
temp
me@me-desktop:~/t$ ls temp
ls: cannot open directory temp: Permission denied
me@me-desktop:~/t$ cd temp
bash: cd: temp: Permission denied
me@me-desktop:~/t$ chmod 755 temp
me@me-desktop:~/t$ ls temp
a.txt
me@me-desktop:~/t$ cd temp
me@me-desktop:~/t/temp$ ls
a.txt
me@me-desktop:~/t/temp$
The scheme is for all users to be able to see the root folder, but then subfolders belong to individual users. Each user folder is separate; NO users can see other users' folder contents. Now, there's one exception: the group. There's one group with a different set of users in it (it doesn't include the users of each subfolder). Those users are like management users, so the users in the group can read everyone's stuff, BUT each user of that folder can't read their stuff.
group_users = management
users = users and separate from each other and everyone
Example:
group1=mamma,pappa,baby
folder1 - jill:group1 <-- Jill and group 1 = access, jack, bear = denied
folder2 - jack:group1 <-- jack and group 1 = access, jill, bear = denied
folder3 - bear:group1 <-- bear and group 1 = access, jill, jack = denied
That's what I'm trying to accomplish: having individual folders without inheriting the root folder permissions down to the subfolders (because this is what seemingly happens), and restricting users' folders to the users themselves plus the management group, which is able to see everything from all users.
Hope that makes more sense.
Last edited by wolfsden3; 09-23-2013 at 09:13 PM.
Reason: Added explanation and fixed spelling
It is not apparent from your description why this isn't working. It would help if you would post the actual output from "ls -ld" for the directories and the outputs from "su - user1 -c id" for some of the user names rather than your interpretation of how you have things set up.
Also, the word "inherit" is generally used to describe the properties that are set at the time something is created, and I don't think that is what you mean here.
One final thought -- this is on a filesystem that supports full Unix-style permissions, right?
ACLs may help if you are confused with groups, however there is nothing to be confused about; but the data you posted is really messy. Can't you post some real data here so that we can actually try to figure out what's happening...
However, I believe that what you need is solvable with group owner/perms & ACLs.
Assuming this is what you want
Code:
group_users = management
users = users and separate from each other and everyone
Example:
group1=mamma,pappa,baby
folder1 - jill:group1 <-- Jill and group 1 = access, jack, bear = denied
folder2 - jack:group1 <-- jack and group 1 = access, jill, bear = denied
folder3 - bear:group1 <-- bear and group 1 = access, jill, jack = denied
then it should just work if you add ACLs for the mgrs (use default acl option if dirs are nested deeper than shown eg dir1/dir1a/dir1b ...)
It's not clear if you want all mgrs to see all dirs, or if jill/jack/bear are the mgrs and only need to see the dirs they own.
In any case, you'll want chmod g+s on the dirs.
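The following is an added example, not code from this thread or from any of its posters. It models the permission check a Unix kernel makes on a path walk, which is the rule behind the whole discussion: to reach an entry, the caller needs execute (search) permission on every directory along the path, judged by each directory's own owner/group/other bits, and then the final entry's own bits decide read, write and execute. A parent never pushes its bits down, and a more open parent cannot open a closed child. The tree is the second layout the poster described (per-user folders, one management group), with folder1 as root:users 750 and each user folder as user:management 750 with the setgid bit the last reply recommends; the user names, group names and the `users` group are constructed for the example, and POSIX ACLs are not modelled, only mode bits. Applied to the first post's layout (foldera user1:group1 770 with user2 outside group1), the same rule denies user2 as "other", which is why the replies ask for real `ls -ld` and `id` output rather than a description.

```python
"""Model of the Unix mode-bit check on a path walk (added example,
not from the LinuxQuestions thread). Users, groups and the tree are
constructed; ACLs are out of scope, only mode bits and setgid."""

from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # the rwx bits of one permission triplet


@dataclass
class Node:
    owner: str
    group: str
    mode: int                      # e.g. 0o750
    setgid: bool = False           # chmod g+s on a directory
    children: dict = field(default_factory=dict)


@dataclass(frozen=True)
class User:
    name: str
    primary_group: str
    groups: frozenset              # all groups, primary included


def bits_for(user, node):
    """Exactly one triplet applies: owner, else group, else other."""
    if node.owner == user.name:
        return (node.mode >> 6) & 7
    if node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def lookup(user, root, path):
    """Walk `path` from `root`; return the final Node, or None if any
    directory on the way denies search (x) or the entry does not exist.
    The walk stops at the first denial, like a real path lookup."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if not bits_for(user, node) & X:
            return None
        node = node.children.get(name)
        if node is None:
            return None
    return node


def can(user, root, path, want):
    """True if `user` holds every bit in `want` on `path`."""
    node = lookup(user, root, path)
    return node is not None and (bits_for(user, node) & want) == want


def listing(user, root, path):
    """Names `ls` would show: search on the parents, read on the dir itself."""
    node = lookup(user, root, path)
    if node is None or not bits_for(user, node) & R:
        return None
    return sorted(node.children)


def mkdir_as(user, root, parent_path, name, mode):
    """mkdir(2) semantics: write+search on the parent; the new directory's
    group comes from the parent when the parent is setgid (g+s), otherwise
    from the user's primary group. Setgid itself is inherited by subdirs."""
    parent = lookup(user, root, parent_path)
    if parent is None or (bits_for(user, parent) & (W | X)) != (W | X):
        return None
    group = parent.group if parent.setgid else user.primary_group
    new = Node(user.name, group, mode, setgid=parent.setgid)
    parent.children[name] = new
    return new


def build_tree():
    """folder1 is root:users 750 so every ordinary user can pass through it;
    each per-user folder is <user>:management 750 + setgid, so only its
    owner and the management group can look inside."""
    root = Node("root", "root", 0o755)
    folder1 = Node("root", "users", 0o750)
    root.children["folder1"] = folder1
    for name in ("jill", "jack", "bear"):
        folder1.children[name] = Node(name, "management", 0o750, setgid=True)
    return root


# Constructed accounts: two ordinary users, one manager, one outsider.
JILL = User("jill", "jill", frozenset({"jill", "users"}))
JACK = User("jack", "jack", frozenset({"jack", "users"}))
MAMMA = User("mamma", "mamma", frozenset({"mamma", "users", "management"}))
GUEST = User("guest", "guest", frozenset({"guest"}))


def demo():
    root = build_tree()
    return {
        "jill_own": can(JILL, root, "folder1/jill", R | W | X),
        "jack_in_jill": can(JACK, root, "folder1/jill", R | X),
        "jack_sees_names": listing(JACK, root, "folder1"),
        "manager_reads": listing(MAMMA, root, "folder1/jill"),
        "manager_writes": can(MAMMA, root, "folder1/jill", W),
        "guest_blocked_at_top": listing(GUEST, root, "folder1"),
        "setgid_group": mkdir_as(JILL, root, "folder1/jill", "notes", 0o750).group,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and jack can list the names under folder1 (read on folder1) but gets nothing from folder1/jill, because his bits there are the "other" triplet, 0; mamma reads jill's folder through the management group but cannot write to it; guest never gets past folder1; and a directory jill creates inside her folder is born with group management because of the setgid bit, which is what keeps the managers' access working on nested directories without touching each new one by hand.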