LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-22-2013, 04:13 PM   #1
wolfsden3
Group and chmod questions


I'm stumped; long-time Linux user, but now I need to restrict some users and it doesn't seem to be working. What I want is for all users to be able to navigate to the top-tier folder "folder1", then, within its subfolders, navigate ONLY to the folder they're a member of.

Folder1 = top level folder, Groups and users:
folder1=root:group_users
group_users=user1,2,3,usera,b,c
group1=user1, usera,userb,userc
group2=user2, usera,userb,userc
group3=user3, usera,userb,userc

foldera=user1:group1 <-- user1,usera,b,and c = access (user2,3 = denied)
folderb=user2:group2 <-- user2,usera,b,and c = access (user1,3 = denied)
folderc=user3:group3 <-- user3,usera,b,and c = access (user2,1 = denied)
folder1 <-- root:group_users, perms:770 <-- root and everyone in group_users = rwxrwx---
--foldera <-- user1:group1, perms 770 <-- user1 and group1 = rwxrwx---
--folderb <-- user2:group2, perms 770 <-- user2 and group2 = rwxrwx---
--folderc <-- user3:group3, perms 770 <-- user3 and group3 = rwxrwx---
Logically it makes sense to me but the root folder in this case seems to be pushing perms down so everyone can rwx to all subfolders of folder1 even though there are more restrictive permissions in those subfolders.

What I'm trying to accomplish is everyone having access to folder1 to rw (I'll worry about x later... what is that, a "4" in chmod?)... but all I want users to do is be able to navigate to the top-level folder, then in the subfolders of folder1 they should ONLY be able to access the folders they're a group member of. In my example there are 3 users who have access to all folders, but each individual user, user1, 2 and 3, can ONLY access their own folder respectively. usera, b, c can get into all of them because they're a group member of each.

As it stands right now though, user1,2,3 can get into each others folders and are not being denied access.

What am I doing wrong or am I thinking about permissions incorrectly?

I'm stumped

Hope all that makes sense.

Last edited by wolfsden3; 09-22-2013 at 04:25 PM. Reason: Had my final foldera,user1:group1 - example all messed up, hard seeing it in html,
 
Old 09-23-2013, 02:12 PM   #2
rtmistler
Seems too complicated to me. Can't the users all be in the same group? Top level is 755, each sub would then be 700. The group and world cannot view the contents of the directory because you need execute permissions to list and therefore view files in a directory which you are not the owner of.

Example all done with the same user by the way, rules still apply:

Code:
me@me-desktop:~/t$ ls
me@me-desktop:~/t$ mkdir temp
me@me-desktop:~/t$ ls
temp
me@me-desktop:~/t$ ls -l
total 4
drwxr-xr-x 2 me me 4096 2013-09-23 15:06 temp
me@me-desktop:~/t$ cd temp
me@me-desktop:~/t/temp$ echo 1 > a.txt
me@me-desktop:~/t/temp$ cat a.txt 
1
me@me-desktop:~/t/temp$ cd ..
me@me-desktop:~/t$ ls -l
total 4
drwxr-xr-x 2 me me 4096 2013-09-23 15:07 temp
me@me-desktop:~/t$ chmod 000 temp
me@me-desktop:~/t$ ls
temp
me@me-desktop:~/t$ ls temp
ls: cannot open directory temp: Permission denied
me@me-desktop:~/t$ cd temp
bash: cd: temp: Permission denied
me@me-desktop:~/t$ chmod 755 temp
me@me-desktop:~/t$ ls temp
a.txt
me@me-desktop:~/t$ cd temp
me@me-desktop:~/t/temp$ ls
a.txt
me@me-desktop:~/t/temp$
 
Old 09-23-2013, 09:09 PM   #3
wolfsden3
Original Poster
Perms on users and groups

Thanks for the reply.

It can't be done with users in the same group.

The scheme is for all users to be able to see the root folder, but then subfolders belong to individual users. Each user folder is separate; NO users can see other users' folder contents. Now, there's one exception: that's the group. There's one group with a different set of users in it (not including the users of each subfolder). Those users are like management users, so the users in the group can read everyone's stuff BUT each user of a folder can't read their stuff.

group_users = management
users = users and separate from each other and everyone

Example:
group1=mamma,pappa,baby

folder1 - jill:group1 <-- Jill and group 1 = access, jack, bear = denied
folder2 - jack:group1 <-- jack and group 1 = access, jill, bear = denied
folder3 - bear:group1 <-- bear and group 1 = access, jill, jack = denied

That's what I'm trying to accomplish: having individual folders without inheriting the root folder permissions down to the subfolders (because this is what seemingly happens) and restricting users' folders to the users themselves plus the management group, which is able to see everything from all users.

Hope that makes more sense.

Last edited by wolfsden3; 09-23-2013 at 09:13 PM. Reason: Added explanation and fixed spelling
 
Old 09-24-2013, 10:24 AM   #4
rknichols
It is not apparent from your description why this isn't working. It would help if you would post the actual output from "ls -ld" for the directories and the outputs from "su - user1 -c id" for some of the user names rather than your interpretation of how you have things set up.

Also, the word "inherit" is generally used to describe the properties that are set at the time something is created, and I don't think that is what you mean here.

One final thought -- this is on a filesystem that supports full Unix-style permissions, right?
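A constructed model of the layout from post #1, added here and not part of any reply, run through the same owner/group/other decision the kernel makes (one class is chosen, then every directory on the path must grant x). It shows that the described setup should already deny user2 in foldera, which is why the replies ask for the real ls -ld and id output; the account names and tree are the poster's, the "odd" directory is an added case, and root (which bypasses mode bits) is left out.

```python
from collections import namedtuple

# Constructed model of the poster's tree and accounts; it imitates the kernel's
# mode check and never touches a real filesystem. Root is not modelled.
Dir = namedtuple("Dir", "owner group mode")
User = namedtuple("User", "name groups")  # groups: primary plus supplementary

TREE = {
    "/folder1":         Dir("root",  "group_users", 0o770),
    "/folder1/foldera": Dir("user1", "group1",      0o770),
    "/folder1/folderb": Dir("user2", "group2",      0o770),
    "/folder1/folderc": Dir("user3", "group3",      0o770),
    # Added case: owner bits empty, group bits full (see class_bits below).
    "/folder1/odd":     Dir("user1", "group1",      0o070),
}
USERS = {
    "user1": User("user1", {"group_users", "group1"}),
    "user2": User("user2", {"group_users", "group2"}),
    "user3": User("user3", {"group_users", "group3"}),
    "usera": User("usera", {"group_users", "group1", "group2", "group3"}),
}
R, W, X = 4, 2, 1

def class_bits(d, user):
    """Pick the one permission class that applies: owner, else group, else other.
    An owner whose owner bits are empty is denied even if the group bits allow."""
    if user.name == d.owner:
        return (d.mode >> 6) & 7
    if d.group in user.groups:
        return (d.mode >> 3) & 7
    return d.mode & 7

def can_access(path, username, want):
    """Every directory on the way must grant x; the target must grant `want`.
    Nothing is pushed down from the parent: each component is checked on its own."""
    user = USERS[username]
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        sub = "/" + "/".join(parts[:i])
        need = want if i == len(parts) else X
        if class_bits(TREE[sub], user) & need != need:
            return False
    return True

if __name__ == "__main__":
    for who in USERS:
        for d in ("/folder1/foldera", "/folder1/folderb", "/folder1/odd"):
            state = "ok" if can_access(d, who, R | X) else "denied"
            print(f"{who:6} {d:18} {state}")
```

If the real box lets user2 into foldera while this model denies it, the actual ownership, mode or group membership (as reported by ls -ld and id, not /etc/group alone, since new memberships need a fresh login) differs from the description.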
 
Old 09-24-2013, 10:49 AM   #5
SAbhi
ACLs may help if you are confused with groups; however, there is nothing to be confused about, but the data you posted is really messy. Can't you post some real data here so that we can actually try to figure out what's happening ...
 
Old 10-03-2013, 08:34 PM   #6
chrism01
As above, the description is a tad confusing ...

However, I believe that what you need is solvable with group owner/perms & ACLs.

Assuming this is what you want
Code:
group_users = management
users = users and separate from each other and everyone

Example:
group1=mamma,pappa,baby

folder1 - jill:group1 <-- Jill and group 1 = access, jack, bear = denied
folder2 - jack:group1 <-- jack and group 1 = access, jill, bear = denied
folder3 - bear:group1 <-- bear and group 1 = access, jill, jack = denied
then it should just work if you add ACLs for the mgrs (use the default ACL option if dirs are nested deeper than shown, e.g. dir1/dir1a/dir1b ...)

It's not clear if you want all mgrs to see all dirs or if jill/jack/bear are the mgrs and only need to see the dirs they own.
In any case, you'll want chmod g+s on the dirs.