I want to add a user who can only execute a few commands and nothing else, at the same time I have created a shared folder (group) where my files are present. I want the user to only execute the files in the shared folder and restrict him from reading it or opening it and so on.
These are the set of commands I am using to create a restricted user. After these commands I am changing the PATH in the .bash_profile file to $HOME/commands directory.
This is how it looked when I login from the user account
I have added the user to the group using this command: sudo usermod -a -G bbc testuser
Now when I change the home directory to the shared file group using usermod --home /path/to/new/directory testuser, it shows like this when I login through the new user
This has no restriction on the commands being used, although ls and cd commands wont run other commands like nano to see the file content works. I want to restrict this as well
So after this If I try to import a python file in the new user it says 'module not found', this same command works in the ec2-user or root user.
Please help me solve this issue.
Thank you
Related
I am the sudo user (main_user) of my server (redhat8) and have many user accounts (user1, user2,....).
I can run installed application in server using main_user account but the other users are not able to execute the program or run the application.
** I have installed the applications/programs from main_user account which is not a root user but having sudo previlages.
What can be done to make the application and programs available to other users as well.
What I tried:
I have made alias in both ./bashrc and profile.d/all_user.sh, and source them but no luck.
You can implement sudo. First in /etc/sudoers file add line like:
user1,user2,user2 ALL=/path/to/the/program
If the users above are in specific group you can add something like:
%usergroup ALL=/path/to/the/program
And run the program like:
sudo -u main_user /path/to/the/program
I would like to create some users on my ubuntu server. I only want to let the users have read/write access to their home directories, and not be able to read or write to any other user's home directory. Does anyone have a suggestion how to do this? Like is there a way to create a group that has these permissions and then add all the users to the group? Or do I need to create each user, and just grant them only read/write permission on their home directory? I'm new to ubuntu server and when I create a new user, it seems to have all the same permissions that my account does.
First, this question is better suited for Ask Ubuntu, the stack exchange site specifically for ubuntu questions.
To answer your question, I'd recommend reading the ubuntu article on user management, everything you need to know is there. Here are the relevant sections:
To add or delete a personalized group, use the following syntax,
respectively:
sudo addgroup groupname
sudo delgroup groupname
To add a user to a group, use the following syntax:
sudo adduser username groupname
When a new user is created, the adduser utility creates a brand new
home directory named /home/username. The default profile is modeled
after the contents found in the directory of /etc/skel, which includes
all profile basics.
If your server will be home to multiple users, you should pay close
attention to the user home directory permissions to ensure
confidentiality. By default, user home directories in Ubuntu are
created with world read/execute permissions. This means that all users
can browse and access the contents of other users home directories.
This may not be suitable for your environment.
To verify your current user home directory permissions, use the
following syntax:
ls -ld /home/username
The following output shows that the directory /home/username has
world-readable permissions:
drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username
You can remove the world readable-permissions using the following
syntax:
sudo chmod 0750 /home/username
A much more efficient approach to the matter would be to modify the
adduser global default permissions when creating user home folders.
Simply edit the file /etc/adduser.conf and modify the DIR_MODE
variable to something appropriate, so that all new home directories
will receive the correct permissions.
DIR_MODE=0750
After correcting the directory permissions using any of the previously
mentioned techniques, verify the results using the following syntax:
ls -ld /home/username
The results below show that world-readable permissions have been
removed:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
I have installed jenkins on linux machine and configured it.
As part of automation of build process, I want to copy my war form one directory to another. I tried doing so using the PRE BUILD ACTION and executing shell command.
cp /from directory /to directory
Build fails giving permission denied. I have tried several ways by providing root level permission to the user I log into the jenkins.
Nothing works.
I am not if I am giving permission to the right user or not.
Any help would be highly appreciated.
Please note I am new to LINUX/UNIX.
To find out the user that is starting Jenkins, use whoami in a pre build action and look at the build log to see what user is carrying out the build scripts. It will probably be different than the user that owns the folder you are trying to get jenkins to copy the war into.
Rather than make the user that jenkins is running a root user (a security risk since now your jenkins scripts can perform privileged actions), you can add that user to the same group that the user that owns the folder is in.
Lets say I ran whoami in a jenkins script and the user turned out to be user1, and the user that owns the folder you are trying to copy the war into, user2. You would want to add user1 to the same group that user2 is in, and modify the folder permissions to allow modifications of people in the same group.
To add user1 to the same group as user2:
usermod -a -G user2 user1
Then modify the permission of the folder you want to copy into:
chmod g+w /path/to/directory
On a vagrant box precise64 (ubuntu 12.04)
While creating a user resource with Chef, the home directory is not created:
My recipe:
user "myuser" do
supports :manage_home => true
shell "/bin/bash"
home "/home/myuser"
comment "Created by Chef"
password "myencryptedpassword"
system true
provider Chef::Provider::User::Useradd
action :create
end
When I authenticate:
$ su - myuser
Password:
No directory, logging in with HOME=/
Update - The workaround for precise64 (Ubuntu 12.04 64bit)
directory "/home/myuser" do
owner "myuser"
group "myuser"
mode 00755
action :create
end
While system users usually don't have a home dir, chef will create the home dir even for system users if you specify home. I've tried it, and cannot reproduce the issue.
What is going on is a little bit hidden in the documentation. The chef documentations says:
system | Use to create a system user. This attribute may be used with useradd as the provider to create a system user which passes the -r flag to useradd.
If have a look at the man page of useradd:
-r, --system
Create a system account.
System users will be created with no aging information in /etc/shadow,
and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX
range, defined in >/etc/login.defs, instead of UID_MIN-UID_MAX
(and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such an user,
regardless of the default setting in /etc/login.defs (CREATE_HOME).
You have to specify the -m options if you want a home directory for
a system account to be created.
However, it seems like chef is passing the -m option explicitly if you specify a home dir. I could not reproduce this issue therefore.
Did you add the home attribute to the recipe after the user was already created? When I was first hacking around with creating a system user, I didn't add the :manage_home and home bits to the recipe until after I had run the recipe and verified that the user was created. Subsequent runs of the recipe after adding home directory management and the home attribute didn't actually work until I deleted the user and run the recipe again.
I assume that useradd won't execute again if the user already exists, so adding -m via the recipe wouldn't happen unless and until the user is deleted and the recipe re-runs against a clean system and sends useradd -rm.
I was able to reproduce this problem and work around it.
The hint was in the chef docs for the user resource.
"[homedir] will be created unless CREATE_HOME in /etc/login.defs is set to no". On a fresh Ubuntu install that line did not exist. Perhaps it defaults to no if missing.
In /etc/login.defs I added:
CREATE_HOME yes
Once that was added my chef run would complete and create the homedir allowing my to then modify contents of the user homedir. This method may be simpler than manually creating homedirs for each user.
What I'm basically trying to do is allow jenkins access my android-sdk-linux folder and all the sub-directories. My boss does not want to change permissions on the folder himself. I am supposed to do it during the build process. I have seen some examples that run some commands in the execute shell during the build process. Is there some commands that can I can run in that execute shell so that jenkins can have read write and execute authority on my android-sdk-linux folder?
As bcolfer said, you should be able to just run your shell commands with "sudo" in front of it. You will want to be sure that the user that started the Jenkins slave is a sudoer.
As root, run "visudo", this will open the /etc/sudoers file. At the bottom add a line similar to this if it is not a current sudoer:
jenkins ALL=(ALL) NOPASSWD: ALL
"Jenkins" being the user that started the slave.
OR
You could try adding the user to the group that owns that directory. IF you run "ls -l" you should be able to see the permissions and then the user, and the group that owns the directory. Once you know the group, as root run:
usermod -a -G group Jenkins
"Jenkins" being the user that started the slave, and "group" being the actual group name.
One possibility is to use sudo to run commands that specifically target those files. There are a bunch of ways to manage the sudo privileges limit and log what actions happen on those files.