I'm mounting a cloud-drive using rclone, and need to access it from a single user, but under different groups.
Use model:
rclone --vfs-cache-mode writes mount MyBoxDrive: ~/MyBoxDrive &
ls ~/MyBoxDrive
newgrp othergroup
ls ~/MyBoxDrive
Last command returns permission denied.
I tried --allow-other flag but it gives write permissions to any user on the the machine
Related
We have a RHEL server where multiple users have access to it through application. Application RStudio running on these servers default the workspace to the users /home folder. Though there is separate space provided for individual users, users tend to store the files onto /home filling up the /home.
Is there any possibility to restrict users from storing data to their home folders either at server level or R Studio level which would force them to use the provided location?
Though there are options to change the default workspace for all the users, due to the large number of teams each having their sensitive data, it is not possible to have a shared folder as default location.
You could create a group without write permissions on home folder and start rstudio through the command sg, which allows you to start it with the group id with reduced permissions.
The ls -l command displays directory contents in long format. The long format contains both permissions and ownership.
# ls -l
With chown you can change owner and group associated to a file/directory (-R == recursive)
# sudo chown -R user01:groupA Directory
By setting the owner and the single group, the others will have restrictions (if set) in accessing files / folders.
The chmod command is used to modify the various permissions/restrictions.
# sudo chmod -c ug=rwx,o= file1
going specifically
-c == report if the change is made
u == user
g == group
rwx == read, write, execute
o == others
=null == no permission
For create a new group you can use groupadd
# sudo groupadd rstudiogroup
You will have to set the new group created as the owner of the save destination folder and finally start the software through the command sg
# sudo sg rstudiogroup -c rstudio
I have a program called HelloWorld belonging to user test
HelloWorld will create a file HelloWorld.pid in /var/run to keep single instance.
I using following command to try to make test can access /var/run
usermod -a -G root test
However, when I run it, falied
could someone help me?
What are the permissions on /var/run? On my system, /var/run is rwxr-xr-x, which means only the user root can write to it. The permissions do not allow write access by members of the root group.
The normal way of handling this is by creating a subdirectory of /var/run that is owned by the user under which you'll be running your service. E.g.,
sudo mkdir /var/run/helloworld
sudo chown myusername /var/run/helloworld
Note that /var/run is often an ephemeral filesystem that disappears when your system reboots. If you would like your target directory to be created automatically when the system boots you can do that using the systemd tmpfiles service.
Some linux systems store per-user runtime files in /var/run/user/UID/.
In this case you can create your pid file in /var/run/user/$(id -u test)/HelloWorld.pid.
Alternatively just use /tmp.
You may want to use the user's name as a prefix to the pid filename to avoid collision with other users, for instance /tmp/test-HelloWorld.pid.
In Unix, if I run a binary which mucks around with files, does the binary have the same file permissions as myself (the user who ran the binary)?
In most of the cases, the answer is yes!
However this is not true if you have setuid, setgid bits enabled on that binary.
Classic example of binary with the setuid enabled.
ls -ltra `which passwd`
That command would not be able to work, if it could not grant you (the user that execute the command) the same privilege as root during its execution to modify files like /etc/password or /etc/shadow
Have a look at:
https://docs.oracle.com/cd/E19683-01/816-4883/secfile-69/index.html
setuid Permission
When set-user identification (setuid) permission is set on an
executable file, a process that runs this file is granted access based
on the owner of the file (usually root), rather than the user who is
running the executable file. This special permission allows a user to
access files and directories that are normally only available to the
owner.
setgid Permission
The set-group identification (setgid) permission is similar to setuid,
except that the process's effective group ID (GID) is changed to the
group owner of the file, and a user is granted access based on
permissions granted to that group. The /usr/bin/mail command has
setgid permissions
You might also want to have a look at fork and exec if you want to dig a bit further into how does Linux manage processes and subprocesses.
I would like to share a folder called 'files' with user1 and user2 in my Linux account. Is there a way to set the authorizations to read write or execute for only these two users and keep it secure from other users?
To my knowledge, it is only possible to do this for a usergroup as a whole.
Thank you
If your Linux has a "modern" filesystem (ext3/ext4,... )you can achieve this with POSIX ACLs:
Enable ACLs for the FS. --> only required for ext3 and ext4 on kernels older than 2.6.38. All other FS with ACL-support have them automatically activated.
mount -o remount,acl /
tune2fs -o acl /dev/<partition>
Give user1 access to the folder files: (r/w/x)
setfacl -m user:user1:rwx /home/philipovic/files
Give user2 access to the folder files: (r/w/x)
setfacl -m user:user2:rwx /home/philipovic/files
If your linux does not support ACLs you have to create a group:
Create a group
Add the desired users to that group
chgrp the directory to that group, and give permissions with chmod:
chgrp groupname /home/philipovic/files
chmod g+rwx /home/philipovic/files
note: in the above examples we are using r/w/x permissions and therefore giving the users/group FULL controll! don't forgett to change them to the desired permission.
-bash-3.2$ man chgrp | head -1
CHGRP(1) User Commands CHGRP(1)
-bash-3.2$ man chown | head -1
CHOWN(1) User Commands CHOWN(1)
following content is from 'man 7 man':
1 Commands
Those commands that can be executed by the user from within a shell.
8 System management commands
Commands like mount(8), many of which only root can execute.
Why CHGRP(1)/CHOWN(1) cannot be used by ordinary user? In my understanding, CHGRP(8)/CHOWN(8) cannot be used by ordinary user.
Letting non-root user to use chown or chgrp would have many problems.
If user were able to chown otheruser ownfile, then after that, he would not be able to access his own file anymore - not good.
If some evil user hijacked your account, he would be able to change permissions on your files such that they are now owned by other user: like evil user or www user. Then, it would be trivial to steal your data.
If any user could successfully call the chown(2) syscall (e.g. thru chrgrp and chown commands) on files not belonging to him, the user-based access protection provided by the Linux kernel would be useless. A malicious user would change ownership of every file whose access is limited to him
Of course, the user could execute the chown command (e.g. by typing /usr/bin/chown file) but if called from an ordinary user these commands will fail (and have a non-zero exit code) because the underlying chown(2) syscall would fail.
NB: as documented, an ordinary user may chgrp to some group he belongs to.
All users can use chgrp change the group of a file they own to other groups they are a member of. Try this, replacing the group name lpadmin with any second group that are in:
touch t; ls -l t; chgrp lpadmin t; ls -l t
The before and after calls to ls will show that the group changed.