We have a RHEL server that multiple users access through an application. The RStudio application running on these servers defaults the workspace to the user's /home folder. Though there is separate space provided for individual users, users tend to store their files in /home, filling up /home.
Is there any possibility to restrict users from storing data to their home folders either at server level or R Studio level which would force them to use the provided location?
Though there are options to change the default workspace for all the users, due to the large number of teams each having their sensitive data, it is not possible to have a shared folder as default location.
You could create a group without write permissions on home folder and start rstudio through the command sg, which allows you to start it with the group id with reduced permissions.
The ls -l command displays directory contents in long format. The long format contains both permissions and ownership.
# ls -l
With chown you can change owner and group associated to a file/directory (-R == recursive)
# sudo chown -R user01:groupA Directory
By setting the owner and the single group, the others will have restrictions (if set) in accessing files / folders.
The chmod command is used to modify the various permissions/restrictions.
# sudo chmod -c ug=rwx,o= file1
Specifically:
-c == report if the change is made
u == user
g == group
rwx == read, write, execute
o == others
=null == no permission
To create a new group you can use groupadd
# sudo groupadd rstudiogroup
You will have to set the new group created as the owner of the save destination folder and finally start the software through the command sg
# sudo sg rstudiogroup -c rstudio
Related
I want to give specific users permissions to specific folders, with different levels of permissions (Read, Write, Execute) in Linux. And to do the same for some groups.
For example I want to give the user: sigmundlucas permissions (Read, Write) for promotional_material
Another example is that I want to give the group: testers permissions (execute) for development_project_data_directory
I need to do all of this from the root account as the folders in question don't allow permission to use chmod when signed into the user
I need to add that multiple groups/users need to access some of the files
This is normally accomplished with chown and groups!
Make some groups for your users to be members of
Then chown the directory to be :<group>
For example
groupadd mygroup # create a new group
usermod -aG mygroup myuser # add the group to the user's info
chown :mygroup target_directory # set the group to own the directory
chmod 770 target_directory # root and the group can enter/read/write
You can calculate the chmod with a website like https://chmod-calculator.com/ if you're not used to the numbers
Gotchas
directories need to be executable to be entered
users must be able to read all the intermediate paths to somewhere you want them to be able to write
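The two gotchas above can be checked mechanically by walking a path and looking at the execute (search) bit of every directory on the way. This is an added example, not part of the answer; the function name path_blockers is made up, and it assumes GNU stat and plain mode bits (ACLs are not consulted).

```shell
#!/bin/sh
# Added example: list every directory on the way to a target that lacks the
# execute (search) bit for one permission class, outermost directory first.
# Usage: path_blockers /abs/path g|o     (g = group bits, o = other bits)
# Run it as a user that can stat every component (root for an audit).
path_blockers() {
    p=$1
    case $2 in
        g) bit=0010 ;;
        o) bit=0001 ;;
        *) echo "class must be g or o" >&2; return 2 ;;
    esac
    blockers=""
    while :; do
        if [ -d "$p" ]; then
            m=$(stat -c '%a' "$p") || return 2     # octal mode, e.g. 750
            if [ $(( 0$m & $bit )) -eq 0 ]; then
                # Prepend, so the final list reads from / down to the target.
                blockers="$p ($m)
$blockers"
            fi
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    printf '%s' "$blockers"
    [ -z "$blockers" ]      # status 0 only when nothing blocks the class
}

# Constructed demo: "a" is closed to others, so "a/b" is unreachable for them
# even though "a/b" itself is mode 755.
demo=$(mktemp -d); mkdir -p "$demo/a/b"
chmod 755 "$demo" "$demo/a/b"; chmod 750 "$demo/a"
path_blockers "$demo/a/b" o || true
rm -rf "$demo"
```

A directory listed here has to be opened up (or the user moved into its group) before any permission set on the target itself takes effect.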
As a web developer I always have the problem when updating PHP (and other) files from an SSH client, because I am logged in as a user or simply root.
After that update I always have to run manually from a terminal 'chown -R apache:apache *' to make the files accessible.
I tried to make a user ID and add it to the group 'apache' and add the apache user to the group of my user id. That works only for existing files on the server file system, because newly created files have permissions rwxr--r-- which does not allow writing by my user even as it is in the 'apache' group.
I'd like to make a login (shell is not needed) for the Apache user, so I can use an SSH based file browser like Forklift to login as Apache or use sshfs to mount as Apache user.
Another way is to set a umask so that files newly created by my user id from an sshfs mount or a file browser (mounted with my user id, not root) have permission rwxrwxr-- (i.e. 0775) by default.
Is there a way I can upload files to the server (updating existing or creating new ones) without having to worry about permissions by Apache?
You have to set the setgid
For example, do the following steps:
adduser hugo
addgroup apache
usermod -a -G apache hugo
mkdir /tmp/example
chown hugo:apache /tmp/example
chmod g+s /tmp/example
su hugo
cd /tmp/example
touch my_file
ls -l
I have a few directories with files on a Debian 9 system. I want to disable the privilege to read these directories for everyone other than the owner, but I want to let some users list files in these directories only through my own bash script.
I changed the privileges on the directories and on my script, but I get "permission denied" when I try using it. I understand why, but can't fix it.
OKAY after we had a small chat I understand the following:
that you (your user is called user0) have a directory with some files in it, and you have a special category of users (user1, user2 ... usern) on your machine that you want to give access to this folder. First you must create a group, called for example "cowboys", to which the users who will be privileged to read and execute the folder will be added.
# create the group cowboys
groupadd cowboys
# add user1, user2, etc. to the group (usermod accepts one login per call)
for u in user1 user2; do usermod -a -G cowboys "$u"; done   # list every user up to usern
Let's say the folder that you want to give access to is called "/somehow/there/dictionary"
So after you created the folder and joined it, you chown it to you and the group cowboys
chown user0:cowboys /somehow/there/dictionary
In the next step you must chmod the folder in a way that you can read (400), write (200) and execute (100), cowboys can read (40) and execute (10), and the rest of the world can do nothing (0).
chmod 750 /somehow/there/dictionary
The last step is that you now must chmod the files in the directory
1) The executable files you must chmod very similar to the way you chmod the folders, because folders need to have "executable" rights for one to "cd" in the folder
chmod 750 /somehow/there/dictionary/*
2) the non executable files you will chmod like this :
chmod 640 /somehow/there/dictionary/*
and this should do the trick.
I was wondering if anyone could explain a bit on Linux permissions for me. I have two groups
Group A - Normal Users
Group B - File Changing group
I want group B to be pretty much exactly the same as group A other than group B are able to change 'message of the day' how could I set it so they have write access to MOTD and group A only have read access?
With ordinary UNIX u-g-o permissions, you can only assign a single UNIX group to any given file. In your case, since "normal users" presumably means "all users", you could just chmod the MOTD file to 664 (group read-write, all read-only), and chown it to root:file_changers (file owned by root, and assigned to the file_changers group).
With Linux ACLs, you can assign multiple groups to a file. Not all filesystems support ACLs. You can use setfacl to alter the permissions:
setfacl -m g:regular:r motd
setfacl -m g:file_changers:rw motd
Note that, in my opinion, ACLs can often be overkill. They can make permission management a hassle if you aren't prepared for them. Consider carefully if you need them; otherwise, stick to the simpler UNIX permission system.
Solution without ACLs:
You can move the motd file in a directory that is readable by group A and make the file writable by group B. Then place a symlink in place from the original location to the new location.
Example (assuming motd is in /etc/motd):
# mkdir /etc/motd-dir
# mv /etc/motd /etc/motd-dir/
# chown :groupA /etc/motd-dir
# chown :groupB /etc/motd-dir/motd
# chmod 750 /etc/motd-dir
# chmod 664 /etc/motd-dir/motd
# ln -s /etc/motd-dir/motd /etc/motd
This solution requires that all members of group B must also belong to group A so they can access the directory.
I followed this link to change group/user permission to add myself to the www-data group
but I am still unable to edit contents in /var/www, especially with uploaded content.
This is my development environment; I don't want to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www, what are the steps to change /var/www directory permissions to be able to edit contents directly from an IDE?
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I logged in/out after making these changes. It seems straightforward that if I am a user in a certain group I should get whatever permissions they hold.
Please help resolve this issue.
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way, to check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here led to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for debianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options, neither of which should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownership of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
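The group-writable + setgid directory from option 2 (also the basis of the earlier chmod g+s and umask 0002 answers) drifts when files are copied in with another group or created under umask 022. The following audit is an added example, not code from any of the posts; the function name and finding labels are made up, and it assumes GNU stat and find.

```shell
#!/bin/sh
# Added example: audit a shared directory for the setgid + group-write setup.
# Prints one finding per line; returns 0 only when the directory and
# everything under it match that setup.
audit_shared_dir() {
    dir=$1; rc=0
    mode=$(stat -c '%a' "$dir") || return 2     # octal mode, e.g. 2775
    dgid=$(stat -c '%g' "$dir")                 # numeric gid of the directory
    # 02000 is the setgid bit: new entries inherit the directory's group.
    if [ $(( 0$mode & 02000 )) -eq 0 ]; then
        echo "NO_SETGID $dir (mode $mode)"; rc=1
    fi
    # 0020 is group write: without it group members cannot create files here.
    if [ $(( 0$mode & 0020 )) -eq 0 ]; then
        echo "DIR_NOT_GROUP_WRITABLE $dir (mode $mode)"; rc=1
    fi
    found=$(
        # Entries created before setgid was set, or moved in with their
        # old group, still carry the wrong group.
        find "$dir" -mindepth 1 ! -type l ! -gid "$dgid" \
            -printf 'WRONG_GROUP %p\n'
        # Entries created under umask 022 (644/755) cannot be edited by
        # the group; umask 0002 yields 664/775.
        find "$dir" -mindepth 1 ! -type l ! -perm -020 \
            -printf 'NOT_GROUP_WRITABLE %p\n'
        # A subdirectory without setgid stops group inheritance below it.
        find "$dir" -mindepth 1 -type d ! -perm -2000 \
            -printf 'SUBDIR_NO_SETGID %p\n'
    )
    if [ -n "$found" ]; then printf '%s\n' "$found"; rc=1; fi
    return $rc
}

# Constructed demo in a scratch directory (no root needed).
demo=$(mktemp -d)
chmod 2775 "$demo"
( umask 0002; touch "$demo/ok.php" )       # 664: group can edit
( umask 0022; touch "$demo/stale.php" )    # 644: group cannot edit
audit_shared_dir "$demo" || true           # reports stale.php only
rm -rf "$demo"
```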