Linux/Raspberry pi user restricted to one directory - linux

I am trying to set up a user for my Raspberry Pi which is restricted to one file. This means that on this file the user has all permissions (rwx), but on all other files and directories he has no permissions, not even read.
I need this because I want to lend my raspi incl. code to someone else. The one file is my code's config file which the person should be able to change for testing purposes. But I do not want to show my code and other settings.
I tried to set up a user and a group but this means I have to change all files/directories on the raspi. I simply want to restrict the user.
Thanks for any help.
muleque

sudo useradd -m $USERNAME
This will provide you a new user with whatever name you replace $USERNAME with. This user will have access to their own home directory and you can place this file that you want them to have access to here, /home/$USERNAME.
If you want to further restrict this user's access to the rest of the machine you can create a chroot jail which means they can access nothing apart from this directory. There are many options for how to perform this but if the user will access the raspberry pi over SSH here is a simple example.
https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/
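
sshd's ChrootDirectory option only accepts a jail whose every path component is a root-owned directory that is not writable by group or others, so the user's own home directory cannot be the jail itself. The check below is an added example, not from the answer or the linked article; the function name `check_chroot_path` and the `/home/jail` layout are assumptions, and `stat -c` is the GNU/BusyBox form.

```shell
#!/bin/sh
# Added example. Assumed layout (hypothetical paths):
#   /home/jail          root:root 755   <- ChrootDirectory
#   /home/jail/config   owned by the restricted user, holds the one file
#
# check_chroot_path DIR [UID]
#   Walk from DIR up to / and report the first component that is not owned
#   by UID (default 0 = root) or that is writable by group or others.
#   Returns 0 if the whole path is acceptable, 1 if not, 2 on usage errors.
check_chroot_path() {
    want_uid=${2:-0}
    [ -d "$1" ] || { echo "not a directory: $1"; return 2; }
    dir=$(cd "$1" && pwd -P) || return 2
    while :; do
        uid=$(stat -c '%u' "$dir") || return 2
        mode=$(stat -c '%a' "$dir") || return 2
        if [ "$uid" != "$want_uid" ]; then
            echo "owned by uid $uid, not $want_uid: $dir"
            return 1
        fi
        # 022 = write bit for group (020) plus write bit for others (002)
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $dir"
            return 1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    echo "ok"
}
```

Run it as `check_chroot_path /home/jail` before pointing ChrootDirectory at the directory; the first offending component is printed.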

Related

problem making file automatically readable to another user?

The user wants all files he creates from now on to be automatically readable by user sparrow, but by no other user. How can he ensure that this happens the next time he logs in?
I assume the user who created the file should be able to read it as well. I will call him "creator". I further assume that the files should be owned by "creator".
The solution depends on your distribution. If every user has its own group, e.g. group "sparrow" for user "sparrow" only, you can use this group "sparrow" instead of "coworker". If all users share a common group, e.g. "users", you could create a new group that is assigned to user "sparrow" and optionally also to user "creator" as a secondary group. I call this group "coworker".
To make sure that new files get assigned this group "coworker" you can chgrp coworker somedirectory and chmod g+s somedirectory for every directory where "creator" might create files for "sparrow".
You might have to use umask as well to make sure the newly created files are readable for the group. You also must make sure the directory permissions grant user "sparrow" read and execute access (or at least execute access).
If the user creating the files is sparrow:
Edit their shell config (.bash_profile or whatever is appropriate for their shell) and add a umask command:
umask 077
This disables read/write/execute permissions for group/other, for all new files and directories created. (Note this doesn't prevent those permissions from being changed later, it just sets the initial values.)
If the user creating the files is not sparrow:
There is no way to automatically do what you desire. I think the closest you can come is to create a new group, make that group the default for both users, and then set this user's umask to 007.
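
The setgid bit and the umask values mentioned in the answers above can be tried out in a scratch directory. This is an added example, not part of either answer; the function name `shared_dir_demo` is made up, it uses one of the caller's existing groups rather than creating `coworker`, and `stat -c` is the GNU/BusyBox form.

```shell
#!/bin/sh
# shared_dir_demo UMASK
#   Create a scratch directory with the setgid bit, create a file in it under
#   the given umask, and print "<file mode> <group inherited: yes|no>".
shared_dir_demo() {
    dir=$(mktemp -d) || return 1
    # Prefer the last group the caller belongs to (a secondary group if there
    # is one); if chgrp is refused, keep the group the directory already has.
    gid=$(id -G | awk '{print $NF}')
    chgrp "$gid" "$dir" 2>/dev/null || gid=$(stat -c '%g' "$dir")
    chmod 2770 "$dir" || { rm -rf "$dir"; return 1; }   # 2000 = setgid
    # Subshell, so the umask change does not leak into the caller.
    ( umask "$1" && : > "$dir/report.txt" ) || { rm -rf "$dir"; return 1; }
    mode=$(stat -c '%a' "$dir/report.txt")
    fgid=$(stat -c '%g' "$dir/report.txt")
    rm -rf "$dir"
    if [ "$fgid" = "$gid" ]; then echo "$mode yes"; else echo "$mode no"; fi
}

for m in 077 027 007; do
    echo "umask $m -> $(shared_dir_demo "$m")"
done
# 077 -> 600: owner only, the group gets nothing
# 027 -> 640: the group may read
# 007 -> 660: the group may read and write
```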

Cygwin user name without domain

I am working on a windows machine that is maintained by our IT department. My user account me lives in a domain dom, which leads to my cygwin user name being dom+me. This is inconvenient because my user name is just me on all other machines that I want to talk to with ssh and so on. Is there a way to remove or hide the dom+ part from cygwin?
Some additional details: My cygwin home directory is /home/me, so that part is fine. Whoami replies dom+me, ssh asks for dom+me's password if I do not specify a user name.
ssh can be told to override the default user name by adding the following lines to the file ~/.ssh/config:
Host *
User me
Afterwards, ssh and scp use the default user name me.

How can I automatically save the SSH_CLIENT at login?

I want to save the user's IP when he connects to his home folder. This is because I'm a user on a server where my team has a folder where our public_html is located, but we use the same account, so I just want to register who connected.
So I want to make a script that triggers when a connection is made and saves the user's IP into a hidden file.
But I don't know whether I can leave a script running in the background to do it, and how?
If you're root on that machine, you can simply check the auth log / messages / journal / ... (depends on the distribution). By default sshd logs all you need already.
If you're not root, then you'll have to keep in mind this will never be secure. You can do this in the user's bash profile, but:
Since it's running as the same user, whoever logs in can just change the file (you can't hide it)
Anyone can work around the script by executing some other command instead of the shell (for example ssh user@host /some/command will not be logged)
It's not secret.
If that's ok with you, then you just need to add this to bashrc
echo "new connection at $(date) from ${SSH_CLIENT}" >> ~/your_connection_log
Different solution, which should've been the default actually. Most distributions provide login history which you can request for your account without root privileges.
Running last your_username should give you the details of last few logins which cannot be manipulated by the user. (the log can possibly be spammed with entries however)
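
For the root case, the "Accepted" lines that sshd writes already carry the account and the source address, which is what tells apart people sharing one account. The summary below is an added example over constructed log lines (documentation-range IPs, hypothetical account `team`), not output from the poster's server; where the log lives depends on the distribution.

```shell
#!/bin/sh
# Constructed sample in the usual syslog layout of OpenSSH login messages.
sample_auth_log() {
cat <<'EOF'
Mar  3 09:14:02 web1 sshd[2211]: Accepted password for team from 198.51.100.23 port 40112 ssh2
Mar  3 09:20:41 web1 sshd[2290]: Failed password for team from 203.0.113.9 port 51877 ssh2
Mar  3 10:02:17 web1 sshd[2467]: Accepted publickey for team from 203.0.113.9 port 51902 ssh2
Mar  3 11:45:30 web1 sshd[2703]: Accepted password for deploy from 198.51.100.23 port 40990 ssh2
Mar  4 08:01:55 web1 sshd[3120]: Accepted password for team from 198.51.100.23 port 41200 ssh2
EOF
}

# logins_by_source ACCOUNT   (reads log lines on stdin)
#   Print "<count> <source ip> <last seen>" for every address that
#   successfully logged in to ACCOUNT, most frequent first.
logins_by_source() {
    awk -v acct="$1" '
        {
            # Find the message by keyword, so the result does not depend
            # on how many fields the syslog prefix has.
            for (i = 1; i <= NF - 5; i++)
                if ($i == "Accepted" && $(i+2) == "for" &&
                    $(i+3) == acct && $(i+4) == "from") {
                    ip = $(i+5)
                    count[ip]++
                    last[ip] = $1 " " $2 " " $3
                }
        }
        END { for (ip in count) print count[ip], ip, last[ip] }
    ' | sort -k1,1nr -k2,2
}

sample_auth_log | logins_by_source team
```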

Linux permissions do not update rapidly

I am using Linux. I want only one group to be able to access a folder. I created a group and set the group of that folder to the newly created folder (with the chgrp command), and changed the access to the folder with chmod 070 (only the group can read, write and execute). Finally, I added my user to the newly created folder. In this case I should be able to change directory to that folder, because I am a member of that group.
I cannot access that file, but if I log out of the system and log in again, I can use that folder. Why does this problem occur? Which command must I run to update the user's groups?
It's because things like which groups a user belongs to are read only on login. Once a user has logged in, you can change the user's groups all you want, but it will not be reloaded automatically.
Try:
exec su -l $USER
I think it makes you re-authenticate but should work

Know the username of a user trying to log in

I have a Debian system; when a user tries to log in, a PAM module executes a bash script as root.
I need this script to know who is trying to log in.
But the user isn't connected yet, so basic commands such as users/w/who ... don't work here.
So is there a possibility to retrieve the username of a user trying to log in?
Thank you.
Cyrbil
You can also use /etc/profile or /etc/bashrc to grab the user logging in, I typically have a small script that gets executed via /etc/bashrc that gives me details about the user (who it is, connecting from what IP address etc).
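
If the module in the question is pam_exec, the script does not need to look the user up: pam_exec exports the PAM items to the command it runs as environment variables, among them PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE. The handler below is an added example, not the poster's script; the function name, the log format and the log path are assumptions.

```shell
#!/bin/sh
# Hypothetical body of a script run by pam_exec.
# format_login_attempt prints one log line built from the PAM_* variables
# and returns 1 if PAM_USER is missing or contains unexpected characters.
format_login_attempt() {
    user=${PAM_USER:-}
    # During authentication the name is whatever the client supplied, so it
    # is untrusted input: accept only plain account names (policy of this
    # example) and never pass it unquoted to another command.
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            echo "rejected: unusable PAM_USER"
            return 1 ;;
    esac
    echo "type=${PAM_TYPE:-?} service=${PAM_SERVICE:-?} user=$user rhost=${PAM_RHOST:-local} tty=${PAM_TTY:-?}"
}

# When started by pam_exec, PAM_TYPE is set: append to a log (assumed path).
if [ -n "${PAM_TYPE:-}" ]; then
    format_login_attempt >> /var/log/login-attempts.log
fi
```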
