I have few directories with files on debian 9 system. I want to disable privilege to read these directories for everyone than owner, but I want to let some users list files in this directories only by my own script in bash.
I change privileges to directories and to my script but i get "permission denied" when i try using it. I understand why, but cant fix it.
OKAY after we had a small chat I understand the following:
that you (your user is called user0) have a directory with some files in it, and you have a special category of users (user1,user2...usern) on your machine that you want to give access to this folder. First you must create a group called for example "cowboys" witch the users who will be privileged to read, and execute the folder will add.
# create the group cowboys
groupadd cowboys
# add user1, user2, etc to the group
usermod -a -G cowboys user1 user2 .... usern
Lets admit your folder that you want to give access to is called "/somehow/there/dictionary"
So after you created the folder and joined it, you chown it to you and the group cowboys
chown user0:cowboys /somehow/there/dictionary
in the next step you must chmod the folder it in a way that you can read(400) write(200) and execute(100), cowboys can read(40) and execute(10) and rest of the word can nothing(0).
chmod 750 /somehow/there/dictionary
the last step is that you now must chmod the files in the derectory
1) The executable files you must chmod very similar to the way you chmod the folders, because folders need to have "executable" rights for one to "cd" in the folder
chmod 750 /somehow/there/dictionary/*
2) the non executable files you will chmod like this :
chmod 640 /somehow/there/dictionary/*
and this should do the trick.
Related
I want to give specific users permissions to specific folders, with different levels of permissions (Read, Write, Execute) in Linux. And to do the same for some groups.
For example I want to give the user: sigmundlucas permissions (Read, Write) for promotional_material
Another example is that I want to give the group: testers permissions (execute) for development_project_data_directory
I need to do all of this from the root account as the folders in question don't allow permission to use chmod when signed into the user
I need to add that multiple groups/users need to access some of the files
This is normally accomplished with chown and groups!
Make some groups for you users to be members of
Then chown the directory to be :<group>
For example
groupadd mygroup # create a new group
usermod -aG mygroup myuser # add the group to the user's info
chown :mygroup target_directory # set the group to own the directory
chmod 770 target_directory # root and the group can enter/read/write
You can calculate the chmod with a website like https://chmod-calculator.com/ if you're not used to the numbers
Gotchas
directories need to be executable to be entered
users must be able to read all the intermediate paths to somewhere you want them to be able to write
I have a directory at
/home/ec2-user/vertica1
and I'm trying to get user dbadmin all privilages in that folder.
I've done chown to dbadmin and chmod 777 on that folder but dbadmin still gets a permission denied error.
If I put sudo in front of the command(I put dbadmi in sudoers), then it works. Why can't I get it to work without sudo?
Can dbadmin traverse /home/ec2-user? Try doing chmod a+x /home/ec2-user
There could be more reasons for being denied, like a specific acl or a LSM but this is the most likely cause.
UNIX permissions on directories
The UNIX permissions rwx¹ work on directories as follows:
r: You can view the contents of the directory (the names of the files or folders inside)
w: You can create new files, delete or rename existing files.
x: You can traverse the folder.
The traverse permission means that you can access the folder children (assuming you know its name -which you can obtain if you also have read permission-).
In this case dbadmin could read and traverse / as well as /home, but /home/ec2-user probably had a mode like drwx------ 2 ec2-user in order to protect its contents. Thus, even if you had an important file readable by anyone deep inside your home folder, other users can't get into it, since they wouldn't be able to go pass /home/ec2-user (which is exactly what you wanted to do, in this case).
¹ Note that I am skipping over the more exotic ones.
what is the result of ls -la for this dir and also parent dir? Maybe the directory doesn't have read permissions for your user.
sudo chmod ug+r vertica1
Also ec2-user directory should be writable by the user dbadmin.
I don't know very much about different privilege level.
What is the minimum user level required to run node.js, if all I need to do is serve static pages, in a directory.
Likewise, what is the minimum user level required for the dropbox daemon to run in node.js ?
EDIT: For example, in this guide: https://www.linode.com/docs/security/securing-your-server/
One creates a new user to administer the system using this command:
usermod -a -G sudo exampleuser
How does one create a low level, less privileged user that Dropbox or node.js can run as ?
EDIT: I'm not sure which folders to set what file permissions. I wan't Dropbox to be able to run and modify the contents of its folder. I wan't node.js to also have permission to read and execute files in that folder.
A lower level user would not be part of the sudo group. In general you need read access to any files, but not necessarily write.
Typically it is best practice to create a generic user with its own group in isolation.
Then you would setup a directory tree for just that user with its files.
You can either make the files group readable for the special group or world readable. The directories will also need execute permissions.
For the situation you are describing, I would run dropbox as a separate user as well and then make the dropbox folder either group or world readable. The dropbox user should also not be part of the sudo group.
Let's say you have 3 users:
Your primary login user called "user"
node user
dropbox user
Each user is in its own group with the same name. I'll assume your dropbox folder is named ~/Dropbox.
chown -R dropbox:node ~/Dropbox
find ~/Dropbox -type d | xargs chmod 750
find ~/Dropbox -type f | xargs chmod 640
mkdir ~/node
# copy files in here
chown -R node:node ~/node
find ~/node -type d | xargs chmod 750
find ~/node -type f | xargs chmod 640
Note that this turns off the executable bit on all binaries, so you may have to manually fix those. Also note that chmod and chown both require root permissions to modify other user files, so you'll probably need to add some sudo to those commands, but it was already getting long.
This question already has answers here:
How do I change permissions for a folder and its subfolders/files? [closed]
(19 answers)
Closed 4 years ago.
I have a web directory /www and a folder in that directory called store.
Within store are several files and folders. I want to give the folder store and all files and folders within the store folder all permissions.
How do I do this? I am guessing via .htaccess.
If you are going for a console command it would be:
chmod -R 777 /www/store. The -R (or --recursive) options make it recursive.
Or if you want to make all the files in the current directory have all permissions type:
chmod -R 777 ./
If you need more info about chmod command see: File permission
If by all permissions you mean 777
Navigate to folder and
chmod -R 777 .
You can give permission to folder and all its contents using option -R i.e Recursive permissions.
But I would suggest not to give 777 permission to all folder and it's all contents. You should give specific permission to each sub-folder in www directory folders.
Ideally, give 755 permission for security reasons to the web folder.
sudo chmod -R 755 /www/store
Each number has meaning in permission. Do not give full permission.
N Description ls binary
0 No permissions at all --- 000
1 Only execute --x 001
2 Only write -w- 010
3 Write and execute -wx 011
4 Only read r-- 100
5 Read and execute r-x 101
6 Read and write rw- 110
7 Read, write, and execute rwx 111
First Number 7 - Read, write, and execute for the user.
Second Number 5 - Read and execute for the group.
Third Number 5 - Read and execute for others.
If your production web folder has multiple users, then you can set permissions and user groups accordingly.
More info :
Understanding File Permissions: What Does “Chmod 777″ Mean?
What file permissions should I set on web root?
Why shouldn't /var/www have chmod 777
You can also use chmod 777 *
This will give permissions to all files currently in the folder and files added in the future without giving permissions to the directory itself.
NOTE: This should be done in the folder where the files are located. For me it was an images that had an issue so I went to my images folder and did this.
Yes, very right that the -R option in chmod command makes the files/sub-directories under the given directory will get 777 permission. But generally, it's not a good practice to give 777 to all files and dirs as it can lead to data insecurity. Try to be very specific on giving all rights to all files and directories. And to answer your question:
chmod -R 777 your_directory_name
... will work
for mac, should be a ‘superuser do’;
so first :
sudo -s
password:
and then
chmod -R 777 directory_path
This didn't work for me.
sudo chmod -R 777 /path/to/your/file/or/directory
I used -f also.
sudo chmod -R -f 777 /path/to/your/file/or/directory
I'm a little bit confused with Linux permissions. I'm configuring a Git Central Repository that the users access by SSH. I'm using Filesystem ACLs(link) and regular linux permissions. What I intend to do is:
Find a way in that only the users that I want will be able to list/read/write/execute the dir "/var/github" (in a way that I assign a group to the user that I want to give this kind of permissions)
The user "git" is the only user that can create new folders in "/var/github"
This is possible to do? Somes clues on how to do it?
Best Regards,
chown git:git /var/github; chmod 750 !$
Now only the group git can read the folder and only the user git can modify it.
You can use access control lists to grant access to multiple groups. Here's an example session (using Ubuntu, but it should be the same for CentOS) that gives the grp1 group read access and the grp2 group read, write and execute access:
$ touch foo
$ setfacl -m "g:grp1:r--,g:grp2:rwx" foo
$ getfacl foo
# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::rwx
other::r--
Make sure that along with the user "git" that there is a "git" group. Add all the users to the group that you will give access to. Change the ownership properties of your directory to user and group git, and then the permission of 750. The ownership and mode commands are as follows:
chown git:git /var/github
chmod 750 /var/github
The permission of 750 lets the user do pretty much anything in the folder and only the members of the group "git" read and possibly execute in that folder. What programs and commands you use for your user management is up to you.