I would like to create some users on my ubuntu server. I only want to let the users have read/write access to their home directories, and not be able to read or write to any other user's home directory. Does anyone have a suggestion how to do this? Like is there a way to create a group that has these permissions and then add all the users to the group? Or do I need to create each user, and just grant them only read/write permission on their home directory? I'm new to ubuntu server and when I create a new user, it seems to have all the same permissions that my account does.
First, this question is better suited for Ask Ubuntu, the stack exchange site specifically for ubuntu questions.
To answer your question, I'd recommend reading the ubuntu article on user management, everything you need to know is there. Here are the relevant sections:
To add or delete a personalized group, use the following syntax,
respectively:
sudo addgroup groupname
sudo delgroup groupname
To add a user to a group, use the following syntax:
sudo adduser username groupname
When a new user is created, the adduser utility creates a brand new
home directory named /home/username. The default profile is modeled
after the contents found in the directory of /etc/skel, which includes
all profile basics.
If your server will be home to multiple users, you should pay close
attention to the user home directory permissions to ensure
confidentiality. By default, user home directories in Ubuntu are
created with world read/execute permissions. This means that all users
can browse and access the contents of other users home directories.
This may not be suitable for your environment.
To verify your current user home directory permissions, use the
following syntax:
ls -ld /home/username
The following output shows that the directory /home/username has
world-readable permissions:
drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username
You can remove the world readable-permissions using the following
syntax:
sudo chmod 0750 /home/username
A much more efficient approach to the matter would be to modify the
adduser global default permissions when creating user home folders.
Simply edit the file /etc/adduser.conf and modify the DIR_MODE
variable to something appropriate, so that all new home directories
will receive the correct permissions.
DIR_MODE=0750
After correcting the directory permissions using any of the previously
mentioned techniques, verify the results using the following syntax:
ls -ld /home/username
The results below show that world-readable permissions have been
removed:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
Related
I want to add a user who can only execute a few commands and nothing else, at the same time I have created a shared folder (group) where my files are present. I want the user to only execute the files in the shared folder and restrict him from reading it or opening it and so on.
These are the set of commands I am using to create a restricted user. After these commands I am changing the PATH in the .bash_profile file to $HOME/commands directory.
This is how it looked when I login from the user account
I have added the user to the group using this command: sudo usermod -a -G bbc testuser
Now when I change the home directory to the shared file group using usermod --home /path/to/new/directory testuser, it shows like this when I login through the new user
This has no restriction on the commands being used, although ls and cd commands wont run other commands like nano to see the file content works. I want to restrict this as well
So after this If I try to import a python file in the new user it says 'module not found', this same command works in the ec2-user or root user.
Please help me solve this issue.
Thank you
I have an issue with Linux ACL. Here is my work flow:
Set ACL permissions on empty directory:
sudo setfacl -Rdm g:www-data:rw /var/www/mysite/html/vendor/
Change directory:
cd /var/www/mysite/html/
Install composer packages:
composer install
Verify installed file permissions:
ls -la vendor/
All the newly created files and folders belong to my user group instead of belonging to the www-data group like it should...
drwxrwxrwx+ 3 john john 4096
What am I missing here?
Note: If my user creates a file or a directory, the correct group permission will be applied. The problem only happens with the composer command.
I finally found what I was doing wrong. I was confusing file "ownership" and file "permissions".
setfacl is used to set default "permissions" for files created in a directory. What I actually needed was to set default "ownership". This is done by setting the "setgid flag" with the chmod command after properly setting the directory group and user ownership.
I wanted all newly created files in my project directory to belong to the user "john" and the group "www-data".
chown -R john:www-data /srv/www/myproject
Now we set the "setgid flag" on the directory and all newly created files will belong to john:www-data:
chmod +s /srv/www/myproject
That's all and there's absolutely nothing wrong with setting the www-data group on your served files if you set verything else properly. In fact, the most upvoted anwser related to Laravel file permission on Stackoverflow (800+ upvote) recommends this exact method. Those who disagree never provide a better working solution.
To conclude, Unix permissions is a complicated topic. Few people understand how to properly set permissions on a production server, many fluent programmers are newbies when it comes to Linux. Take answers you read on SO with a grain of salt.
I understand this has most likely been answered but for the life of me cannot figure it out.
What is the problem?
I'm running an nginx server and have the user "www-data" own the web server directory and all of it's contents. I run wordpress so it is important that www-data keeps ownership as if it does not, the wordpress UI will not be able to edit files. I also like to use SFTP but have disabled login for any other user besides my own. Currently, when I want to use FTP to edit files, I have to chown the wp-content directory temporarily to my personal user and then re-chown the directory back to the www-data user when finished.
What is the intended outcome?
Ideally, I'd like to configure the file permissions so that I may edit files within this directory without having to chown between users everytime. Is this possible or would I be better off setting my personal user as a root user?
What have you tried?
I've tried chown-ing the directory to a group that both www-data and my user are in. Example being:
chown -R :www-data /path/to/dir/wp-content/*
Where "www-data" is both the name of the web user, AND the name of a group that contains both users: myuser & www-data. Even after doing so, myuser is not able to edit the files within this directory.
If anyone would be kind enough to educate a fool (me) or refer to myself a proper resource, I'd be very grateful! Thanks for your time :)
You should have a user that has associated group, named after that user. So you can do the following:
sudo chgrp -R YOUR_USER_NAME YOUR_FOLDER
this should change owinging group for the data in your folder and that owning group will be your user's group
Then change the privilige for the group using:
chmod -R g+w YOUR_FOLDER
There's already an answer, but I figure I'll give a detailed one anyway, for everyone's sake :)
I'm running an nginx server and have the user "www-data" own the web server directory and all of it's contents
You see where it fails from the beginning, is that any sensitive files can be served by NGINX, unless denied in specifically in configuration, simply because it owns it. It's not good because it won't use chmod permission model as a way to control what NGINX can serve and what it cannot.
There is only one setup that is secure and proper, and I detail it here.
Specifically, each website must have its own PHP-FPM pool, which runs by a website-specific user.
The webserver user (e.g. www-data or nginx) is the member of all website's usergroups, e.g. nginx is member of wordpress usergroup.
This allows to simply have 0750 (dirs) and 0640 (files) permissions, and have no issues at all.
I have installed jenkins on linux machine and configured it.
As part of automation of build process, I want to copy my war form one directory to another. I tried doing so using the PRE BUILD ACTION and executing shell command.
cp /from directory /to directory
Build fails giving permission denied. I have tried several ways by providing root level permission to the user I log into the jenkins.
Nothing works.
I am not if I am giving permission to the right user or not.
Any help would be highly appreciated.
Please note I am new to LINUX/UNIX.
To find out the user that is starting Jenkins, use whoami in a pre build action and look at the build log to see what user is carrying out the build scripts. It will probably be different than the user that owns the folder you are trying to get jenkins to copy the war into.
Rather than make the user that jenkins is running a root user (a security risk since now your jenkins scripts can perform privileged actions), you can add that user to the same group that the user that owns the folder is in.
Lets say I ran whoami in a jenkins script and the user turned out to be user1, and the user that owns the folder you are trying to copy the war into, user2. You would want to add user1 to the same group that user2 is in, and modify the folder permissions to allow modifications of people in the same group.
To add user1 to the same group as user2:
usermod -a -G user2 user1
Then modify the permission of the folder you want to copy into:
chmod g+w /path/to/directory
My server has both Subversion and Apache installed, and the Apache web directory is also a Subversion working copy. The reason for this is that the simple command svn update /server/staging will deploy the latest source to the staging server.
Apache public web directory: /server/staging — (This is an SVN working copy.)
I have two users on my server, 'richard' and 'austin'. They both are members of the 'developers' group. I recursively set permissions on the /server directory to richard:developers, using "sudo chown -R richard:developers /server".
I then set the permissions to read, write and execute for both 'richard' and the 'developers' group.
So surely, 'austin' should now be able to use the svn update /server/staging command? However, when he tries, he gets the error:
svn: Can't open file '/server/staging/.svn/lock': Permission denied
If I recursively change the owner of /server to austin:developers, he can run the command just fine, but then 'richard' can't.
How do I fix the problem? I want to create a post-commit hook with to automatically deploy the staging site when files are committed, but I can't see a way for that to work for both users. The hook would be:
/usr/bin/svn update /server/staging
Using the same user account for both of them wouldn't really be an acceptable solution, and I'm not aware of any way to run the command inside the hook as 'root'.
Any help is appreciated!
Directory Set Group ID
If the setgid bit on a directory entry is set, files in that directory will have the group ownership as the directory, instead of than the group of the user that created the file.
This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set then any files created in the directory by any of the users will have the permission of the group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to the group spcprj. The directory spcprjdir can be created with the set GID bit set and Kathy and Mark although in different primary groups can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.
The following command will set the GID bit on a directory:
chmod g+s spcprjdir
The directory listing of the directory "spcprjdir":
drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir
The "s'' in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj" .
edit: source = Linux Files and File Permissions
I would set up svnserve which is a simple Subversion server using the svn:// protocol. You can set this up so it runs under its own user account, then the repository would only be accessed by that one user. This user could then have the correct privileges to run svn update /server/staging on a post-commit hook.
in your svn repo, you can find a 'conf' directory where you set permissions. you have 3 files there:
authz
passwd
svnserve.conf
you set in the authz file which users have which kind of acces, per user or per group. you set groups there, SVN groups not linux user groups (hashed lines are comments):
[groups]
# harry_and_sally = harry,sally
projectgroup = richard,austin
# [/foo/bar]
# harry = rw -- user harry has read/write access
# * = -- everybody have no access
# [repository:/baz/fuz]
# #harry_and_sally = rw -- harry_and_sally group members have read/write access
# * = r -- everyone has read access
[/server/staging]
#projectgroup = rw
* = r
work around this example and set your config. in the 'passwd' file you set up users passwords. execute
cat passwd
you'll get commented file with explanation how to set it up.
I use WebDAV - all SVN updates and commits are handled via apache and I never have such problems.