A user wants all files he creates from now on to be automatically readable by user sparrow, but by no other user. How can he ensure that this happens the next time he logs in?
I assume the user who created the file should be able to read it as well. I will call him "creator". I further assume that the files should be owned by "creator".
The solution depends on your distribution. If every user has their own group, e.g. group "sparrow" for user "sparrow" only, you can use this group "sparrow" instead of "coworker". If all users share a common group, e.g. "users", you could create a new group that is assigned to user "sparrow" and optionally also to user "creator" as a secondary group. I call this group "coworker".
To make sure that new files get assigned this group "coworker", you can run chgrp coworker somedirectory and chmod g+s somedirectory for every directory where "creator" might create files for "sparrow".
You might have to use umask as well to make sure the newly created files are readable for the group. You also must make sure the directory permissions grant user "sparrow" read and execute access (or at least execute access).
If the user creating the files is sparrow:
Edit their shell config (.bash_profile or whatever is appropriate for their shell) and add a umask command:
umask 077
This disables read/write/execute permissions for group/other, for all new files and directories created. (Note this doesn't prevent those permissions from being changed later, it just sets the initial values.)
If the user creating the files is not sparrow:
There is no way to automatically do what you desire. I think the closest you can come is to create a new group, make that group the default for both users, and then set this user's umask to 007.
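The two answers above combine a setgid directory (so new files inherit the shared group) with a umask (so the group keeps read access while "other" gets nothing). The following script is an added example, not code from either answer: it builds such a directory, creates files under several umasks and reports the resulting mode bits. Creating a real "coworker" group needs root, so the demo uses the caller's own primary group; the function names and the temporary-directory setup are this example's own.

```python
"""Added example: how a setgid directory and the creating process's umask
together decide the group and mode of new files (Linux/macOS)."""
import os
import stat
import tempfile


def setup_shared_dir(path, gid):
    """Create PATH owned by group GID with mode rwxr-s--- (2750).

    The setgid bit makes every file created inside inherit GID instead of the
    creator's primary group, which is what `chgrp coworker dir; chmod g+s dir`
    in the first answer achieves.  Returns the directory's mode bits.
    """
    os.makedirs(path, exist_ok=True)
    os.chown(path, -1, gid)                      # keep owner, set group
    os.chmod(path, stat.S_ISGID | 0o750)         # group may enter, "other" may not
    return stat.S_IMODE(os.stat(path).st_mode)   # 0o2750


def create_with_umask(directory, name, mask):
    """Create an empty file under DIRECTORY while the process umask is MASK.

    Returns (mode, gid) of the new file.  The previous umask is restored in
    the finally block so the caller's environment is unchanged.
    """
    path = os.path.join(directory, name)
    old = os.umask(mask)
    try:
        # 0o666 is what most programs request; the kernel then clears the umask bits.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode), st.st_gid


def mode_under_umask(mask):
    """Permission bits a new file receives under MASK in a shared setgid directory."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")
        setup_shared_dir(shared, os.getgid())    # own primary group stands in for "coworker"
        mode, gid = create_with_umask(shared, "note.txt", mask)
        assert gid == os.stat(shared).st_gid     # group inherited from the directory
        return mode


def shared_dir_mode():
    """Mode bits of a freshly prepared shared directory (expected 0o2750)."""
    with tempfile.TemporaryDirectory() as tmp:
        return setup_shared_dir(os.path.join(tmp, "shared"), os.getgid())


if __name__ == "__main__":
    print("shared dir mode: %04o" % shared_dir_mode())
    for mask in (0o022, 0o027, 0o077, 0o007):
        print("umask %03o -> new file mode %03o" % (mask, mode_under_umask(mask)))
```

Umask 027 gives the answer's "readable for the group, nothing for others"; umask 077 (second answer) locks files to the owner only, and umask 007 is the shared-group variant the second answer suggests when the creator is not sparrow. Note that the directory itself must stay group-executable (the 2750 above) or sparrow cannot reach the files regardless of their mode.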
I am trying to set up a user for my Raspberry Pi which is restricted to one file. This means that on this file the user has all permissions (rwx), but on all other files and directories he does not have any permission, not even read.
I need this because I want to lend my Raspberry Pi, including the code, to someone else. The one file is my code's config file, which the person should be able to change for testing purposes. But I do not want to show my code and other settings.
I tried to set up a user and a group, but this means I have to change all files/directories on the Raspberry Pi. I simply want to restrict the user.
Thanks for any help.
muleque
sudo useradd -m $USERNAME
This will give you a new user with whatever name you replace $USERNAME with. This user will have access to their own home directory, and you can place the file that you want them to have access to there, in /home/$USERNAME.
If you want to further restrict this user's access to the rest of the machine, you can create a chroot jail, which means they can access nothing apart from this directory. There are many options for how to perform this, but if the user will access the Raspberry Pi over SSH, here is a simple example.
https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/
I'm using ApacheDS as the directory server for applications like Gogs (a Git server like GitLab). My idea is to create groups like gogs-users and restrict the login to that group, so that only users who are members of that group are able to log in. I have created a groupOfNames for this and a testuser, which is added to the gogs group.
The type of gogs-users is groupOfNames and it has an attribute member which contains the DN of my user (uid=testuser,ou=Users,DC=example,DC=com). So I'm able to see, who is a member of this group.
But I would like to see all groups a user is a member of. When I open the testuser, I see no attribute that could tell me that he's a member of gogs-users. I remember that the proprietary Active Directory had an attribute called memberOf which was queryable in a filter like (&(objectClass=inetOrgPerson)(memberOf=CN=gogs-user,DC=example,DC=com)). That would be exactly what I need.
How can I get this in a free LDAP implementation? I see no way except defining a custom attribute, which I would have to maintain by hand. That's not good; I would like to have an automated solution that takes care of that attribute.
Things I already tried
https://stackoverflow.com/a/34502363/3276634 No changes
https://morenews.blogspot.de/2010/12/adding-active-directory-properties-to.html No changes, too
Note: I did a complete reset after each schema import to make sure that my tests are not influenced by previous changes.
Here are queries that will go either way but ONLY work for Microsoft Active Directory:
Resolves all members (including nested) of security groups (requires at least Windows 2003 SP2):
(memberOf:1.2.840.113556.1.4.1941:=CN=gogs-user,DC=example,DC=com)
And
All Groups a User is a member of including Nested Groups
(member:1.2.840.113556.1.4.1941:=CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET)
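On a server without memberOf, the same information is recoverable from the groups' own member attributes: search for groups whose member value equals the user's DN, then walk group-in-group nesting yourself, which is what the AD-only matching rule 1.2.840.113556.1.4.1941 in the answer does server-side. The script below is an added example, not part of the question or the answer: the directory content is constructed, the GroupIndex class and helper names are this example's own, and no LDAP library is used (in production the GROUPS dictionary would be filled from a (member=...) search against ApacheDS). It also builds the search filter with RFC 4515 escaping, so a DN containing parentheses or asterisks cannot alter the filter.

```python
"""Added example: application-side memberOf for groupOfNames directories, with
nested-group resolution and a safely escaped LDAP search filter."""
import collections

# Constructed directory content: group DN -> values of its "member" attribute.
# gogs-users contains a user and a nested group; admins contains gogs-users.
GROUPS = {
    "cn=gogs-users,ou=Groups,dc=example,dc=com": [
        "uid=testuser,ou=Users,dc=example,dc=com",
        "cn=developers,ou=Groups,dc=example,dc=com",
    ],
    "cn=developers,ou=Groups,dc=example,dc=com": [
        "uid=alice,ou=Users,dc=example,dc=com",
    ],
    "cn=admins,ou=Groups,dc=example,dc=com": [
        "cn=gogs-users,ou=Groups,dc=example,dc=com",
    ],
}


def _norm(dn):
    # DNs compare case-insensitively and ignore whitespace after commas; this
    # simplified normalisation is enough for the demo (not a full RFC 4514 match).
    return ",".join(part.strip() for part in dn.split(",")).lower()


class GroupIndex:
    """Forward (group -> members) and reverse (member -> groups) lookup tables."""

    def __init__(self, groups):
        self.members = {_norm(g): {_norm(m) for m in ms} for g, ms in groups.items()}
        self.parents = collections.defaultdict(set)
        for group, members in self.members.items():
            for member in members:
                self.parents[member].add(group)

    def groups_of(self, dn, nested=True):
        """memberOf for DN: its direct groups, plus their parents when nested.
        The seen set also terminates on circular group membership."""
        seen, todo = set(), [_norm(dn)]
        while todo:
            current = todo.pop()
            for group in self.parents.get(current, ()):
                if group not in seen:
                    seen.add(group)
                    if nested:
                        todo.append(group)
        return seen

    def members_of(self, group_dn, nested=True):
        """Every DN reachable through GROUP_DN's member attribute (users and groups)."""
        seen, todo = set(), [_norm(group_dn)]
        while todo:
            current = todo.pop()
            for member in self.members.get(current, ()):
                if member not in seen:
                    seen.add(member)
                    if nested and member in self.members:
                        todo.append(member)
        return seen

    def authorized(self, user_dn, required_group):
        """The login check from the question: is USER_DN (transitively) in REQUIRED_GROUP?"""
        return _norm(required_group) in self.groups_of(user_dn)


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def member_filter(user_dn, nested=False, object_class="groupOfNames"):
    """Filter asking the server for the groups of USER_DN.

    nested=True selects the AD-only matching rule from the answer; on ApacheDS
    keep nested=False and resolve the chain client-side with groups_of().
    """
    attr = "member:1.2.840.113556.1.4.1941:" if nested else "member"
    return "(&(objectClass=%s)(%s=%s))" % (object_class, attr, escape_filter_value(user_dn))


if __name__ == "__main__":
    index = GroupIndex(GROUPS)
    alice = "uid=alice,ou=Users,dc=example,dc=com"
    print("alice memberOf:", sorted(index.groups_of(alice)))
    print("gogs-users login allowed for alice:", index.authorized(alice, "cn=gogs-users,ou=Groups,dc=example,dc=com"))
    print("search filter:", member_filter(alice))
```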
I am using Linux. I want only one group to be able to access a folder. I created a group and set the group of that folder to the newly created group (with the chgrp command), and changed the access to the folder with chmod 070 (only the group can read, write and execute). Finally, I added my user to the newly created group. In this case I should be able to change directory to that folder, because I am a member of that group.
I cannot access that folder, but if I log out of the system and log in again, I can use the folder. Why does this happen? Which command must I run to update the user's groups?
It's because things like which groups a user belongs to are read only at login. Once a user has logged in, you can change the user's groups all you want, but they will not be reloaded automatically.
Try:
exec su -l $USER
I think it makes you re-authenticate, but it should work.
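The situation the answer describes is easy to detect: compare the group list the running session carries (what id -Gn shows) with what /etc/group currently grants. The script below is an added example, not code from the answer; missing_groups() works on /etc/group-style text, demo_stale() feeds it a constructed file in which "alice" was added to "coworker" after logging in, and live_check() runs the same comparison against the real system for the current user. Function names are this example's own.

```python
"""Added example: detect supplementary groups that /etc/group grants but the
current login session has not picked up yet."""
import grp
import os
import pwd


def supplementary_groups(user, group_file_text):
    """Group names whose member field in /etc/group-style text lists USER."""
    found = set()
    for line in group_file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # name:password:gid:member,member,...
        if len(fields) < 4:
            continue
        members = [m for m in fields[3].split(",") if m]
        if user in members:
            found.add(fields[0])
    return found


def missing_groups(session_groups, user, group_file_text):
    """Groups granted in the file that the session does not carry.

    A non-empty result means the answer's advice applies: the user needs a new
    login (or a fresh login shell via `exec su -l $USER`) before the group
    takes effect.
    """
    return supplementary_groups(user, group_file_text) - set(session_groups)


def demo_stale():
    """Constructed scenario: alice was added to "coworker" after logging in."""
    group_file = (
        "users:x:100:\n"
        "coworker:x:1001:alice,bob\n"
        "sudo:x:27:alice\n"
    )
    session = ["users", "sudo"]          # what `id -Gn` showed at login time
    return missing_groups(session, "alice", group_file)


def live_check():
    """Compare this process's groups with the real /etc/group (Unix only)."""
    user = pwd.getpwuid(os.getuid()).pw_name
    session = set()
    for gid in os.getgroups():
        try:
            session.add(grp.getgrgid(gid).gr_name)
        except KeyError:                 # gid with no /etc/group entry
            pass
    with open("/etc/group") as f:
        return missing_groups(session, user, f.read())


if __name__ == "__main__":
    print("constructed demo, stale groups:", sorted(demo_stale()))
    print("this session, stale groups:", sorted(live_check()))
```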
The setup:
X users, each using an instance of an MS Access front-end MDE which connects to a single back-end MDB.
User-Level access/permission controls in place (e.g. Users, Trusted-Users, Admins).
All changes are made via the Tool->Security->etc. MS Access menu options.
All security is stored in a single secure.mdw file, to which all MDB instances connect.
The problem:
When modifying a particular group's permissions (e.g. Trusted-Users) - say, from being allowed to modify queries to not being allowed to modify queries - the change works on the MDB instance where the change was made (as expected), but not on the other instances (i.e. MDB instances on the other PCs). Basically, after the change is made, if we then go to one of the other instances and log in as an Admin, we see that the permissions for the group (Trusted-Users) have not changed.
Interestingly (back on the first MDB instance), if we move a user out of one group and into another group, then move to another MDB instance, we now see this change HAS propagated to all other instances - thereby indicating they do point to the same MDW file.
Questions:
Is it the case that modifying a group's permissions on one MDB instance does NOT propagate to ALL MDB instances (even though they point to a single MDB file)?
If yes, does this mean we must then re-install EVERY MDB instance after making a change to a group's permissions?
Or instead, is our approach incorrect? Should we modify group permissions in a different way?
If you need any further information let me know.
Many thanks.
"All security is stored in a single secure.mdw file, to which all MDB instances connect."
The workgroup information file (MDW) stores only the definitions of users and groups. Database object permissions are stored in the database which contains those objects. And the database object permissions reference the users and groups defined in the MDW.
So the permissions for your queries are stored in the MDE files. Changing permissions in one MDE has no effect on the other MDE copies.
You can do one of the following:
distribute updated MDE version to your users
execute DDL statements (GRANT/REVOKE) by administrative user in each MDE
"Interestingly (back on the first MDB instance), if we move a user out of one group and into another group, then move to another MDB instance, we now see this change HAS propagated to all other instances - thereby indicating they do point to the same MDW file."
In that case, you changed the definition of that user. Her permissions will now be those granted to her group membership in the current MDE.
Is it possible to set up the Perforce server so that by default users cannot check out a directory, instead of letting everybody update their view spec to exclude that directory?
E.g.: if you would like to check out //code/heavy/stuff you must explicitly add that directory to your view spec, instead of adding a -//code/heavy/stuff line to your spec.
You can install a trigger on the server that generates the default clientspec for a user. With this flexible tool, you can achieve a number of designs. The idea is that when a user creates a new clientspec, the server would fill it in with something other than the default //depot/... mapping for each depot.
One simple idea would be to define the default clientspec to include -//code/heavy/stuff mapping automatically.
Another more advanced idea would be to check to see what groups the user is a member of, and then auto-generate a clientspec appropriate for that user based on his group membership.
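The first idea in the answer can be implemented with a form-out trigger on the client spec: Perforce hands the script the generated form file, and the script rewrites the View field before the user sees it. The script below is an added example, not code from the answer or from Perforce; the form text is a constructed sample, the trigger-table line in the comment and the rule "only touch a view that still has the stock one-line-per-depot mapping" are this example's assumptions, and the depot name "code" and the path //code/heavy/stuff come from the question. The group-based variant in the answer would additionally need a p4 groups lookup from inside the trigger, which is left out here.

```python
"""Added example: a Perforce form-out trigger that adds an exclusion for a heavy
directory to a freshly generated client spec, leaving customised views alone."""
import sys

HEAVY = "//code/heavy/stuff/..."   # directory from the question, as a depot path

# Constructed sample of the form a form-out trigger receives in %formfile%.
SAMPLE_FORM = (
    "# A Perforce Client Specification (constructed sample).\n"
    "\n"
    "Client:\talice-ws\n"
    "\n"
    "Owner:\talice\n"
    "\n"
    "Root:\t/home/alice/ws\n"
    "\n"
    "View:\n"
    "\t//code/... //alice-ws/...\n"
    "\t//depot/... //alice-ws/...\n"
)


def client_name(form_text):
    """Value of the Client: field."""
    for line in form_text.splitlines():
        if line.startswith("Client:"):
            return line.split(None, 1)[1].strip()
    raise ValueError("no Client: field in form")


def parse_view(form_text):
    """Split the form into (lines up to 'View:', tab-indented view lines, rest)."""
    lines = form_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("View:"):
            break
    else:
        raise ValueError("no View: field in form")
    j = i + 1
    while j < len(lines) and lines[j].startswith("\t"):
        j += 1
    return lines[:i + 1], lines[i + 1:j], lines[j:]


def is_default_view(view_lines, client):
    """True when every line is the stock mapping '//<depot>/... //<client>/...'."""
    for line in view_lines:
        parts = line.split()
        if (len(parts) != 2 or not parts[0].startswith("//")
                or not parts[0].endswith("/...") or parts[1] != "//%s/..." % client):
            return False
    return bool(view_lines)


def add_exclusion(form_text, heavy=HEAVY):
    """Append '-heavy <client-side path>' to a default view; return text unchanged otherwise."""
    client = client_name(form_text)
    head, view, tail = parse_view(form_text)
    if not is_default_view(view, client):
        return form_text                      # user already customised the view
    depot = heavy[2:].split("/", 1)[0]        # "//code/heavy/stuff/..." -> "code"
    if not any(v.split()[0] == "//%s/..." % depot for v in view):
        return form_text                      # that depot is not mapped at all
    client_side = "//%s/%s" % (client, heavy[len("//%s/" % depot):])
    view.append("\t-%s %s" % (heavy, client_side))
    return "\n".join(head + view + tail) + "\n"


if __name__ == "__main__":
    # Assumed trigger-table entry (p4 triggers):
    #   heavy-default form-out client "python3 /p4/triggers/heavy_view.py %formfile%"
    form_path = sys.argv[1]
    with open(form_path) as f:
        original = f.read()
    rewritten = add_exclusion(original)
    if rewritten != original:
        with open(form_path, "w") as f:
            f.write(rewritten)
```

Because the exclusion line no longer matches the stock mapping, a second pass over the same spec (for example when the user later edits it) leaves it untouched, and a user who wants the heavy directory simply deletes the exclusion line, which is the opt-in behaviour the question asks for.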
If you just want to block people from getting it, then it might be possible with permission mapping.
But then they would never be able to access it, even if they change their client spec.
Maybe you need to (re-)structure your repository so that the heavy part isn't in most users' client specs.