Making a folder visible for a few selected users in Linux - linux

I would like to share a folder called 'files' with user1 and user2 in my Linux account. Is there a way to set the authorizations to read write or execute for only these two users and keep it secure from other users?
To my knowledge, it is only possible to do this for a usergroup as a whole.
Thank you

If your Linux has a "modern" filesystem (ext3/ext4, ...), you can achieve this with POSIX ACLs:
Enable ACLs for the FS (only required for ext3 and ext4 on kernels older than 2.6.38; all other filesystems with ACL support have them activated automatically):
mount -o remount,acl /
tune2fs -o acl /dev/<partition>
Give user1 access to the folder files: (r/w/x)
setfacl -m user:user1:rwx /home/philipovic/files
Give user2 access to the folder files: (r/w/x)
setfacl -m user:user2:rwx /home/philipovic/files
If your Linux does not support ACLs, you have to create a group:
Create a group
Add the desired users to that group
chgrp the directory to that group, and give permissions with chmod:
chgrp groupname /home/philipovic/files
chmod g+rwx /home/philipovic/files
Note: in the above examples we are using r/w/x permissions and therefore giving the users/group FULL control! Don't forget to change them to the desired permissions.

Related

Restrict users from storing in home directory in Linux

We have a RHEL server where multiple users have access to it through application. Application RStudio running on these servers default the workspace to the users /home folder. Though there is separate space provided for individual users, users tend to store the files onto /home filling up the /home.
Is there any possibility to restrict users from storing data to their home folders either at server level or R Studio level which would force them to use the provided location?
Though there are options to change the default workspace for all the users, due to the large number of teams each having their sensitive data, it is not possible to have a shared folder as default location.
You could create a group without write permissions on home folder and start rstudio through the command sg, which allows you to start it with the group id with reduced permissions.
The ls -l command displays directory contents in long format. The long format contains both permissions and ownership.
# ls -l
With chown you can change owner and group associated to a file/directory (-R == recursive)
# sudo chown -R user01:groupA Directory
By setting the owner and the single group, the others will have restrictions (if set) in accessing files / folders.
The chmod command is used to modify the various permissions/restrictions.
# sudo chmod -c ug=rwx,o= file1
Specifically:
-c == report if the change is made
u == user
g == group
rwx == read, write, execute
o == others
=null == no permission
To create a new group you can use groupadd
# sudo groupadd rstudiogroup
You will have to set the new group created as the owner of the save destination folder and finally start the software through the command sg
# sudo sg rstudiogroup -c rstudio

Give a specific user permissions to a specific folder from root

I want to give specific users permissions to specific folders, with different levels of permissions (Read, Write, Execute) in Linux. And to do the same for some groups.
For example I want to give the user: sigmundlucas permissions (Read, Write) for promotional_material
Another example is that I want to give the group: testers permissions (execute) for development_project_data_directory
I need to do all of this from the root account as the folders in question don't allow permission to use chmod when signed into the user
I need to add that multiple groups/users need to access some of the files
This is normally accomplished with chown and groups!
Make some groups for your users to be members of
Then chown the directory to be :<group>
For example
groupadd mygroup # create a new group
usermod -aG mygroup myuser # add the group to the user's info
chown :mygroup target_directory # set the group to own the directory
chmod 770 target_directory # root and the group can enter/read/write
You can calculate the chmod with a website like https://chmod-calculator.com/ if you're not used to the numbers
Gotchas
directories need to be executable to be entered
users must be able to read all the intermediate paths to somewhere you want them to be able to write
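The second gotcha is what usually defeats an otherwise correct chown/chmod or setfacl on the target directory, for example a shared folder inside a home directory whose parent is mode 700. The following is an added example, not part of the original answer: traverse_blockers is a hypothetical helper that walks from a path up to a stop directory and prints every directory whose owner/group/other bits deny search (x) to the given user. It assumes GNU stat and looks at mode bits only, not ACL entries.

```shell
#!/bin/sh
# Added example. traverse_blockers is a hypothetical helper, not a standard tool.
# Usage: traverse_blockers PATH [STOP] [USER]
# Walks from PATH up to STOP (default /) and prints every directory whose
# owner/group/other mode bits give USER (default: the caller) no execute
# (search) permission. ACL entries and root's override are not evaluated.
traverse_blockers() {
    dir=$1 stop=${2:-/} user=${3:-}
    uid=$(id -u ${user:+"$user"}) || return 2
    gids=" $(id -G ${user:+"$user"}) "
    while :; do
        if [ -d "$dir" ]; then
            # GNU stat: numeric owner, numeric group, octal mode (e.g. 750)
            set -- $(stat -c '%u %g %a' "$dir")
            if [ "$1" = "$uid" ]; then
                bits=$(( ($3 / 100) % 10 ))                  # owner class
            else
                case $gids in
                    *" $2 "*) bits=$(( ($3 / 10) % 10 )) ;;  # group class
                    *)        bits=$(( $3 % 10 )) ;;         # other class
                esac
            fi
            if [ $(( bits & 1 )) -eq 0 ]; then
                printf '%s\n' "$dir"
            fi
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
}

# Constructed demo tree: the target is open, but its parent is not searchable.
demo_traverse() {
    base=$(mktemp -d)
    mkdir -p "$base/home/philipovic/files"
    chmod 755 "$base/home" "$base/home/philipovic/files"
    chmod 600 "$base/home/philipovic"            # no x bit for anyone
    traverse_blockers "$base/home/philipovic/files" "$base/home"
    chmod 700 "$base/home/philipovic"; rm -rf "$base"
}
```

Call demo_traverse to see the blocking parent reported; on a real system, pass the account name as the third argument to evaluate another user's access.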

Linux group permissions?

I was wondering if anyone could explain a bit on Linux permissions for me. I have two groups
Group A - Normal Users
Group B - File Changing group
I want group B to be pretty much exactly the same as group A other than group B are able to change 'message of the day' how could I set it so they have write access to MOTD and group A only have read access?
With ordinary UNIX u-g-o permissions, you can only assign a single UNIX group to any given file. In your case, since "normal users" presumably means "all users", you could just chmod the MOTD file to 664 (group read-write, all read-only), and chown it to root:file_changers (file owned by root, and assigned to the file_changers group).
With Linux ACLs, you can assign multiple groups to a file. Not all filesystems support ACLs. You can use setfacl to alter the permissions:
setfacl -m g:regular:r motd
setfacl -m g:file_changers:rw motd
Note that, in my opinion, ACLs can often be overkill. They can make permission management a hassle if you aren't prepared for them. Consider carefully if you need them; otherwise, stick to the simpler UNIX permission system.
Solution without ACLs:
You can move the motd file in a directory that is readable by group A and make the file writable by group B. Then place a symlink in place from the original location to the new location.
Example (assuming motd is in /etc/motd):
# mkdir /etc/motd-dir
# mv /etc/motd /etc/motd-dir/
# chown :groupA /etc/motd-dir
# chown :groupB /etc/motd-dir/motd
# chmod 750 /etc/motd-dir
# chmod 664 /etc/motd-dir/motd
# ln -s /etc/motd-dir/motd /etc/motd
This solution requires that all members of group B must also belong to group A so they can access the directory.

How make /var/www contents editable by IDE

I followed this link to change group/user permission to add my self to www-data group
but I am still unable to edit contents in /var/www, especially with uploaded content.
This is my development environment; I don't want to go and chmod /var/www/ each time there is an upload.
While keeping contents under /var/www, what are the steps to change the /var/www directory permissions to be able to edit contents directly from an IDE?
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I logged in/out after making these changes. It seems straightforward that if I am a user of a certain group I should get whatever permissions they hold.
Please help resolve this issue.
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way, to check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here led to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for debianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options, none of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownership of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
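With the setgid scheme from option 2 in place, uploads written under a umask of 022 still arrive without group write, which is where the umask 0002 advice above comes in. The following is an added example, not part of the original answers: shared_dir_drift is a hypothetical helper that lists every entry under a shared directory that has the wrong group, lacks group write, or is a directory missing the setgid bit. The demo tree is constructed, and the caller's primary group stands in for the shared group.

```shell
#!/bin/sh
# Added example. shared_dir_drift is a hypothetical helper, not a standard tool.
# Usage: shared_dir_drift DIR GROUP
# Lists every entry under DIR that breaks the setgid shared-directory scheme:
#   - not owned by GROUP (group name or numeric gid)
#   - not group-writable
#   - a directory without the setgid bit (new files in it leave the group)
shared_dir_drift() {
    find "$1" \( \
        ! -group "$2" \
        -o ! -perm -020 \
        -o \( -type d ! -perm -2000 \) \
    \) -print | sort
}

# Constructed demo: one file arrives under umask 002, one under umask 022
# (a common service default that produces uploads the group cannot edit).
demo_drift() {
    base=$(mktemp -d)
    gid=$(id -g)                  # caller's primary group stands in for the shared group
    mkdir "$base/www"
    chgrp "$gid" "$base/www"
    chmod 2775 "$base/www"        # group-writable + setgid
    ( umask 002; mkdir "$base/www/site"; : > "$base/www/site/index.php" )
    ( umask 022; : > "$base/www/site/upload.jpg" )
    # Print paths relative to the temporary base directory
    shared_dir_drift "$base/www" "$gid" | sed "s|^$base/||"
    rm -rf "$base"
}
```

Only the file created under umask 022 is reported; the subdirectory inherits the setgid bit from its parent and passes.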

How to manage permissions on Linux folders?

I'm a little bit confused with Linux permissions. I'm configuring a Git Central Repository that the users access by SSH. I'm using Filesystem ACLs(link) and regular linux permissions. What I intend to do is:
Find a way in that only the users that I want will be able to list/read/write/execute the dir "/var/github" (in a way that I assign a group to the user that I want to give this kind of permissions)
The user "git" is the only user that can create new folders in "/var/github"
Is this possible to do? Some clues on how to do it?
Best Regards,
chown git:git /var/github && chmod 750 /var/github
Now only the group git can read the folder and only the user git can modify it.
You can use access control lists to grant access to multiple groups. Here's an example session (using Ubuntu, but it should be the same for CentOS) that gives the grp1 group read access and the grp2 group read, write and execute access:
$ touch foo
$ setfacl -m "g:grp1:r--,g:grp2:rwx" foo
$ getfacl foo
# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::rwx
other::r--
Make sure that along with the user "git" that there is a "git" group. Add all the users to the group that you will give access to. Change the ownership properties of your directory to user and group git, and then the permission of 750. The ownership and mode commands are as follows:
chown git:git /var/github
chmod 750 /var/github
The permission of 750 lets the user do pretty much anything in the folder and only the members of the group "git" read and possibly execute in that folder. What programs and commands you use for your user management is up to you.
