I would like to set up a linux share space in the following way:
I want one user, let's call it admin, to have access to all other users' home directories.
I want to be able to create users A, B, C, D, E and have none of them view any other folders except their home folder (and /tmp/ if needed).
I do not want them to be able to view any other files.
I will use this so I can create a user for them; they can log in, view/edit a file in their home folder and nothing else (or scp a file into it).
How do I do this?
My first thought was to create a group and put them all in that group, but I do not want them to be able to view each other's files.
I notice that the folders in /home/* are only read,write,execute by the owner:
[test2#XXX home]$ pwd
/home
[test2#XXX home]$ ll
drwx------ 3 test2 test2 4096 Mar 7 18:54 test2
Are these permissions sufficient, then?
The files in /home/A/ for example are
[test2#XXX~]$ pwd
/home/test2
[test2#XXX~]$ ll
total 4
drwxrwxr-x 2 test2 test2 4096 Mar 7 18:54 testdir
-rw-rw-r-- 1 test2 test2 0 Mar 7 18:54 testfile
User B would not be able to write to these files, correct?
If so, what do I need to do in order to have user admin able to view all these /home/ folders but nobody else?
First of all you need a user "Admin" who will have rwx permissions on all home directories of users A, B, C, D, E. Here I am assuming that your "Admin" user is not root.
You can refer to this link for achieving this functionality.
Now you don't want any of the users A, B, C, D, E to see each other's files, but a Public folder exists in your home directory (/home/user) for sharing files with other users. If another user wants to get access to this Public folder, the execute bit for the world should be set on the home directory.
If you do not need to allow others to access your home folder (other humans or users like www-data for a webserver), you'll be fine with chmod o-rwx "$HOME" (remove read/write/execute from "other", equivalent to chmod 750 "$HOME" since the default permission is 750). Otherwise, you should change the umask setting too to prevent newly created files from getting read permissions for the world by default.
For a system-wide configuration, edit /etc/profile; per-user settings can be configured in ~/.profile. I prefer the same policy for all users, so I'd edit the /etc/profile file and append the line:
umask 027
You need to re-login to apply these changes, unless you're in a shell. In that case, you can run umask 027 in the shell.
Now to fix the existing permissions, you need to remove the read/write/execute permissions from other:
chmod -R o-rwx ~
Now if you decide to share the ~/Public folder to everyone, run the next commands:
chmod o+x ~ - allow everyone to descend in the directory (x), but not get a directory listing (r should not be added)
find ~/Public -type f -exec chmod o+r {} \; - allow everyone to read the files in ~/Public
find ~/Public -type d -exec chmod o+rx {} \; - allow everyone to descend into directories and list their contents
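The recipe above can be rehearsed without touching a real /home. The following script is an added example, not part of the original answer: it builds a constructed fake home under a temp directory, applies umask 027, the chmod -R o-rwx step and the three ~/Public commands, and prints the resulting mode bits so you can confirm that private files stay at rw-r----- while only the Public tree is opened to others.

```shell
#!/bin/sh
# Added example, not part of the original answer: rehearse the home-directory
# hardening described above inside a throwaway directory, so the resulting
# mode bits can be inspected without touching a real /home. All paths under
# the sandbox are constructed for the demo.

# Symbolic mode of a path, e.g. "drwxr-x---" (first 10 chars of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Build a fake home at $1 with a private file and a ~/Public tree, then apply
# the answer's recipe: umask 027 for new files, strip "other" everywhere,
# and re-open only ~/Public for reading.
setup_home() {
    home="$1"
    (
        umask 027                      # new files: rw-r-----, new dirs: rwxr-x---
        mkdir -p "$home/Public/docs"
        touch "$home/private.txt" "$home/Public/readme.txt" "$home/Public/docs/notes.txt"
    )
    chmod -R o-rwx "$home"                               # fix existing permissions
    chmod o+x "$home"                                    # others may descend, not list
    find "$home/Public" -type f -exec chmod o+r {} \;    # readable files in Public
    find "$home/Public" -type d -exec chmod o+rx {} \;   # listable dirs in Public
}

# Stand-alone run: print the modes that matter.
demo() {
    sandbox=$(mktemp -d)
    setup_home "$sandbox/alice"
    for p in alice alice/private.txt alice/Public alice/Public/docs/notes.txt; do
        printf '%s  %s\n' "$(mode_of "$sandbox/$p")" "$p"
    done
    rm -rf "$sandbox"
}

demo
```

The home itself ends up as drwxr-x--x: others can pass through it to reach ~/Public but cannot list what else lives there, which is the point of adding only x and not r.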
Related
I have a few directories with files on a Debian 9 system. I want to disable the privilege to read these directories for everyone other than the owner, but I want to let some users list files in these directories only through my own bash script.
I changed the privileges on the directories and on my script, but I get "permission denied" when I try to use it. I understand why, but can't fix it.
OKAY, after we had a small chat I understand the following:
that you (your user is called user0) have a directory with some files in it, and you have a special category of users (user1, user2 ... usern) on your machine that you want to give access to this folder. First you must create a group, called for example "cowboys", to which the users who will be privileged to read and execute the folder will be added.
# create the group cowboys
groupadd cowboys
# add the privileged users to the group; usermod takes one login per call,
# so repeat it for user1, user2 ... usern (-a keeps their existing groups)
usermod -a -G cowboys user1
usermod -a -G cowboys user2
Let's say the folder that you want to give access to is called "/somehow/there/dictionary".
So after you have created the folder and joined it, you chown it to yourself and the group cowboys:
chown user0:cowboys /somehow/there/dictionary
In the next step you must chmod the folder in a way that you can read (400), write (200) and execute (100), cowboys can read (40) and execute (10) and the rest of the world can do nothing (0).
chmod 750 /somehow/there/dictionary
The last step is that you now must chmod the files in the directory.
1) The executable files you must chmod very similarly to the way you chmod the folders, because folders need to have "executable" rights for one to "cd" into the folder:
# only regular files that already carry the owner execute bit (-perm -100)
find /somehow/there/dictionary -type f -perm -100 -exec chmod 750 {} +
2) The non-executable files you will chmod like this:
# every other regular file: owner rw, cowboys r, others nothing
find /somehow/there/dictionary -type f ! -perm -100 -exec chmod 640 {} +
and this should do the trick.
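The per-file step is the part of this procedure that needs no root, so it can be tried in a sandbox. The script below is an added example and not the answerer's code: it constructs a stand-in for /somehow/there/dictionary with deliberately sloppy modes, then selects files by their owner execute bit with find's -perm test so that executables receive 750 and plain data files 640 (a plain chmod over * would apply the same mode to both). The groupadd, usermod and chown steps are root operations and are left out.

```shell
#!/bin/sh
# Added example, not part of the original answer: apply the cowboys file policy
# to a constructed directory and report the resulting modes. Directories and
# executables get 750, everything else 640.

mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed stand-in for /somehow/there/dictionary with sloppy starting modes.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/sub"
    printf '#!/bin/sh\necho hello\n' > "$dir/run.sh"
    printf 'word,definition\n' > "$dir/data.csv"
    printf 'more words\n' > "$dir/sub/extra.txt"
    chmod 777 "$dir" "$dir/sub" "$dir/run.sh"     # world-writable everything
    chmod 666 "$dir/data.csv" "$dir/sub/extra.txt"
}

# Owner rwx / group r-x / others nothing on directories and executables,
# owner rw / group r / others nothing on plain data files.
apply_policy() {
    dir="$1"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -perm -100 -exec chmod 750 {} +     # owner x bit set
    find "$dir" -type f ! -perm -100 -exec chmod 640 {} +   # owner x bit clear
}

demo() {
    box=$(mktemp -d)
    make_fixture "$box/dictionary"
    apply_policy "$box/dictionary"
    for p in dictionary dictionary/sub dictionary/run.sh dictionary/data.csv dictionary/sub/extra.txt; do
        printf '%s  %s\n' "$(mode_of "$box/$p")" "$p"
    done
    rm -rf "$box"
}

demo
```

Because the policy is driven by the owner execute bit, a data file that someone accidentally marked executable will be kept at 750; review the output before running this on a real tree.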
I have a new OpenCart website. I and 2 different programmers with 3 separate logins need to edit the same OpenCart file base in the group www-data. I have set the permissions using the instructions below. But these instructions do not account for the 3 different users having permission to edit the files. Do I need to make all the users members of the www-data group?
Any help is much appreciated.
# change user and group
chown -R wyattjackson:www-data /path/to/opencart/root
# folders
find /path/to/opencart/root -type d -exec chmod 755 {} +
# files
find /path/to/opencart/root -type f -exec chmod 744 {} +
chmod 775 image
chmod 775 system/storage
First, to ensure that the apache user creates files that are group writeable, you can change the default umask of the apache user by adding the following to either /etc/apache2/envvars (Debian/Ubuntu) or /etc/sysconfig/httpd (CentOS/Red Hat):
umask 002
Now you can either simply add everyone to the www-data group or…
Create a new group
Add everyone (including www-data) to it
Set the group ownership of the docroot to the newly created group
Set the setgid bit on the directory so that all files will inherit its group: chmod g+s /path/to/opencart/root
The benefit of the second, slightly more complex approach is that you aren't opening up all of the files created by www-data to anyone in that group, thereby giving you a bit more granular control over your server permissions.
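What the setgid bit buys you is easy to see in a sandbox. The script below is an added example, not the answerer's code: it constructs a docroot under a temp directory, hands it to a group the current user already belongs to (chgrp to an arbitrary group needs root), sets g+s, and then creates content with umask 002 as the answer suggests. The new file and subdirectory take the directory's group and come out group-writable, which is what lets several developers edit the same tree.

```shell
#!/bin/sh
# Added example, not the answerer's code: show what the setgid bit on the docroot
# does. Files and subdirectories created inside a g+s directory take the
# directory's group rather than the creator's primary group, and with umask 002
# they come out group-writable. The tree is constructed under a temp dir and
# uses a group the current user already belongs to.

mode_of()  { ls -ld "$1" | cut -c1-10; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Prefer a supplementary group if the user has one, so the inheritance is
# visible; fall back to the primary group otherwise.
pick_group() {
    id -Gn | awk '{ print ($2 != "") ? $2 : $1 }'
}

# Steps 3 and 4 of the answer: group-own the docroot and set setgid on it.
setup_docroot() {
    root="$1"; grp="$2"
    mkdir -p "$root"
    chgrp "$grp" "$root"
    chmod 2775 "$root"        # rwxrwsr-x: group rwx plus setgid
}

# What a developer or the web server does later, with the umask from the answer.
create_content() {
    root="$1"
    ( umask 002; mkdir -p "$root/image"; touch "$root/image/logo.png" )
}

demo() {
    box=$(mktemp -d)
    grp=$(pick_group)
    setup_docroot "$box/opencart" "$grp"
    create_content "$box/opencart"
    for p in opencart opencart/image opencart/image/logo.png; do
        printf '%s %-10s %s\n' "$(mode_of "$box/$p")" "$(group_of "$box/$p")" "$p"
    done
    rm -rf "$box"
}

demo
```

Note the lowercase s in drwxrwsr-x on both the docroot and the image subdirectory: subdirectories inherit the setgid bit too, so the rule keeps applying as the tree grows.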
I have a directory at
/home/ec2-user/vertica1
and I'm trying to give user dbadmin all privileges in that folder.
I've done chown to dbadmin and chmod 777 on that folder, but dbadmin still gets a permission denied error.
If I put sudo in front of the command (I put dbadmin in sudoers), then it works. Why can't I get it to work without sudo?
Can dbadmin traverse /home/ec2-user? Try doing chmod a+x /home/ec2-user
There could be more reasons for being denied, like a specific ACL or an LSM, but this is the most likely cause.
UNIX permissions on directories
The UNIX permissions rwx¹ work on directories as follows:
r: You can view the contents of the directory (the names of the files or folders inside)
w: You can create new files, delete or rename existing files.
x: You can traverse the folder.
The traverse permission means that you can access the folder's children (assuming you know their names, which you can obtain if you also have read permission).
In this case dbadmin could read and traverse / as well as /home, but /home/ec2-user probably had a mode like drwx------ 2 ec2-user in order to protect its contents. Thus, even if you had an important file readable by anyone deep inside your home folder, other users can't get to it, since they wouldn't be able to go past /home/ec2-user (which is exactly what you wanted, in this case).
¹ Note that I am skipping over the more exotic ones.
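The traverse rule can be reproduced end to end. The script below is an added example, not the answer's code: it constructs a stand-in for /home/ec2-user/vertica1 under a temp directory, leaves the target file world-readable and the folder at 777 exactly as the asker did, and then removes the execute bit from the home above it. The locked-out second user is simulated by removing the owner's x bit as well, because the script cannot switch users; for a real second user the bit that matters is o+x. Root bypasses directory permissions, so run it as an ordinary user to see the denial.

```shell
#!/bin/sh
# Added example, not from the answer: reproduce the "chmod 777 on the folder but
# still permission denied" situation. The target file is world-readable, yet
# because an ancestor directory lacks the execute (traverse) bit no path through
# it resolves. Everything is built under a constructed temp dir.

mode_of() { ls -ld "$1" | cut -c1-10; }

# "yes" if the calling process can read the path. The [ -r ] test calls
# access(2), which checks every ancestor, not just the file's own bits.
can_read() { if [ -r "$1" ]; then echo yes; else echo no; fi; }

# Constructed stand-in for /home/ec2-user/vertica1 with a private home above it.
build_tree() {
    home="$1"
    mkdir -p "$home/vertica1"
    echo "important" > "$home/vertica1/data.txt"
    chmod 644 "$home/vertica1/data.txt"
    chmod 777 "$home/vertica1"     # what the asker did: wide open, yet unreachable
    chmod 600 "$home"              # home without x: nobody can descend, owner included
}

# The fix from the answer: grant traverse on the home (chmod a+x /home/ec2-user).
# Only x is added, so others still cannot list the home's contents.
unlock_home() { chmod a+x "$1"; }

demo() {
    box=$(mktemp -d)
    build_tree "$box/ec2-user"
    printf 'before: home=%s reachable=%s\n' \
        "$(mode_of "$box/ec2-user")" "$(can_read "$box/ec2-user/vertica1/data.txt")"
    unlock_home "$box/ec2-user"
    printf 'after:  home=%s reachable=%s\n' \
        "$(mode_of "$box/ec2-user")" "$(can_read "$box/ec2-user/vertica1/data.txt")"
    rm -rf "$box"
}

demo
```

Before the fix even ls -ld on vertica1 fails, because stat() has to walk through the home directory; after chmod a+x the home is drwx--x--x and the 777 folder beneath it becomes reachable without any change to the folder itself.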
What is the result of ls -la for this dir and also the parent dir? Maybe the directory doesn't have read permissions for your user.
sudo chmod ug+r vertica1
Also ec2-user directory should be writable by the user dbadmin.
I'm trying to configure my local server's htdocs folder so that I can write in it without root powers, but without the ugly way of chmod 777. I created a new group, set it on the folder, changed the permissions to 775 and added my user to this new group. This is the result:
$ ls -ld .
drwxrwxr-x 4 nobody htdocs 4096 ago 27 2009 .
$ id asbel
uid=1000(asbel) gid=1000(asbel) grups=1000(asbel),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),1002(htdocs)
$ touch test
touch: no s’han pogut canviar les dates de «test»: S’ha denegat el permís
The output of the last command says that I don't have permission to write here.
What is wrong here? Also, I want new folders I create to have the same group permissions, since I want other users of the group to be able to modify them. Is that correct?
For the new group to take effect, you must log out and log in again (opening a new shell is not sufficient).
#n.m. (originally a comment to this question)
Suppose I have a directory on Linux with a bunch of files and subdirectories. This is that root directory:
drwxr-xr-x 13 user1 group1 4096 May 7 15:58 apps
Now, I only want to alter the group portion of those permissions. I want to alter it in such a way that it exactly matches the owner portion. The result for that directory would be:
drwxrwxr-x 13 user1 group1 4096 May 7 15:58 apps
But, I want a script or command to do this automatically, not just for that directory but for every subdirectory and file recursively under it. Anyone know how?
Thanks.
Give this a try (test it first):
chmod -R g=u apps
The = copies the permissions when you specify a field (u, g or o) on the right side, or sets them absolutely when you specify a permission (r, w or x) on the right.
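To see the copy semantics of g=u on a mix of modes, here is an added example (not the answer's code) that constructs a small stand-in for the apps tree with deliberately varied owner bits, runs chmod -R g=u over it, and checks that every entry's group triplet is now a copy of its owner triplet while the "other" triplet is untouched.

```shell
#!/bin/sh
# Added example, not from the answer: exercise chmod -R g=u on a constructed tree
# with mixed owner modes and verify that the group field becomes a copy of the
# owner field everywhere, recursively, without touching the "other" field.

mode_of() { ls -ld "$1" | cut -c1-10; }

# "1" if the group triplet (chars 5-7) equals the owner triplet (chars 2-4).
group_matches_owner() {
    m=$(mode_of "$1")
    if [ "$(printf '%s' "$m" | cut -c2-4)" = "$(printf '%s' "$m" | cut -c5-7)" ]; then
        echo 1
    else
        echo 0
    fi
}

# Constructed stand-in for the "apps" tree with deliberately varied modes.
make_tree() {
    root="$1"
    mkdir -p "$root/bin" "$root/etc"
    touch "$root/bin/tool" "$root/etc/secret.conf" "$root/README"
    chmod 755 "$root" "$root/bin" "$root/etc"
    chmod 744 "$root/bin/tool"
    chmod 600 "$root/etc/secret.conf"
    chmod 644 "$root/README"
}

# The answer's command: copy the owner bits onto the group field, recursively.
sync_group_to_owner() { chmod -R g=u "$1"; }

demo() {
    box=$(mktemp -d)
    make_tree "$box/apps"
    sync_group_to_owner "$box/apps"
    for p in apps apps/bin/tool apps/etc/secret.conf apps/README; do
        printf '%s  match=%s  %s\n' "$(mode_of "$box/$p")" "$(group_matches_owner "$box/$p")" "$p"
    done
    rm -rf "$box"
}

demo
```

Note that secret.conf goes from 600 to 660: g=u faithfully copies whatever the owner has, so a file the owner kept private becomes group-writable. That is the intended result here, but it is worth a glance at the tree before running it recursively.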
That's simple:
chmod g=u <file>