Tuesday, May 7, 2019

permissions - How do I use Linux Groups to restrict read, write, execute access by other users to a directory?


UPDATE: I figured out what I wanted to do ultimately. See here: https://raspberrypi.stackexchange.com/questions/13401/locking-down-raspbian-to-only-allow-limited-features/58778#58778


I'm super confused by this answer here: https://stackoverflow.com/a/527976/4561887


It says:



The user will need read/execute rights to execute any command (ls, login shell, etc), so you can't easily take all rights away.


Usually it's enough to make sure they can't mess with the home directories of other users. To do this, put the user into a new group (like "untrusted"), chown his home directory and revoke the group and other rights on all home directories: chmod go-rwx /home/*/



But I don't really understand what he's saying. Someone please help me out. Here's what I've got so far, with some of my questions in bold below:


In full:



  1. Make a new user called "guest": sudo adduser guest

  2. Make a new group called "untrusted": sudo groupadd untrusted

  3. Add user "guest" to group "untrusted": sudo usermod -a -G untrusted guest

  4. Ensure user "guest" is now part of group "untrusted": groups guest



    • Output is:



      guest : guest untrusted



    • This means user "guest" is part of groups "guest" and "untrusted." Good.



  5. Take ownership of any directories you want "guest" to have access to. Note that since we used adduser above, guest already has access to his "/home/guest" home folder. However, giving user "guest" of other directories can be done as follows: sudo chown -hR guest /any/directory/you/want/guest/to/own

  6. ??? (did I do the above so far correctly???) --I still want other s to be able to see guest's files. What's the point of making the "untrusted" group anyway? I don't see how it changes anything.

  7. Revoke the read, write, and execute (rwx) Group and Other rights on all other home directories: ??? If I do chmod go-rwx /home/*/, then other sudoers can't even read guest's directories--that's not what I want!--I just want guest to not be able to read others' directories, not quite the other way around, though if I make a guest2 he shouldn't be able to see guest1's directories either, nor should guest1 be able to see guest2's directories, but sudoers should be able to see both guest1's and guest2's directories.


Answer



I don't know why you would need an "untrusted" group if you only have one "guest" (and you should only have one guest, usually). The group "guest" can be used as "untrusted" would. Anyway, I'll try to be brief with an explanation to point you in the right direction:



??? (did I do the above so far correctly???) --I still want other
s to be able to see guest's files.



Anyone who's logged into the account "root" can do this. Either use su -c "do something" or sudo do something. To log in as root, use su root (or just su as it defaults to root with no args) or sudo -i (but know that logging in as root is discouraged for novice users).



What's the point of making the "untrusted" group anyway? I don't see
how it changes anything.



Precisely. However, on, say, a fileserver, it can be very useful to have specific groups for specific access purposes. Development and testing environments may benefit from running processes with fewer privileges, testing untrusted binaries (though jails are better for this). Generally, having an untrusted user can be useful in enterprise, but not for a stock desktop or workstation. There may be plenty more use-cases, so before this digresses, I'll stop at that and leave the rest to your reading.



Revoke the read, write, and execute (rwx) Group and Other rights on
all other home directories: ??? If I do chmod go-rwx /home/*/, then
other sudoers can't even read guest's directories--that's not what I
want!--I just want guest to not be able to read others' directories



No, of course you don't. Revoking g (group) access will mess things up badly in this instance and not achieve your goals (to prevent guest messing with other users' home). Read this short explanation:


The default nature of adding a new user via adduser is:



  1. New user created with matching primary group id.

  2. New user receives a home folder, usually /home/USERNAME/ which that user has rwx privileges for.

  3. By default, no other privileges are given and no supplementary groups are assigned to the user (I hear some configurations do this, but it's not "vanilla" behaviour).

  4. Therefore, simply creating the user achieves everything you've stated you want to achieve. In other words, start over by deleting the user and home directory of the user and don't change anything until you know what, if anything, needs altering. You can see the account's groups after creating it with id USER. Thus you can remove any groups your guest shouldn't be in if your system has odd default behaviour.



I just want guest to not be able to read others' directories



By default, guest can read-only other files. If you want to make files private (visible only to the owner, group, and root), chmod -R o-rwx their directory. The 'o' means "other" or "world". This flag refers to anyone who is not the file owner or a member of the group that owns the file (with the exclusion of root who is basically your User-Almighty). 'o-x' is needed to ensure directory listings cannot be made as directories are executable (out of scope).



Take ownership of any directories you want "guest" to have access to.
Note that since we used adduser above, guest already has access to his
"/home/guest" home folder. However, giving user "guest" of other
directories can be done as follows: sudo chown -hR guest
/any/directory/you/want/guest/to/own



No. If you want to share folders, create a new group called "shareful" (that's a joke because you must be "careful") and add all users who will share the directory to this group (usermod -aG shareful myuser). Then chown the group ownership of said folder to the shareful group (chown -R :shareful /this/path/) and chmod the permissions so group has rwx (chmod -R g+rwx /this/path). At this point you'll start wanting to look into umask, but that's out of the scope of this post.


Below is a link to umask info, but first, I think you need to re-read up on basic *NIX file permissions (the first two links).


File Permissions:
(Wikipedia) https://en.wikipedia.org/wiki/File_system_permissions
(UNIX.com) http://www.unix.com/tips-and-tutorials/19060-unix-file-permissions.html


Linux and umask:
(Unfamiliar source) https://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html


Hope this clarifies things at least enough to achieve what you want.
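
The two recipes from the answer (chmod o-rwx for privacy, a shared group with g+rwx for sharing), as an added shell example that is not part of the original post. The function names, the temp-directory layout standing in for /home, and the use of the caller's own gid in place of a group like "shareful" are assumptions made so it runs without root.

```sh
#!/bin/sh
# Added example. Works on a constructed temp tree standing in for /home,
# so it needs no root and touches no real accounts.

# List immediate subdirectories of $1 where "other" has any of r, w or x.
world_accessible_dirs() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        [ -L "$d" ] && continue            # skip symlinks; their own mode is meaningless
        mode=$(stat -c '%a' "$d")          # octal mode, e.g. 755 (GNU/busybox stat)
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ "$other" != 0 ]; then
            printf '%s %s\n' "$d" "$mode"
        fi
    done
}

# The answer's privacy fix: drop all "other" access, recursively.
make_private() {
    chmod -R o-rwx "$1"
}

# The answer's sharing recipe: hand the tree to a group and give it rwx.
# Dropping "other" here as well is an addition, so only group members get in.
share_with_group() {                       # $1 = directory, $2 = group name or gid
    chown -R ":$2" "$1" && chmod -R g+rwx,o-rwx "$1"
}

demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/alice" "$base/guest" "$base/shared"
    chmod 755 "$base/alice" "$base/shared" # world-readable, the default the answer describes
    chmod 700 "$base/guest"
    echo "other-accessible before:"; world_accessible_dirs "$base"
    make_private "$base/alice"
    # The caller's own gid stands in for a real group such as "shareful".
    share_with_group "$base/shared" "$(id -g)"
    echo "other-accessible after:";  world_accessible_dirs "$base"
    stat -c '%a %U:%G %n' "$base"/*
    rm -rf "$base"
}

demo
```

With -R, g+rwx also sets the execute bit on regular files; g+rwX (capital X) applies it only to directories and to files that are already executable.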

