Page 2 of 2 FirstFirst 12
Results 11 to 16 of 16

Thread: Give users access to only home directory

  1. #11
    Join Date
    Nov 2011
    Location
    /dev/root
    Beans
    6,055

    Re: Give users access to only home directory

    Quote Originally Posted by bellygrevios View Post
    My other users need to be able to look in a media directory and other files not under /home (such as /var/www and others. I can't just stop them from accessing every system folder.
    * It is a good idea to backup the system before you do this, because you can easily break the system, if you remove permissions or change ownership on certain files.
    --
    Yes, this is possible with Pacman's method. Do you need detailed advice?

    - create a group and add those with higher permissions into that group. You can give it any name (not yet used), for example 'plus'.
    Use
    Code:
    users-admin
    or edit directly the file /etc/group if you know what you are doing

    - set the permissions of some directories to be only accessible by the user and that group, 750.
    Code:
    sudo chmod 750 directory
    (Use the actual name of the directory to be addressed.)

    - set the group ownership of those directories to be 'plus'
    Code:
    sudo chgrp plus directory
    - set the permissions of other directories to be accessible by everybody, 755 (you wrote 'such as /var/www and others')
    Code:
    sudo chmod 755 directory
    - /tmp should always have rwx for everybody, 777, for the system to work properly.

    * Check with
    Code:
    ls -l
    in the directory above the one you want to check, that the permissions are what you want.

    - You may need to set permissions and ownership of certain files too. Then use the file name(s) instead of a directory name in the chmod and chgrp command lines.

  2. #12
    Join Date
    Dec 2012
    Beans
    26

    Re: Give users access to only home directory

    Quote Originally Posted by coldcritter64 View Post
    Then set permissions of 755 for the directories you want left alone (readable to all) and use permissions of 700 on home folders you don't want as accessible. Accounts set to 700 permisssions are then protected from prying eyes as your opening post indicated you wanted, but are still fully useable to their owner and root too of course, just not other users.
    Remove the * (wilcard) in SejiiSenei's post command and replace the actual usernames, one by one, and set the permissions as you indicated you require.

    Edit: on rereading Paqman's post, that is a much better way; setting a special group for the permissions handling would allow easier management for new users added what I posted above OP. A much better option really. cheers and good luck.
    So could I just do this to /* because like I said before server stuff isn't under /home. Also what would the consequences of this be on other users?

  3. #13
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Give users access to only home directory

    Quote Originally Posted by bellygrevios View Post
    So could I just do this to /* because like I said before server stuff isn't under /home. Also what would the consequences of this be on other users?
    There are a couple of points that might consider that haven't been touched upon.

    • The permissions of a file system tree (i.e. /etc or /var) are best left alone if you are not comfortable with what is needed by the OS.
    • On the other hand you don't need to use /var/www as the web root. I use Apache and have configured /data/www for all of my web content.
    • If you have multiple users that are responsible for the web page content then you need to make the group permissions inheritable. By default, Linux group permissions are NOT inheritable.


    If you do this and set the users /home directory permissions to 0770, the data will be outside of the home directory structure and away from the rest of the OS file structures. You can set the /data permissions any way you want without interfering with OS or the users normal permissions.

    Here is what I do
    1. Create the /data/www file structure
    2. Set the folder /data/www group ownership to www-content (a group I created)
    3. Set the permissions on the /data/www to 2770 ( this sets the sgid bit for inheritance)

    You only need to set the permissions on the folder www in the directory /data. At this point anything created in that folder by a user in the group www-content will have the ownership of $USER:www-content. The permissions for a folder will be 775 and the files will be 664, but no user that is not part of the www-content group will be able to descend into the www directory and therefore can't view or change anything in there.

    Others have described how to create user groups and add user to those groups. None of this will affect normal users or add more than access to /data/www for the users that you do add to the new group you create.
    -BAB1

  4. #14
    Join Date
    Nov 2011
    Location
    /dev/root
    Beans
    6,055

    Re: Give users access to only home directory

    Quote Originally Posted by bellygrevios View Post
    So could I just do this to /* because like I said before server stuff isn't under /home. Also what would the consequences of this be on other users?
    It is a bad idea to change permissions or ownership to /*

    It might corrupt your system, either break it (so that it won't work, or part of it won't work) or leave it open to attacks (break the security).

    You need to be careful with these commands. So read some tutorials on the internet, reread all the advice in this thread, bab1's advice is good, and decide what you want to do!

    But don't do it at once! First backup your system. Then make a test directory, and inside it try the commands. Create a subdirectory tree with some files, and use the commands to create the permissions you want, and test with some users, if they get the access they should (no more, no less).

    When you get this right, you can do it to the real directories.

  5. #15
    Join Date
    Aug 2012
    Location
    Queensland, Australia
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Give users access to only home directory

    Quote Originally Posted by bellygrevios View Post
    So could I just do this to /* because like I said before server stuff isn't under /home. Also what would the consequences of this be on other users?
    Be careful not to do so to any system folders, folders in the Ownership of a user should be alright to change, if all folders affected by the wildcard (*) are user folders then it should be alright, be careful not to accidently change any "lost+found" or system folders etc Edit: especially not from /*. However if more users are likely to be added or removed, using the new group suggestion by Paqman would make your job of administering the system easier.

    If the user "owns" the folder you change the permissions on, keeping the "users" permission setting at 7 (777=u,g,o=user,group,others), means no effect to the user.

    By setting a folder's "group" permissions to 0, no user, also a member of this group, can even view it.

    Setting the "others" number to 0 gives same result as for "group" access, ie. none at all, your folder is accessible only to its owner and root, no "group" access or from "others". Different permissions values in conjuction with group access can cater for varying degrees of access control and administration. Cheers.
    Last edited by coldcritter64; March 17th, 2013 at 05:02 AM. Reason: spelling + noted /* and added emphasis

  6. #16
    Join Date
    Oct 2012
    Beans
    1,762
    Distro
    Ubuntu Development Release

    Re: Give users access to only home directory

    I suspect you may be looking for a quicker way to do this, such as your request about /*. As previously mentioned, DO NOT DO THIS!

    System security and access rights are not a simple "do this" process. You have to look at what you want to do, what actual folders/files are affected, and use a group (or even more than 1) to set who gets access to what, and what that access should be.

    For what you are trying to do, it might be best to first map out what folders/files need what type of access for which users. By mapping this out you'll be able to more clearly see where the groups of the same access needs are - which can give you a hint on a user group to own it and the access rights to be given.

Page 2 of 2 FirstFirst 12

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •