Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: Questions about users management

  1. #11
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Questions about users management

    Quote Originally Posted by chrischang2021 View Post
    When I manage the group, user and permission at UNIX and Linux OP.


    I use those command as below : You need to as superuser. You can study it how to use.
    You need to carefully use it when you as superuser you can do anything include kill yourself system.

    chgrp
    chown
    chmod
    Most of the time, chown and chmod do NOT require sudo/admin access. chown does, always. The owner of any file or directory is the only userid who can modify the group or change permissions ... except if we use sudo. But sudo-abuse is all to prevalent these days and people really to bad things to their systems by not understanding Unix permissions. There are thousands of Unix permissions how-tos/guides. Those all apply 100% to any Linux system. It is the same.

    If anyone anywhere suggests using chmod 777, it is because they either don't understand permissions or they are careless with permissions. If you see that in an installation guide for anything, consider the author's other suggestions as suspect too. Every system has 1 directory that is setup with permissions that look to be 777, but are subtly different:
    Code:
    drwxrwxrwt 21 root root   16384 Feb 17 09:57 ./
    That 't' at the end changes everything. It forces the files inside to be deletable only by the userid who created them, not anyone in general. Still, it is best to avoid 777 permissions until you fully, completely, understand, what this really means. By then, you'll know there are better methods.

  2. #12
    Join Date
    Feb 2021
    Beans
    10

    Re: Questions about users management

    TheFu Thanks you more detail and clearly to explain it, I agree it "avoid 777 permissions ", Why Linux system is safe ,because you only allow to do, superuser allow you do level.

  3. #13
    Join Date
    Mar 2007
    Beans
    950

    Re: Questions about users management

    You might be able to come close accomplishing what you want if you create at least 3 users and only allow one to sudo, then arrange groups so that one user can access certain programs and the other can access other programs.

    Or place each application in a group of its own then add those users you want to have access to to those groups. But if you give those users sudo access there are about a gazillion ways to get around it.

    Might it is also worth considering separate VMs for the different roles and restricting access to the VMs to those who need those things.

    None of this would be simple.

  4. #14
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Questions about users management

    Let's break this down.

    So I'm very new to Ubuntu, I have bene tasked with a installing and configuring a 20.04 Ubuntu.
    Installs aren't THAT hard. Configuring doesn't need much, but it depends on all sorts of things. Mainly what you want the system to be used for. Ubuntu systems can do 50,000 things - actually, more.

    So everything is fine, but I would need to have 2 users, both with administrations rights (and different passwords), but independent.
    2 users. Easy
    2 users with sudo. Easy. Different passwords. That is expected. Independent. Not sure what you mean by that. Unix systems can support 64K users, perhaps more. That includes your desktop Ubuntu. They share system resources, storage, RAM, CPU, so they aren't independent, but Unix does keep their process data separate unless they want to share. Groups of users commonly choose to share storage, for example.

    So they could not see/manipulate each others home/folder/files, the software that each one installs is not applied nor accessible from the other... etc
    Well, if they aren't administrators, then users have control over the access to their HOME directory. They can install programs separately, but that is not the Ubuntu way. In general, software gets installed across the entire system by the administrator and anyone with an account can run it. The data files for that software is separate - per user. This is Unix.
    However, if a user has admin rights, then they can elevate their current access and do almost anything to the system and other users and any data located on the system, if that is their desire. But the admin needs to request this access and be authorized. Every time that happens, it is logged. There are easy ways for an admin user to change to a different userid - the change will be logged but commands after that are not.

    Is this possible at all? I have been doing some tests in the Ubuntu settings, but I have not been able to do it
    At all? Sure. In the way you posted, no.
    http://linuxcommand.org/tlcl.php has more about this stuff. You say you are new, which is why I provided that link. It has lots of background along with commands, so you don't see what to type, but why and when. Unix isn't about entering 20 commands to accomplish something. It is about understanding the underlying ways that things work, so you can accomplish brilliant things that were not expected.

    As rsteinmetz70112 says, you might be able to accomplish what you want using virtual machines. However, the admin who controls running each VM on the host would be able to see everything in each guest VM unless there was full encryption and the hostOS admin didn't know the encryption keys. I've not tried this, but I could see where that would work. Have the VM host provide block storage to each guest VM and let your "users" have admin on their machine only. Don't allow any other users on each VM. When the machine is running, the storage would be unlocked for the VM, but not for the host, so the host Admin wouldn't have access. If you do this, you'll have many other challenges - like how to backup the systems and data efficiently. I don't have a good idea for that, but I use "pull" backups from a network backup server to prevent malware/cryptoware from harming the backup storage.

    If this is for some school assignment, I seriously doubt the intent is nearly as difficult as your posted question.

  5. #15
    Join Date
    Feb 2021
    Beans
    5

    Re: Questions about users management

    Hi all and thank you very much for taking the time for such comprehensive answers. I really appreciate that. It could be, but this is not school assignment. We do not have proper IT service but I like informatics, and I've been tasked to do this by my boss. Apart from the fairness of that, it is how it is, and I thank you for your help! Great community. I agree with you all that I should start learning from the bottom. All the links and comments are appreciated and I'm on it. My current thoughts now are an administrator account+standard account. Then from the admin account, limit the permissions of some folder, I'd say:
    Code:
    sudo chmod 0700 /home/username
    And maybe the same over some folders in external hard disks.

    Just couple of questions provided that this approach is acceptable:
    * How could I restore the permissions the way they were, if needed? "sudo chmod 0755" from the admin account?
    * I could affirm that the "privacy" of the admin user is guarenteed this way, right? And that the "private things", including files and folders with changed permissions, and passwords, mails, of the admin user are not accessible with the standard. I realize now some of the questions may be against how Ubuntu works. My apologies and thanks again for your helpful advice, will keep reading and learning
    Last edited by nanoemp; February 18th, 2021 at 10:47 AM. Reason: details

  6. #16
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Questions about users management

    Quote Originally Posted by nanoemp View Post
    Hi all and thank you very much for taking the time for such comprehensive answers. I really appreciate that. It could be, but this is not school assignment. We do not have proper IT service but I like informatics, and I've been tasked to do this by my boss. Apart from the fairness of that, it is how it is, and I thank you for your help! Great community. I agree with you all that I should start learning from the bottom. All the links and comments are appreciated and I'm on it. My current thoughts now are an administrator account+standard account. Then from the admin account, limit the permissions of some folder, I'd say:
    Code:
    sudo chmod 0700 /home/username
    And maybe the same over some folders in external hard disks.

    Just couple of questions provided that this approach is acceptable:
    * How could I restore the permissions the way they were, if needed? "sudo chmod 0755" from the admin account?
    * I could affirm that the "privacy" of the admin user is guarenteed this way, right? And that the "private things", including files and folders with changed permissions, and passwords, mails, of the admin user are not accessible with the standard. I realize now some of the questions may be against how Ubuntu works. My apologies and thanks again for your helpful advice, will keep reading and learning
    Ubuntu user accounts automatically create a unique group that matches the username. This can be confusing. The group name and the username do not have to be related, but they are completely different things.

    Don't use sudo so much.
    The owner of any file/directory can change the permissions of that file/directory. So {username} can run this:
    Code:
    chmod 0700 /home/{username}
    no sudo needed.
    BTW, /home/{username} is only convention. It is not mandated or even hard-coded anywhere. The password entry for every userid specifies the HOME directory for that user. /home/ is nothing special.
    Code:
    drwxr-x--- 194 thefu   thefu   20480 Feb 17 19:46 thefu/
    The first "thefu" is the owner.
    The second "thefu" is the group.
    Code:
    $ id thefu
    uid=1000(thefu) gid=1000(thefu) groups=1000(thefu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare),126(docker)
    To get a list of the members to a group, use:
    Code:
    getent group {name-of-group}
    The getent tool understands local file-based users and whatever remote user store has been configured on the system, like LDAP or other directory services. Most home users don't know about getent and would use something like
    Code:
    grep {name-of-group} /etc/group
    Anyways, TLCL book should be clear about users, uids, usernames, groups, gids, and groupnames before heading off into permissions.

    If you want to put things back, the best way is to have automatic, daily, versioned, backups. There are at least 1000 reasons to have those.

    All computers have a flaw when it comes to security. If physical access is allowed, then someone else can always pull the HDD/SSD and connect it to another computer they control, then access anything they like on the disk. There's only one solution to mitigate that. Whole drive encryption. Heck, if I have 90 seconds alone with most Linux computers, I can force a reboot using a flash drive I carry with me, copy off any data I like (I'm root on my flash drive), and reboot the system back into the normal OS. What's worse is that flash drive to accomplish this is distributed world-wide by 20+ Linux distros. We call them "Installer ISOs". Using an Installer ISO in a "Try Ubuntu" mode, provides all the tools and access we need, usually.

    But if the storage inside the computer is encrypted using LUKs, then someone booting from a "Try Ubuntu" or any other distro flash environment can't gain access unless one of the passphrases used to unlock the storage is trivial. LUKS has 8 slots for holding passphrases, so 8 different people can use the same computer, but not share the disk unlock passphrase. I use 4 different unlock methods with my laptop. One is a really long passphrase that I probably couldn't actually type manually. It is a backup for the others. I have 2 yubikeys. One is setup in a challenge-response way. I'm prompted by the yubikey with a challenge. If the correct entry is made, then the yubikey enters a response into LUKS to unlock the storage. And the last 2 use other features of a yubikey along with a shorter passphrase that I know to create a long, 2-part, password entry that unlocks the storage.

    Without encryption, all storage is open to anyone with minimal skills. Just boot from your Ubuntu Installer ISO, choose "Try Ubuntu" from the menu and see what you can see. BTW, this is a method commonly used to fix some startup and storage problems across all Linux systems, so you'll want to have a flash drive with the same release of Ubuntu as you run on your servers and workstations handy.

  7. #17
    Join Date
    Feb 2021
    Beans
    5

    Re: Questions about users management

    Thank you for all the helpful information.

    Regards

Page 2 of 2 FirstFirst 12

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •