Solved

Permissions for individual users

Posted on 2004-09-12
Last Modified: 2010-08-05
Hi, have an SSH box at my house and I gave a few of my friends a shell.  Just so they don't screw around, I've been doing

chmod 700 telnet
chmod 700 nmap

etc..

Now, this effectively prevents them from accessing those programs. Is there any way to give certain users access, while denying others?

Thanks
Question by:dissolved
13 Comments
 
LVL 40

Assisted Solution

by:jlevie
jlevie earned 150 total points
ID: 12038802
You could create a special group, place those users in that group, change group ownership for telnet, nmap, etc, to be that group, and finally set the mode of those utilities to be 0750.
0
 

Author Comment

by:dissolved
ID: 12038810
Ok, so make a new group and throw the users in there.

1. How do I change group ownership for telnet and nmap

2. What do you mean by "set the mode of those utilities to be 0750" ?  

Sorry, still working on this linux stuff :D
0
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039147
>1. How do I change group ownership for telnet and nmap
chgrp groupname /path/to/file

eg:
chgrp special /usr/bin/nmap

You must add the group first:
groupadd special


>2. What do you mean by "set the mode of those utilities to be 0750" ?
chmod 750 /path/to/file

The process is something like this:
================
[22:45:51][root@admod:~]# chgrp wheel file
[22:46:06][root@admod:~]# ls -l file
-rw-r--r--  1 root wheel 0 Sep 12 22:45 file
[22:46:08][root@admod:~]# chmod 750 file
[22:46:25][root@admod:~]# ls -l file
-rwxr-x---  1 root wheel 0 Sep 12 22:45 file
====================
0
 

Author Comment

by:dissolved
ID: 12039300
Thanks sunjith.  A few more questions (for anyone)

1. Ok, I created the group "special".   Is it possible to move existing users into it?

2. What does the "chgrp special /usr/bin/nmap"   command do exactly?

3. Would it be possible for someone to give me the exact commands (in order) if it's not too much trouble?  Having trouble grasping the concept.

thanks!
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12039381
> Ok, I created the group "special".   Is it possible to move existing users into it?

Yes, edit /etc/passwd and change the group ID for those users. The group ID is the fourth field, e.g.:

nfsnobody:x:65534:65534:Anonymous NFS User:
                  ^^^^^

Then for each user that you've made a member of the special group execute:

chgrp -R special /home/username

> What does the "chgrp special /usr/bin/nmap"   command do exactly?

That sets the group ownership of the specified file to be special (do an 'ls -l /usr/bin/nmap' before and after and you'll see what happened).

> Would it be possible for someone to give me the exact commands (in order) if it's not too much trouble?  Having
> trouble grasping the concept.

Okay, using /usr/bin/telnet, group special => 101 (your value will differ, check /etc/group), and the auser account:

chgrp special /usr/bin/telnet
chmod 0750 /usr/bin/telnet

Now for each user that will have this access:

1) Edit /etc/passwd and change the fourth field to be 101:

auser:x:501:501:Special Friend:/home/auser:/bin/bash
--becomes--
auser:x:501:101:Special Friend:/home/auser:/bin/bash

2) Fix home dir ownership:

chgrp -R special /home/auser
0
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039506
>1. Ok, I created the group "special".   Is it possible to move existing users into it?
You may also use the following command to add an existing user to group 'special' instead of editing /etc/passwd manually:
usermod -G special username
0
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039525
Also, you need not change the group of the home directory of the users to 'special'. If you change it, all users who are in special group may be able to access files/directories of other users in the same group.
0
 
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 50 total points
ID: 12039566
You can also add additional groups for a user without changing their main login group
by running "vigr" as root or editing the configuration file /etc/group.

It contains lines of the form
groupname:x:groupid:user1,user2,user3

This way you can make multiple such groups if you like.

Of course none of these changes will affect users already logged in immediately
(logout+relog will make changes of this nature take effect).
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 12039568
I mean add a user to multiple groups..

A user can only have one group in /etc/passwd
0
 
LVL 2

Accepted Solution

by:Sunjith
Sunjith earned 300 total points
ID: 12039570
>What does the "chgrp special /usr/bin/nmap"   command do exactly?
In most Unix/Linux-based file systems, a file has several properties. Some are file permissions, user id and group id. The file permissions can be set independently to read (r), write (w) or execute (x) for owner, group and others. The owner of the file is the user with the same uid as that of the file. If a file has some gid (say, special [it should actually be a numeral, though 'ls' usually resolves it to the group name]), all users who are part of that group (here, special) can have the permission as set for the group. The others means all those who are neither the owner of the file nor in the group of the file.
What chgrp does (as shown by 'ls'):
=============
[00:40:25][root@admod:~]# ls -l file
-rw-r--r--  1 root root 0 Sep 13 00:39 file
[00:40:26][root@admod:~]# chgrp wheel file
[00:40:29][root@admod:~]# ls -l file
-rw-r--r--  1 root wheel 0 Sep 13 00:39 file
====================

'ls -l' output explained:
=============
-rw-r--r--  1 root wheel 0 Sep 13 00:39 file

-             This is the file type bit. It shows whether the file is a regular file, a directory, a character special file, a block special file, a fifo, etc.
rw-           The next 3 characters are the permissions for the owner
r--           The next 3 chars are the permissions for the group
r--           The next 3 chars are the permissions for the others
1             This shows the number of hard links to this file
root          This is the owner of the file.
wheel         This is the group of the file
0             This is the size of the file
Sep 13 00:39  Time stamp of file
file          Name of the file
====================

Hope that helps
0
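
The steps from the answers above, collected into one script as an added example (not posted by any participant in this thread). The function names are hypothetical, and it assumes a Linux system with `getent`, `groupadd` and `usermod`; it uses `usermod -a -G` so that a user's existing supplementary groups are kept, since `-G` on its own replaces the list.

```shell
#!/bin/sh
# Added example. Names (special, auser, /usr/bin/telnet) follow the thread;
# the function names are hypothetical.

# Run as root. Restrict TOOL to members of GROUP, then add each USER to GROUP
# as a supplementary group (primary group and home directory stay untouched).
restrict_tool() {
    tool=$1 group=$2; shift 2
    getent group "$group" >/dev/null || groupadd "$group"
    chgrp "$group" "$tool"
    chmod 0750 "$tool"            # owner rwx, group r-x, others nothing
    for user in "$@"; do
        # -a appends; plain "usermod -G" would replace the user's other groups
        usermod -a -G "$group" "$user"
    done
}

# Return 0 only if FILE is group-owned by GROUP with mode rwxr-x--- (0750).
# Reads the "ls -l" fields explained above: field 1 is mode, field 4 is group.
check_restricted() {
    line=$(ls -ld -- "$1") || return 2
    mode=$(printf '%s\n' "$line" | awk '{print substr($1, 2, 9)}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    [ "$group" = "$2" ] && [ "$mode" = "rwxr-x---" ]
}

# Return 0 if USER has GROUP among its groups (primary or supplementary).
# A user who is already logged in must log in again before the kernel sees it.
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Demo on a constructed temp file (no root needed): 0644 fails, 0750 passes.
demo=$(mktemp)
demo_group=$(ls -ld -- "$demo" | awk '{print $4}')
chmod 0644 "$demo"
check_restricted "$demo" "$demo_group" || echo "0644: not restricted"
chmod 0750 "$demo"
check_restricted "$demo" "$demo_group" && echo "0750: restricted to $demo_group"
rm -f "$demo"
# As root, the real change would be: restrict_tool /usr/bin/telnet special auser
```

Running `check_restricted /usr/bin/telnet special` from cron or after package updates catches the case where an upgrade reinstalls the binary with its default owner and mode.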
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039630
There is a slight shift of the vertical lines when it came into the display :-(
Try to read it properly. If there is any doubt, please ask. I shall clarify.
0
 

Author Comment

by:dissolved
ID: 12040829
Thanks guys, especially sunjith and jlevie for the detailed description. I am going to give this a try tomorrow. Wish me luck, I am a unix noob.
0
 
LVL 2

Expert Comment

by:Sunjith
ID: 12040914
Wish you all the best with all your Linux endeavors :-)
0


Question has a verified solution.
