Solved

Permissions for individual users

Posted on 2004-09-12
Last Modified: 2010-08-05
Hi, I have an SSH box at my house and I gave a few of my friends a shell. Just so they don't screw around, I've been doing

chmod 700 telnet
chmod 700 nmap

etc..

Now, this effectively prevents them from accessing those programs. Is there any way to give certain users access, while denying others?

Thanks
Question by:dissolved
13 Comments
 
LVL 40

Assisted Solution

by:jlevie
jlevie earned 150 total points
ID: 12038802
You could create a special group, place those users in that group, change group ownership for telnet, nmap, etc, to be that group, and finally set the mode of those utilities to be 0750.
 

Author Comment

by:dissolved
ID: 12038810
Ok, so make a new group and throw the users in there.

1. How do I change group ownership for telnet and nmap

2. What do you mean by "set the mode of those utilities to be 0750" ?  

Sorry, still working on this linux stuff :D
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039147
>1. How do I change group ownership for telnet and nmap
chgrp groupname /path/to/file

eg:
chgrp special /usr/bin/nmap

You must add the group first:
groupadd special


2. What do you mean by "set the mode of those utilities to be 0750" ?
chmod 750 /path/to/file

The process is something like this:
================
[22:45:51][root@admod:~]# chgrp wheel file
[22:46:06][root@admod:~]# ls -l file
-rw-r--r--  1 root wheel 0 Sep 12 22:45 file
[22:46:08][root@admod:~]# chmod 750 file
[22:46:25][root@admod:~]# ls -l file
-rwxr-x---  1 root wheel 0 Sep 12 22:45 file
====================
 

Author Comment

by:dissolved
ID: 12039300
Thanks Sunjith. A few more questions (for anyone)

1. Ok, I created the group "special". Is it possible to move existing users into it?

2. What does the "chgrp special /usr/bin/nmap"   command do exactly?

3. Would it be possible for someone to give me the exact commands (in order) if it's not too much trouble? Having trouble grasping the concept.

thanks!
 
LVL 40

Expert Comment

by:jlevie
ID: 12039381
> Ok, I created the group "special".   Is it possible to move existing users into it?

Yes, edit /etc/passwd and change the group ID for those users. The group ID is the fourth field, e.g.:

nfsnobody:x:65534:65534:Anonymous NFS User:
                  ^^^^^

Then for each user that you've made a member of the special group execute:

chgrp -R special /home/username

> What does the "chgrp special /usr/bin/nmap"   command do exactly?

That sets the group ownership of the specified file to be special (do an 'ls -l /usr/bin/nmap' before and after and you'll see what happened).

> Would it be possible for someone to give me the exact commands( in order) if its not too much trouble?  Having
> trouble grasping the concept.

Okay, using /usr/bin/telnet, group special => 101 (your value will differ, check /etc/group), and the auser account:

chgrp special /usr/bin/telnet
chmod 0750 /usr/bin/telnet

Now for each user that will have this access:

1) Edit /etc/passwd and change the fourth field to be 101:

auser:x:501:501:Special Friend:/home/auser:/bin/bash
--becomes--
auser:x:501:101:Special Friend:/home/auser:/bin/bash

2) Fix home dir ownership:

chgrp -R special /home/auser
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039506
>1. Ok, I created the group "special".   Is it possible to move existing users into it?
You may also use the following command to add an existing user to group 'special' instead of editing /etc/passwd manually:
usermod -aG special username
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039525
Also, you need not change the group of the home directory of the users to 'special'. If you change it, all users who are in special group may be able to access files/directories of other users in the same group.
 
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 50 total points
ID: 12039566
You can also add additional groups for a user without changing their main login group
by running "vigr" as root or editing the configuration file /etc/group

it contains lines of the form
groupname:x:groupid:user1,user2,user3

This way you can make multiple such groups if you like

Of course none of these changes will affect users who are already logged in immediately
(logging out and back in will make changes of this nature take effect)
 
LVL 23

Expert Comment

by:Mysidia
ID: 12039568
I mean add a user to multiple groups..

A user can only have one group in /etc/passwd
 
LVL 2

Accepted Solution

by:Sunjith
Sunjith earned 300 total points
ID: 12039570
>What does the "chgrp special /usr/bin/nmap"   command do exactly?
In most Unix/Linux based FileSystem, a file has several properties. Some are File permissions, user id and group id. The file permission can be set independently read (r), write (w) or execute (x) for owner, group and others. The owner of the file is the user with the same uid as that of the file. If a file has some gid (say, special [it should be actually a numeral, though 'ls' usually resolves it to the group name]), all users who are part of that group (here, special) can have the permission as set for the group. The others means all those who are neither the owner of the file nor in the group of the file.
What chgrp does (as shown by 'ls'):
=============
[00:40:25][root@admod:~]# ls -l file
-rw-r--r--  1 root root 0 Sep 13 00:39 file
[00:40:26][root@admod:~]# chgrp wheel file
[00:40:29][root@admod:~]# ls -l file
-rw-r--r--  1 root wheel 0 Sep 13 00:39 file
====================

'ls -l' output explained:
=============
-rw-r--r--  1 root wheel 0 Sep 13 00:39 file
^^  ^  ^    ^ ^    ^     ^ ^            ^
||  |  |    | |    |     | |            Name of the file
||  |  |    | |    |     | Time stamp of the file
||  |  |    | |    |     This is the size of the file
||  |  |    | |    This is the group of the file
||  |  |    | This is the owner of the file
||  |  |    This shows the number of hard links to this file
||  |  The next 3 chars are the permissions for the others
||  The next 3 chars are the permissions for the group
| The next 3 characters (2 to 4) are the permissions for the owner
This is the file type bit. It shows whether the file is a regular file, a directory, a character special file, a block special file, a fifo, etc.

Hope that helps
 
LVL 2

Expert Comment

by:Sunjith
ID: 12039630
There is a slight shift of the vertical lines when it came into the display :-(
Try to read it properly. If there is any doubt, please ask. I shall clarify.
 

Author Comment

by:dissolved
ID: 12040829
Thanks guys, especially sunjith and jlevie for the detailed description. I am going to give this a try tomorrow. Wish me luck, I am a unix noob.
 
LVL 2

Expert Comment

by:Sunjith
ID: 12040914
Wish you all the best with all your Linux endeavors :-)
