Configuring Centos ACL for group access

Hi,

I have a group of developers whom I want to limit access to all folders except for their home directory and a few shared folders.

For example, I want them to:

1) have read, write permissions to their own home directories and sub-directories,
2) can't go to root directory which contains /etc, etc.
3) can go to other directories but can't write or execute except /drid/shared/doc, /drid/shared/software, and /drid/shared/apps.
4) they can run wget and mysql.

Thanks
Asked by: wsyy

1 Solution

farzanj commented:
Make a devel group
groupadd devel

Put them into devel group
usermod -g devel first
...

setfacl -m g:devel:- /etc/

3) Should be the default
chgrp devel /drid/shared/{doc,software,apps}
chmod 770 /drid/shared/{doc,software,apps}


Having wget is default.

farzanj commented:

1) Should be default

2) Keeping them from going to / entirely would have serious side effects. Or at least you should know which folders in / they should have at least read and execute permissions for, so that they can at least continue their development work.
I took all privileges of going to /etc, which again may have unwanted side effects:
setfacl -m g:devel:- /etc/

farzanj commented:
OK, you can also put this ACL, which is easy to reverse:

setfacl -m g:devel:x /


farzanj commented:
Some of the restrictions you mentioned are kind of unrealistic.

I have given a command to keep them from going to the / (root) directory completely, but they can still go to its child directories. You have to make this decision yourself: which are the paths where you want to keep them out of the entire subdirectory tree?

You would need

setfacl -R -m g:devel:x <tree>

Be very careful as this may have unwanted side effects.

farzanj commented:
Please clarify a little bit more.  Also, I think you should make a list of directory trees where the users should not have access at all.

wsyy (Author) commented:
Hi farzanj,

I saw something like putting ACL constraints in a file, and then somehow execute the file. Do you know how to?

I think that is easier.

Thanks

farzanj commented:
Yes, you can put these commands in a file, make it executable and run the file.

The file would be similar to this one:


#!/bin/bash
setfacl -m g:devel:- /etc/



Save it as script.sh, then run:
chmod +x script.sh
./script.sh

But regardless of all this, you need to decide what folders you want to restrict and how much. This is a critical decision, as if you don't do it right, you would over-restrict, breaking applications and hurting your operations. This is why I am emphasizing that you plan and see what you need.

wsyy (Author) commented:
You mentioned that some can still access a sub-folder while its parent folder is restricted. Do we have a way to restrict a folder and its subsidiary folders?

farzanj commented:
If a folder's execute permission is not granted, no sub-folder is accessible. It can still be accessible when read and/or write permissions are not granted. So if you want to restrict the entire directory tree, all you need to do is restrict the parent's execute permission. However, if you want to do that, make sure there is no binary in there that you want any user to access. Suppose, for example, you restrict the /bin folder: now no one will have access to /bin/bash. So they will not even be able to access their shells, and they will see all kinds of strange error messages. One has to be extremely careful in doing so. This is one of the biggest reasons why people cannot configure it right and keep it very open, and then hackers get access too.
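An added example (not farzanj's script and not from this thread) for the check the last answer implies: a small bash helper that refuses to deny the devel group a directory tree when a command they must keep, such as wget or mysql from the question, resolves to a binary inside that tree. The group name, trees and command names are assumed placeholders.

```shell
#!/bin/bash
# Added helper, not from this thread: before denying the devel group a whole
# tree, confirm no command the group must keep resolves to a binary under it
# (the /bin -> /bin/bash breakage farzanj warns about). Names are placeholders.

# path_under_tree PATH TREE: succeeds if PATH is TREE or lies inside it.
path_under_tree() {
    local p=${1%/} t=${2%/}            # TREE "/" becomes "", which contains everything
    case "$p" in
        "$t"|"$t"/*) return 0 ;;
    esac
    return 1
}

# commands_under_tree TREE CMD...: prints each CMD whose binary lies under
# TREE; returns 1 if any did, 0 if TREE can be denied without losing a CMD.
commands_under_tree() {
    local tree=$1 cmd bin found=0
    shift
    for cmd in "$@"; do
        bin=$(command -v "$cmd" 2>/dev/null) || continue   # not installed: nothing to break
        bin=$(readlink -f -- "$bin" 2>/dev/null || printf '%s' "$bin")   # follow /bin -> /usr/bin
        if path_under_tree "$bin" "$tree"; then
            printf '%s -> %s\n' "$cmd" "$bin"
            found=1
        fi
    done
    return "$found"
}

# restrict_tree GROUP TREE CMD...: deny GROUP all access to TREE (without the
# execute bit no sub-folder is reachable), unless a required CMD lives there.
# With DRY_RUN=1 the setfacl line is printed instead of executed.
restrict_tree() {
    local group=$1 tree=$2
    shift 2
    if ! commands_under_tree "$tree" "$@" >/dev/null; then
        echo "refusing: commands the $group group needs live under $tree" >&2
        return 1
    fi
    if [ -n "$DRY_RUN" ]; then
        printf 'setfacl -R -m g:%s:- %s\n' "$group" "$tree"
    else
        setfacl -R -m "g:$group:-" "$tree"
    fi
}

# The question's own case, printed rather than applied.
DRY_RUN=1 restrict_tree devel /etc wget mysql
```

Run it without DRY_RUN as root once the restricted trees are decided; a refused tree is one where the listed commands would stop working for the group.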