Ubuntu Servers :: Give Power Users Ability To Access All Of Their Folders Without Thrashing Security.
Feb 8, 2011
So, I am looking to implement an FTP server with Isolated Client accounts/directories where a client can only access what's in their directory. I also need to provide my internal users (content managers) the ability to upload, delete, etc from all of the Client accounts. The simple part is creating the secure client accounts. It's a matter of changing DIR_MODE in adduser.conf to 700 or 770, creating a user, having the FTP server chroot them to their home directory, revoke/restrict shell/ssh access and maybe even slap on some ACL to prevent botched permissions. The hard part is figuring out how to give my power users the ability to access all of their folders without thrashing security.
My first thought was to put all of the client user-groups in a parent group and having my internal users inherit group permissions... but you can't have groups inside of groups. My second thought was to put all of the client users in the same group and pray that the FTP chroot is enough to keep them from poking around but then I have the problem of how do my internal users access other user directories if they are chrooted. Do I create a second server without chroot... do I create some weird nested homedir structure... I honestly have no idea how to satisfy both requirements (secure client accounts and privileged user accounts). I need my privileged users to authenticate against Active Directory via Likewise open, LDAP, etc and I don't care how the clients authenticate. Though, I would prefer to have both file and FTP-server level protection just to make sure no one can see the other client's data.
I am not at all convinced by the idea of giving permissions to read,write and execute as these Learning Management Systems say. Let me know what you people have to say? What is the best practise in such situations? I have to get all these LMS run on same web server.
I decided to consult you before making any changes, because the clients' PCs are spread all over the country and I do not have physical access to their boxes. The idea is to take away the ability of using sudo for common users. I know that the syntax of this file may vary a bit in different distributions. Our OS is Ubuntu 10.10. I created the account 'support' for me and other technician staff of our department. So, 'support' user must have all the power. And common users mustn't have access to 'sudo'. This is the requirement. As far as I remember, in Slackware the user must be a member of 'wheel' group to be able to use 'sudo' (but I may be wrong).
I just created a 2nd user on my computer. I've got the hard drive that ubuntu runs on, and then a 2tb drive for media. If the 2tb is mounted on my desktop, it won't show up on his desktop even if I'm logged out. It won't show up on his unless I unmount on mine.
If I'm logged out I'm obviously not using it. So why doesn't it show up? He has all privileges. Is there a way to make this work without having to unmount?
I'm running karmic btw. If you need computer info let me know what to type into the terminal and whatnot and I'll paste it all here!
I have my own dedicated server box running (using it for game servers). I access it via ssh and I have root control of it. It has the Fedora operating system. I wanna give FTP control of different directories to different users. Right now there are no other FTP users except root. I have installed vsftpd and don't know what I should do next. How do I add users (who can read/write/delete files) and how do I restrict them to their home directory?
Here is what I want:
username: client1 password: 12345 home directory: home/server1
username: client2 password: 12345 home directory: home/server2
I want to give priority access for some users when they log on to the Redhat Server. I changed the /etc/security/limits.conf file but I am still not able to get the priority.
The desktop computer of my two children has a total of three users:
1) The superuser (me)
2) The user 1001 (my elder son)
3) The user 1002 (my younger son)
Both users 1001 and 1002 can not access their files system, and also they can not save any attachments from incoming mails.
What I tried so far: I accessed the file manager as superuser, and went: >Root>Home. Here I right-clicked on the folder User 1001, selected properties, selected the tab 'permissions' and allowed this user to read and write into this folder. I also checked the checkbox 'extend this permission to all subfolders and its contents'.
The problem is, when I reboot, everything is 'forgotten' and I am at quadrant zero again.
Eventually I should state that part of the folders are from a backup drive, because the hard disk had to be replaced so, once I re-installed the OS on the new hard drive, I copied the folders from the backup drive into the home folder.
One last question: Is there a good tutorial about permissions?
A small lab of Linux servers contains two servers. The administrator wishes to permit user settings and project files to be available when users log in on any machine. Describe the server processes needed on the servers.
I have configured a few folders accessed by 3 users. In the common folder, only the user that created a document can make changes. The rest of the users can only read the file but cannot make changes. Ownership of the folder is admin, group is sambashare, which already has access to create and delete files. All 3 users are already in the sambashare main group, and they can only edit the files that they copy or create in the common folder .........
We use PAM to control access to our RHEL4 servers. We would like PAM to give a message, of our choice, when users who are not allowed to login try to login. PAM's default is to let the user try 3 times without any explanation.
Apache by default points to /var/www/eachdomain. I need to be able to give users ftp access to /var/www/specific domains.
It seems that if I change the owner of /var/www/specificdomains/ to the user in question, then www:data no longer owns the directory and Apache starts to have issues..
What's the best way to set this such that I can allow users to FTP into specific directories, and still have www:data own them? I'm currently using vsftp, but that can easily change.
I have a log server that collects logs from all the cisco devices on our network. The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the cisco logs are kept.
Code:
drwx------ 65 root root 4096 Apr 29 7:38 rsyslog
The cisco folks are requesting access to these logs, which is allowed by company policy.
When I connect to my ubuntu 9.10 x86_64 freenx server from Linux/Mac, shared folders from the client side are properly mounted and I can use them with no problems.
When I connect to the same server from windows box, I get this error message:
Quote:
Info: Share: '//COMPUTER/FOLDER' failed to mount: mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
For the last two days I was googling a lot about this but all I tried didn't work.
Is there somebody whose shared folder works from a Windows connection?
I've set up smbd 3.4.7 on 10.04x64 LTS server. I've set up a couple shares and I'm having problems blocking access to certain directories using native file permissions. There is one directory that has folders for each sales rep to store their current list of quoted clients, I only want sales people to be able to browse the directories owned by themselves. Everything seems to be set up correctly in terms of user groups and permissions on the filesystem.
Below is marina, a sales rep, and brian, a super user of sorts.
id marina:
Code:
uid=1011(marina) gid=1006(office) groups=1006(office),1005(sales)
id nick:
Code:
uid=1000(brian) gid=1006(office) groups=1006(office),118(admin),1001(full),1002(processing),1003(management),1004(it),1005(sales)
Below is the directory with all the sales reps folders.
ls -la:
Code:
total 60
drwxrwxr-x 15 root it 4096 2011-02-10 20:06 .
drwxr-x--- 9 root office 4096 2010-11-19 12:40 ..
drwxrwx--- 13 katya full 4096 2010-12-07 12:36 Katya
drwxrwx--- 18 lana full 4096 2011-02-08 17:09 Lana
drwxrwx--- 23 marina full 4096 2011-02-10 18:09 Marina
drwxrwx--- 4 mike full 4096 2011-02-01 12:42 Mike
With this setup marina should only be able to browse her folder, but she can browse all folders and has full write access to all folders. This leads me to believe something is up with the smbd.conf file, which is below.
Code:
[global]
workgroup = COMTREAD
null passwords = no
server string = Root Server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
.....
In this case the valid users directive would not work cause I am not making a share for each user. I had this on other shares like the db2 share. My windows box lagged heavily when I tried to access that share with an invalid user. How to deny users the ability to modify permissions I would also like to do that.
I have a problem with virtual users in vsftpd. When they create a folder they can't make another in that folder, or for example they can't see files they upload in that directory... I tried to change that write permission in their config file, with every combination of local_umask and file_open mode values. How can I handle that? I want the virtual user who creates a directory (in their root directory) to have all privileges to that folder and all content in that folder.
I've installed Ubuntu Server 7.10 Gutsy and Webmin 1.500 on it. The thing that I want to do is: I want to share a folder and sub folders for windows users (guest user). I should be able to modify those folders from my ubuntu desktop 9.10 karmic; they are all the same folders. Is it possible? If yes, how can I do it? You can explain using webmin or the samba configuration file.
I have a machine (let's call it machine 1) with two network cards, eth0 and eth1. Both have static IPs. Once in a while the machine refuses to give access to the Internet via Firefox (eth0 is the route to router). Other machines on the network have no problems accessing the Internet. Eventually the machine would just magically start working again, but this time it just seems to have stayed broken. I've done some simple diagnostics and found:
a) I have another machine running Apache with a Wiki on our network - [URL]. Machine 1 is unable to connect to this Wiki. I get 'the connection has timed out'. I can ping 192.168.1.73 and it responds in the usual fashion.
b) If I try to ping www.google.com it times out with: ping: unknown host www.google.com. I can ping google using its IP address.
c) On machine 1 I have tried traceroute on both www.google.com and its IP and I just get:
1 * * *
2 * * *
And so on until hop 30. Doing this on any other machine on the network works. So while it seems I can ping internally in our network and outside, but when it attempts anything traceroute or URL related it does not work.
I just realized that I can access other users' files and they can access my files simply by using the console to navigate the file system. It's not that big a deal, I am the only one using the computer, but this seems like something is not configured correctly. Should each user be able to look at and modify each other's files by default? (On Xubuntu 10)
1- I've set up 3 virtual users, one of them is a system one (with a different password) and writes on his own home folder. With this one I haven't found any problems yet, but with the other 2 users I can't access files/folders created by them. It's a permissions problem for sure, but I'm not sure how to correct it. With these users I can upload files, create files and create folders. The problem is I can't access what I create (I can't enter a folder I created but it is there and I can upload files into it).
2- Whenever I turn on ssl_enable=YES I can't access the server (even from the server itself when I connect to localhost, it's a regular Ubuntu installation). Here's the config file for the users:
How to get rid of access denied 404/403 for localhost's other folders? I am using LAMP and trying to access my site, which is placed in a folder within the document root, but it's showing access denied. How can I edit permissions?
I configured my apache2. On my Intrepid I had apache2.0 while on my Karmic I have apache2.2. After configuring I tested it and got an error page when I tested it in my web browser. I looked into the log file that showed the following error "[client 127.0.0.1] (13)Permission denied: access to /my_dir/ denied".
It appears apache2.2 can't access directories in my home folder. File system rights for the files and folders are correct. There is no AppArmor profile for Apache. User settings in "/etc/apache2/apache2.conf" file are correct. The inaccessible folder in "/etc/apache2/sites-available/default" looks as follows:
[Code]...
A trick using symbolic links didn't work either. On my previous Intrepid with Apache 2.0 my pages worked like a charm. Now on my current Karmic (before apache2.conf was pre configured, now it's not) with Apache 2.2 my pages are wrecked. how I can make Apache2.2 access folders in my home folder and which settings are needed in default file for that?
Just installed lamp, I can access phpmyadmin mysql is set up and everything. When I try to view a directory [URL] I get an access denied error.
EDIT: I changed the permissions of the "folder" folder itself, I can access everything in that directory now but not any other folders in it. Do I really need to go through every folder every time and change the permissions?
I've managed to set up Ubuntu Server 9.10, and created folders/files to view/edit/execute with Windows and Mac.
Now here is my dilemma, this is for a home server, and I will have 4 users (1 for myself, one with "admin" rights, my fiance (mac user), media pc, and a "guest" account for the computer or 2 that are out in the public (they don't need access to my taxes)).
I'd like to have it so that on my laptop, I can access the whole server, but some files/folders would even need me to put in a password. I want to do this because my fiance gets delete happy and deletes things, so if she goes on my computer she won't delete important info. I'd like her to have access to music, photos, and videos, as well as her having her own folder that she can treat as her hard drive.
The question is, do I need to setup a domain for this, or can I get away with a workgroup?
I have a server set up with all my web development stuff in /var/www and in several sub-folders within that (each project having its own folder). It works great with one FTP account. But recently I've been getting help on a project from a buddy of mine that freelances, and have made him an FTP user account as well. All is fine, except for when he tries to edit a file and gets a permissions error.
Here's the issue, I don't want us to have the same FTP login, but all the files are currently owned by my user name. So, when he logs in to edit a file, he can't because I'm the owner, and the files are set to 744. Will I cause any harm by adding both users to the same group (www-data) and chmod'ing the files to 775 so that we can both access and modify the files?
Quick question - I would like to know how to prevent users from accessing directories above the directory used for ftp. I'm running proftpd and I'm able to connect outside of my LAN, however all user accounts can click "Up to higher level directory" and access everything, all the way up to the root directory. How can I make this inaccessible/not visible to users connecting to my server, allowing access only to the directories and subdirectories I have specified?
I've got a Samba server (CentOS)(I swear all my non-work boxes are Ubuntu) that has been working fine in our Active Directory environment for a long time, now that Windows 7 has been forced upon us, we've noticed that Win 7 users aren't able to authenticate to this server unless they access it using the IP address, e.g. \192.168.1.22. We've tried the different Windows 7 registry hacks and nothing makes a difference. We were advised to update Samba and we did to 3.3.8. However, this being a virtual machine, upgrading a clone of this machine did work, the configuration was identical, except the hostname
This morning I found none of the sites were responding. The server itself sounded like it was thrashing the hard drive.
It wasn't responding to the FTP client or SSH connections. Web pages just sat there like they were loading very slowly but never actually loaded.
How can I find out what went wrong? I don't have a massive amount of experience with linux, particularly the server variant.
It's worried me a little that the drupal report shows several page not found errors like someone (a bot maybe) was trying to see what php setup files they could access.