Security :: Set Permissions For Multiple Groups To Have Different Levels Of Access To One Group Of Files?
Feb 5, 2010
I am setting up a samba server to operate in a windows AD domain. I want to set permissions for multiple groups to have different levels of access to one group of files, and it looks to me like unix permissions will not do that? I always hear about how robust linux is, and it seems to me that their file permissions model is WEAK compared to microsoft's?
I have a remote directory shared over NFS called tech with perms set as 0750 and owner set to root:tech. I have 2 groups: tech, and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute. I have 4 users: user1, user2, user3, user4. user1 and user2 is a member of techAdmin, user3 and user4 are members of tech. simple so far...but wait here's the problem. If user1 creates a file inside tech, user2 cant read or modify it because user1 owns it. Here's a few sites that reference this problem:
i want secondary users can able to change the files permissions of primary group?user MAC is having www as a primary and httpd as secondary group. But he want to change the file permissions (chmod) httpd group files. Is it possible or not? I think its not possible. If it`s possible then let me know how?
this directory has permissions 750 and is owned by user1 and group user1 I have an admin user that is primarily a part of group admin, but also a part of group user1 what would stop admin from having read and execute permissions on this directory? I'm running clamav and have a clamd daemon running as user admin (I could run it as any user, and I may make a special user later, but I don't want to run it as user1, user2, etc).
I have 2 (technically lots more, but let's just say 2 for now) users, user1 and user2 that have home directories /home/user1 and /home/user2. each is owned and group owned by user1:user1 and user2:user2 respectively with permissions of 750. my admin user is part of groups admin, user1, and user2 I need this to be able to scan my user's directories using the command (is this correct?):
If I change the directory permissions to 755, it works fine.Or if I leave the permissions 750 and change the directory group ownership to admin, it works fine. So, why would this be? Obviously it is a permissions issue, but why is it not reading admin as part of the user1 group and allowing the same permissions as it does when making the directory group-owned by admin?
I have several directories, each owned by root and a group of the same name,By setting the sgid bit, I made sure that newly created files and directories are owned by the correct group, and that directories have the sgid bit set too.On each newly created directory or file, the permissions are set to 755. This is because this is the default umask, and I cannot change a users umask. I actually only want files created below a particular directory to have group write access, inheriting this behaviour to newly created directories properly.I'm not on samba or NFS, I have to do this for SSH users.The filesystem is ext3.I started to fool around with ACLs, but couldn't find what I was looking for.
We are a school and we share a samba folder with students and teacher groups. What we are trying to do is:
- Give students group users the permissions to rwx own files in folder
- Students must not be able to do anything with others files. I mean nothing so, at most, they could see the files in folder but not read it.
- Teachers can do anything with files in folder
As you can imagine, the idea is that students deliver their exams in that folder without the ability to read/copy the other students files. With sticky bit we can restrict students permissions to their own files, that is ok, but how to restrict all the permissions on other students files without restricting student access to that folder?
Slackware 13 64 bit Hp Photosmart c4280 USB (All-in-one)
- Printer successfully configured using CUPS
- Scanner only works when I am Root.
- When trying to access scanner as user it says there is no scanner attached.
What should be the groups for this user in order to access the scanner? Actually, they are: haldaemon, disk, audio, video, cdrom, plugdev, power, scanner, lp. Below are the outputs for sane-find-scanner (as both root and user), although, since the scanner works well under root, I am almost sure it is a problem with setting permissions and groups.
# sane-find-scanner # sane-find-scanner will now attempt to detect your scanner. If the # result is different from what you expected, first make sure your # scanner is powered up and properly connected to your computer.
Having set up many windows servers with complex permissions on shared folders, I now have to do the same in Linux (and I'm such a noob to Linux) I understand that each file/folder is assigned a user + group, and that the rights can be set for the user, the group and global (aka everybody else) My challenge is this, inside my shared folder there is a folder that should be RW to some users, READ ONLY to others, and not accessible at all to the rest of the users. (lets call the folder MyFolder ) All 3 groups have more than 1 user, so they have to be groups (right?) How would this model work in Linux ? If there is no other way, I guess I can nest the MyFolder in a folder that has permissions to allow all users that may access MyFolder, and block the rest, then on MyFolder, set owner group the RW users, and set global to READ ONLY.
Ps : The server I'm setting up runs Debian Lenny, files will be accessed from windows workstations using samba.
I was about to post a new thread and saw that there are several answers out here already and I have done the new group permission one on my server -- actually on my test server I just added "my user" to the group "root" to gain rw access to /var/www/htdocs/.Someone suggested that the proper way might be to do symlinks to the directory in a real production environment and I wanted to find out if that is the *best* way to go or whether to actually make a group "www_admin" (pick your favorite flavor of this) and add my users to that group?
I guess I am looking for the "best practice" in a real corporate production environment that is most secure.
I have a file server running 10.04. I have a user that belongs to 2 groups (users is the primary and IT is the secondary). I have permissions set up so that this user and other users that belong to the IT groups can read/write files and others have no permissions whatsoever. I have also set the umask to 0007 so that any files created have the effective permissions. My concern is this: since my primary group is users, is it possible for me to create files with the owner group IT for only this specific folder?
I have a directory that needs to be owned by nginx user and I need to access it via other users in order to add/edit/delete files in it. So I created a group called www and added both then chgrp -R on the directory. However I am still getting a "unavailable to access no permissions" sort of error in my SSH/SCP/what ever you want to call Mac's Transmit. ls -a output drwxr----- 3 nginx www 4096 Jul 17 23:56 nginx
I'm using my Linux (SLES 10) server as a File Server at this point. I need to set File Permissions to nested folders differently to different groups. For example:
homesharedengineering* should be read only for groupA homesharedengineeringadmin should be read & write for groupB Plus read only for groupA homesharedengineeringautocad should be read & write for groupC Plus read only for groupA
I've been using Webmin and Putty to set permissions but Putty only allows me the Default Group, it won't allow me to set several groups on the same directory. Webmin seems to allow me to add multiple groups (Webmin --> Others --> File Manager --> Info & ACL tab will provide extended abilities) but when I add multiple groups, they don't seem to take effect? I'm wondering if my setup at the 'Share' level or at the hierarchy of my folder structure (unix based) needs to be set specifically?
OK I have multiple developers on a system and I have setup a area on the web server where they all should have access to and all that fun stuff. Now I do not want to setup these developers default group to be this single group cause they could be members of multiple groups...
/var/www/cust1 - Group Cust1 /var/www/cust2 - Group Cust2 etc...
Then say for the developers:
dev1 - member of Cust1 & Cust2 - Default group is dev1 dev2 - member of Cust2 - Default group is dev2 dev3 - member of Cust1 - Default group is dev3
So when they go into say /var/www/cust1 only dev1 & dev3 should have access to modify files and when they create/edit files the owner should be the user and the group I want it to be Cust1. Then when going to say the Cust2 area new files and stuff have Cust2 group access with RWX.
Is this possible for users to just use their normal accounts, or will I need to look are setting up "project" accounts where they can su into say dev1cust1 account which will have the default group of Cust1?
how you all handle this and what I might be able to do so that the permissions stick.
Dual PII 400, 512Mb with a Promise SuperTrak 100 IDE Array Controller. At present I have only one drive on the controller, configured for 1 JBOD array. I install FC9 with no problem. New partition is created and formatted, Grub is installed, and then... Grub is found and booted, but then I get:
Reading all physical volumes. This may take a while... No volume groups found Volume group "VolGroup00" not found Unable to access resume device (/dev/VolGroup00/LogVol01) mount: could not find filesystem '/dev/root' I can boot in rescue mode, chroot to the installed system. I changed the kernel boot parm "root=/dev/VolGroup00/LogVol00"
I made some files belong to root, so that my sister couldn't read them while she was staying with me, there were about 40 files altogether but I did them all at once by change the permissions of the folder and clicking "apply Permissions to enclosed files" but now I want to change them back to belonging to my user account so Opened a gksudo nautilus windows and I went on folder properties and set the permissions to [user] and clicked apply to enclosed files, but it only did the folder. I tried selecting all the files and changing them all at once that way but it won't let me, how can I make the files belong to me again, other then one by one? I dont know how to use the CLI that much.
I've created a new user for a SSH tunnel only.After login I can access all directories because permissions is set for "Others" to "Access files".Now my question: Is this normal that permissions for Folder access for "Others" is always set to "Access files"?I don't want my SSH tunnel user accessing the directories.
the permissions for my home directory were accidentally changed from 'access files' to 'create and delete files', and I changed them back, but ever since then I am not able to change any preferences/settings at all. power management, themes, panels, emerald, anything. my user account is supposed to be the administrator, and all the user privliges are checked. how to get control of my computer back?
I am setting up a new ubuntu server, and I am quite new to linux. This server will be used as code repository for a project I am going to be working on. I plan to setup 3 groups for users: dev, test, doc
- for various developers, testers and documentation users.
I would like to setup the following permissions on the main code repository directory:
dev - write permission test - execute permission doc - read permission public (anyone outside these groups) - deny all access
I am unsure what chmod setting to use, or if this is even possible in ubuntu.
I would like to create a bash script that creates a single group from all users in other groups.
I've been at it most of the day, and I think I'm making it too complicated. I have about 100 lines of code, and it's still now working the way I would like. I'm starting to trip over my own feet with the amount of if statements and variables.
What should I do if I want to allow access to USB flash drive selectively - Say for e.g. All permissions for "root", "Read/Write" for user "A", Only "Read" for user "B" and user "C" shouldn't be able to access or mount (no permissions) the USB flash drive at all.Also I want to do it by modifying entries in some files or by some commands (so that it can be done programatically if needed)
this is really a brainstorming thread seeking advise on how to setup some samba shares within a small office network. For the quick judgers:
-no I'm not an IT expect and I'm not even the IT at the office, I just fill in this gap too. -I have looked into several samba 'by example' tutorials - none seems to fit my needs or answer some of my Qs.
So I seek advise from your experience: What do I know:
-the functionality of the setgid to have subfolders inherit the group owner of the parent folder -the fact that I don't want samba in 'share' level in order to register the owners of files -the functionality of acls that enables inheritance of rwx permissions to subfoldrs of a parent folder. - the groupmod -o option but that doesn't help apparently.
So this is a 25ppl civil engineer consulting office. The physical groups of ppl working here are: engineers, drafters (those who generate the drawings , i'm not sure if thats the correct term), and secretaries. The job usually is done in the following way, once a project commences a project folder gets generated and everything is done in there. incoming mail arrives there (secretaries put it there), engineers do they calculations on speadsheets, write reports and do draft drawings and, finally, drafters take the draft drawings and finalize them. So pretty much everyone of these 3 groups needs write access to the main project folder.
How do I accomplish that? as which group should I create the project folders? It came to mind the notion of group of groups. Now that the actual owner of the file is not so important anymore (several engineers will need to have write access to the folder) and group becomes important, it would be nice to have the ability to add... groups (instead of users) to groups! so that the permissions to a group are inherited by its children groups... Does such functionality exist of can it be implemented somehow?
How do I go about giving access to everyone and at the same time, NOT giving up on the 'user' secutiry level of samba (and NOT just giving rwx permission to 'others'? Is it possible? or Should I instead forget about individuals and match the 'physical groups' to 'linux users' and 'groups of groups' to 'linux groups'? ( This means I should give on ownership of files by individuals )? Since its a small office some work is mixed - engineers might pickup incoming email, a secretary might do abit of drafting work etcetc.
Is there a way to restrict users that are logged into the shell via SSH/Telnet/SFTP from using the 'cd' command to move into certain directories, yet not use the chmod command to do it? For instance, restrict users logged in from accessing the /var/www/ folder but have it still accessible using a web browser. Also, would this defeat the purpose since they could just wget from it if its still web accessible through a browser?