
Thread: Everyone sees everything -don't want that

  1. #1


    opensuse 11.3 on the Linux box, Windows XP on another box both connected thru a Netgear router.

    It's been a couple of years since I was lucky enough to get swerdna's personal help setting up a previous system. But I've had to read through his tutorials again as the 1998 Maxtor system hard drive apparently achieved its mean time between failures and crashed. With those excellent resources I now again have my rebuilt Linux box sharing files with the Windows box. Nice!
    Also the printer attached to the Windows box is now shared and I can print from Linux to the Windows shared printer. Excellent.

    At this point tho I find that I've got 2 nagging issues that I need help resolving.
    1. All users on the Windows box can navigate around and see all other users' files. Indeed any user can pretty much see everything on this Windows box. At this point all the users are "admin" users and I'm thinking that may be the issue.
    1.a. Do I need to reassign the "common users" to the alternate account type in Windows ("Limited" accounts)?
    1.b. IF so then what do those users lose in terms of working with the system?

    2. Same on the Linux system. All users on the Linux box can log on and see all the others' /home folders.

    How do I stop a logged-on user from being able to see the other users' stuff?

    I do have [homes] share enabled as I'd like to be able to access my own /home folder from the Windows workstation.

    I know there are more details needed but rather than bloat the post with unwanted info, just let me know what I need to post to help resolve.

    Thanks!

  2. #2

    You can use: chmod og-rx $HOME
    to stop others from seeing your files.

    As root, you could also do:
    cd /home
    chmod og-rx *

    to make that change for all users. But don't be surprised if some users change it back. Personally, I make my home directory visible to all, and I restrict access only to places where I choose to restrict.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  3. #3

    On Sun March 13 2011 11:36 pm, SomeSuSEUser wrote:

    >
    > opensuse 11.3 on the Linux box, Windows XP on another box both connected
    > thru a Netgear router.
    >
    > It's been a couple of years since I was lucky enough to get swerdna's
    > personal help setting up a previous system. But I've had to read
    > through his tutorials again as the 1998 Maxtor system hard drive
    > apparently achieved its mean time between failures and crashed. With
    > those excellent resources I now again have my rebuilt Linux box sharing
    > files with the Windows box. Nice!
    > Also the printer attached to the Windows box is now shared and I can
    > print from Linux to the Windows shared printer. Excellent.
    >
    > At this point tho I find that I've got 2 nagging issues that I need
    > help resolving.
    > 1. All users on the Windows box can navigate around and see all other
    > users' files. Indeed any user can pretty much see everything on this
    > Windows box. At this point all the users are "admin" users and I'm
    > thinking that may be the issue.
    > 1.a. Do I need to reassign the "common users" to the alternate
    > account type in Windows ("Limited" accounts)?
    > 1.b. IF so then what do those users lose in terms of working with
    > the system?
    >
    > 2. Same on the Linux system. All users on the Linux box can log on and
    > see all the others' /home folders.
    >
    > How do I stop a logged-on user from being able to see the other
    > users' stuff?
    >
    > I do have [homes] share enabled as I'd like to be able to access my own
    > /home folder from the Windows workstation.
    >
    > I know there are more details needed but rather than bloat the post
    > with unwanted info, just let me know what I need to post to help
    > resolve.
    >
    > Thanks!
    >
    >

    SomeSuSeUser;

    Please post the contents of /etc/samba/smb.conf. You can conceal any
    confidential information such as public IPs or domain names with substitute
    values.
    --
    P. V.
    "We're all in this together, I'm pulling for you." Red Green

  4. #4

    On 2011-03-14 05:36, SomeSuSEUser wrote:
    > 1.a. Do I need to reassign the "common users" to the alternate
    > account type in Windows ("Limited" accounts)?


    IMO, yes.

    > 1.b. IF so then what do those users lose in terms of working with
    > the system?


    Nothing.

    Nothing that they should be able to do, like installing hardware or
    software, because that is your job and prerogative, not theirs.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  5. #5


    Please post the contents of /etc/samba/smb.conf. You can conceal any
    confidential information such as public IP's or Domain names with substitute
    values.
    --
    P. V.

    Thanks P.V. I think you helped me set this up the first time w/ swerdna... here's what I have:
    [global]
    workgroup = JeepNet
    netbios name = Popeye
    name resolve order = bcast host lmhosts wins
    local master = yes
    preferred master = yes
    os level = 65
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    load printers = yes
    use client driver = yes
    map to guest = Bad User
    server string = ""
    include = /etc/samba/dhcp.conf
    # logon path = \\%L\profiles\.msprofile
    # logon home = \\%L\%U\.9xprofile
    # logon drive = P:
    # usershare allow guests = Yes
    wins support = No
    ldap suffix =
    wins server =

    [homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

    ## Share disabled by YaST
    # [profiles]
    # comment = Network Profiles Service
    # path = %H
    # read only = No
    # store dos attributes = Yes
    # create mask = 0600
    # directory mask = 0700

    ## Share disabled by YaST
    # [users]
    # comment = All users
    # path = /home
    # read only = No
    # inherit acls = Yes
    # veto files = /aquota.user/groups/shares/

    [SharedFiles]
    comment = common shared files
    path = /home/Shared/
    read only = No
    force user = JeepNut
    valid users = JeepNut Lazy58
    inherit acls = Yes

    [SharedMovies]
    comment = Movies
    path = /home/JeepNut/Media/Movies/
    read only = Yes
    write list = JeepNut
    inherit acls = Yes

    [SharedMusic]
    comment = Music & more
    path = /home/JeepNut/Media/Music_&_Sounds/
    read only = Yes
    write list = JeepNut
    inherit acls = Yes

    [SharedPictures]
    comment = Pictures
    path = /home/JeepNut/Pictures/
    read only = Yes
    write list = JeepNut
    inherit acls = Yes

    [SharedVideos]
    comment = Music Videos, Youtube, TV Shows, etc.
    path = /home/JeepNut/Media/Videos/
    read only = Yes
    write list = JeepNut
    inherit acls = Yes

    [printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0700
    browseable = No
    guest ok = Yes

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

  6. #6


    Originally posted by robin_listas:
    On 2011-03-14 05:36, SomeSuSEUser wrote:
    > 1.a. Do I need to reassign the "common users" to the alternate
    > account type in Windows ("Limited" accounts)?


    IMO, yes.

    > 1.b. IF so then what do those users lose in terms of working with
    > the system?


    Nothing.

    Nothing that they should be able to do, like installing hardware or
    software, because that is your job and prerogative, not theirs.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

    Thanks! This is good info.

  7. #7

    On Mon March 14 2011 02:36 pm, SomeSuSEUser wrote:

    >
    > Please post the contents of /etc/samba/smb.conf. You can conceal any
    > confidential information such as public IP's or Domain names with
    > substitute
    > values.
    > --
    > P. V.
    >
    > Thanks P.V. I think you helped me set this up the first time w/
    > swerdna... here's what I have:
    > [global]
    > workgroup = JeepNet
    > netbios name = Popeye
    > name resolve order = bcast host lmhosts wins
    > local master = yes
    > preferred master = yes
    > os level = 65
    > passdb backend = tdbsam
    > printing = cups
    > printcap name = cups
    > printcap cache time = 750
    > cups options = raw
    > load printers = yes
    > use client driver = yes
    > map to guest = Bad User
    > server string = ""
    > include = /etc/samba/dhcp.conf
    > # logon path = \\%L\profiles\.msprofile
    > # logon home = \\%L\%U\.9xprofile
    > # logon drive = P:
    > # usershare allow guests = Yes
    > wins support = No
    > ldap suffix =
    > wins server =
    >
    > [homes]
    > comment = Home Directories
    > valid users = %S, %D%w%S
    > browseable = No
    > read only = No
    > inherit acls = Yes
    >
    > ## Share disabled by YaST
    > # [profiles]
    > # comment = Network Profiles Service
    > # path = %H
    > # read only = No
    > # store dos attributes = Yes
    > # create mask = 0600
    > # directory mask = 0700
    >
    > ## Share disabled by YaST
    > # [users]
    > # comment = All users
    > # path = /home
    > # read only = No
    > # inherit acls = Yes
    > # veto files = /aquota.user/groups/shares/
    >
    > [SharedFiles]
    > comment = common shared files
    > path = /home/Shared/
    > read only = No
    > force user = JeepNut
    > valid users = JeepNut Lazy58
    > inherit acls = Yes
    >
    > [SharedMovies]
    > comment = Movies
    > path = /home/JeepNut/Media/Movies/
    > read only = Yes
    > write list = JeepNut
    > inherit acls = Yes
    >
    > [SharedMusic]
    > comment = Music & more
    > path = /home/JeepNut/Media/Music_&_Sounds/
    > read only = Yes
    > write list = JeepNut
    > inherit acls = Yes
    >
    > [SharedPictures]
    > comment = Pictures
    > path = /home/JeepNut/Pictures/
    > read only = Yes
    > write list = JeepNut
    > inherit acls = Yes
    >
    > [SharedVideos]
    > comment = Music Videos, Youtube, TV Shows, etc.
    > path = /home/JeepNut/Media/Videos/
    > read only = Yes
    > write list = JeepNut
    > inherit acls = Yes
    >
    > [printers]
    > comment = All Printers
    > path = /var/tmp
    > printable = Yes
    > create mask = 0700
    > browseable = No
    > guest ok = Yes
    >
    > [print$]
    > comment = Printer Drivers
    > path = /var/lib/samba/drivers
    > write list = @ntadmin root
    > force group = ntadmin
    > create mask = 0664
    > directory mask = 0775
    >
    >

    SomeSuSEUser;

    I don't see any problems here. So let me try to get a better handle on this.

    If you connect to your opensuse 11.3 machine from a windows or Samba client,
    can you see anyone else's home directory ( other than your own)?

    If you connect to a windows machine from another machine ( Linux or Windows)
    do you see any files not shared? It is normal that any shared file is
    visible to Everyone.

    When you log on to opensuse as an ordinary user can you see the contents of
    other users' /home directories? If yes this is a permission problem on /home.
    See the post by nrickert. Just Google "Linux permissions" for lots of
    information on setting permissions.

    In windows, any user in the Administrative group has permissions for all
    files. Much like the Linux root user. To limit the access of users to
    others' files on the Windows machine they must be in "Limited accounts".

    Windows security increases considerably if users have a limited account and
    not an Administrator account. We insist on it for all Windows users. As
    most Windows users are accustomed to installing software "willy nilly" they
    often complain about this (particularly teenagers). Just eat a can of spinach
    and hold firm. You will have a lot less malware on the user's machines.

    P.S. I recall Popeye and JeepNut.
    --
    P. V.
    "We're all in this together, I'm pulling for you." Red Green

  8. #8


    Originally posted by venzkep:
    On Mon March 14 2011 02:36 pm,
    SomeSuSEUser;
    I don't see any problems here. So let me try to get a better handle on this.

    If you connect to your opensuse 11.3 machine from a windows or Samba client,
    can you see anyone else's home directory ( other than your own)?
    Ans: No.

    If you connect to a windows machine from another machine ( Linux or Windows)
    do you see any files not shared? It is normal that any shared file is
    visible to Everyone.
    Ans: Don't see any files on Windows box. Haven't attempted to share that direction.

    When you logon to opensuse as an ordinary user can you see the contents of
    other users /home directory? If yes this is a permission problem on /home.
    See the post by nrickert. Just Google "Linux permissions" for lots of
    information on setting permissions.
    Ans: No, but see below.

    In windows, any user in the Administrative group has permissions for all
    files. Much like the Linux root user. To limit the access of users to
    others files on the Windows machine they must be in "Limited accounts".

    Windows security increases considerably if users have a limited account and
    not an Administrator account...
    Ans. Understood, this is no longer an issue.
    @ both robin_listas and venzkep
    In answer I have edited the above considering the following permissions structure:

    /home/JeepNut drwx------
    /home/Lazy58 drwx------
    /home/Shared drwxrwx---T

    Now Lazy58 logged in and working from the Windows box can browse all files in the /home/Shared folder on the Linux box and can browse /home/Lazy58 folders on the Linux box but are restricted from any other folders.
    Close but still not good as there are folders stored under /home/JeepNut on the Linux box that I set up, intending to share. But just those folders, not everything under /home/JeepNut.

    The same condition exists for Lazy58 when logged onto the Linux box. Can browse all files in the /home/Shared folder on the Linux box and can browse /home/Lazy58 folders on the Linux box but are restricted from any other folders. Including restricted from the random shared folders under /home/JeepNut.

  9. #9

    On Tue March 22 2011 11:06 pm, SomeSuSEUser wrote:

    >
    > venzkep;2304664 Wrote:
    >> On Mon March 14 2011 02:36 pm,
    >> SomeSuSEUser;
    >> I don't see any problems here. So let me try to get a better handle
    >> on this.
    >>
    >> If you connect to your opensuse 11.3 machine from a windows or Samba
    >> client,
    >> can you see anyone else's home directory ( other than your own)?
    >> Ans: No.
    >>
    >> If you connect to a windows machine from another machine ( Linux or
    >> Windows)
    >> do you see any files not shared? It is normal that any shared file is
    >> visible to Everyone.
    >> Ans: Don't see any files on Windows box. Haven't attempted to
    >> share that direction.
    >>
    >> When you logon to opensuse as an ordinary user can you see the contents
    >> of
    >> other users /home directory? If yes this is a permission problem on
    >> /home.
    >> See the post by nrickert. Just Google "Linux permissions" for lots of
    >> information on setting permissions.
    >> Ans: No, but see below.
    >>
    >> In windows, any user in the Administrative group has permissions for
    >> all
    >> files. Much like the Linux root user. To limit the access of users to
    >> others files on the Windows machine they must be in "Limited accounts".
    >>
    >> Windows security increases considerably if users have a limited account
    >> and
    >> not an Administrator account...
    >> Ans. Understood, this is no longer an issue.
    >>

    >
    > @ both robin_listas and venzkep
    > In answer I have edited the above considering the following permissions
    > structure:
    >
    > /home/JeepNut drwx------
    > /home/Lazy58 drwx------
    > /home/Shared drwxrwx---T
    >
    > Now Lazy58 logged in and working from the Windows box can browse all
    > files in the /home/Shared folder on the Linux box and can browse
    > /home/Lazy58 folders on the Linux box but are restricted from any other
    > folders.
    > Close but still not good as there are folders stored under
    > /home/JeepNut on the Linux box that I set up, intending to share. But
    > just those folders, not everything under /home/JeepNut.
    >
    > The same condition exists for Lazy58 when logged onto the Linux box.
    > Can browse all files in the /home/Shared folder on the Linux box and can
    > browse /home/Lazy58 folders on the Linux box but are restricted from any
    > other folders. Including restricted from the random shared folders under
    > /home/JeepNut.
    >
    >

    SomeSuSEUser;

    For Windows access to these shares this HowTo should work:
    http://opensuse.swerdna.org/susesimpleshares.html

    However, I think you would be ahead to just rethink the location of the files
    you wish to share and place them in a folder outside your own home directory.
    If you do not want to use the extra disk space, you could just use links to
    point to the actual files.

    There is one additional consideration here, using links. By default Samba
    will not follow links in a share but you can place this in the share section
    of /etc/samba/smb.conf to allow the server to follow links.
    Code:
    wide links = yes
    Enabling "wide links" has certain security concerns, hence you should read the
    section of man smb.conf on "wide links".
    --
    P. V.
    "We're all in this together, I'm pulling for you." Red Green
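
Why the shares under /home/JeepNut stayed unreachable once the home directory was set to drwx------, and why relocating them (as suggested in post #9) works, shown as an added example that is not part of the original thread. The function names and the temporary directory tree are constructed for illustration; the check assumes GNU stat and that the visiting user (here Lazy58) falls in the "group" permission class for every directory on the path.

```shell
#!/bin/sh
# Added example: find which directory on a path stops a user from reaching a
# share. Reaching a folder needs the search (x) bit on EVERY parent directory,
# and Samba applies the same checks because it acts as the logged-in user.

# first_blocked_dir ROOT REL_PATH CLASS
# Prints the first directory under ROOT, on the way to REL_PATH, that lacks the
# x bit for CLASS ("group" or "other"). Prints nothing if every level passes.
first_blocked_dir() {
    cur=$1 rest=${2#/} class=$3
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue
        cur=$cur/$part
        [ -d "$cur" ] || { echo "$cur: not a directory" >&2; return 2; }
        mode=$(stat -c %a "$cur")          # octal mode, e.g. 700, 755, 1770
        if [ "$class" = group ]; then mode=${mode%?}; fi
        digit=${mode#"${mode%?}"}          # last remaining octal digit
        case $digit in
            1|3|5|7) ;;                    # x bit set: traversal allowed
            *) printf '%s\n' "$cur"; return 0 ;;
        esac
    done
}

# Constructed layout mirroring the permissions posted in the thread
# (built in a temporary directory, never touching the real /home).
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/JeepNut/Media/Movies" "$t/home/Lazy58" \
             "$t/home/Shared/Movies"
    chmod 755 "$t/home" "$t/home/JeepNut/Media" "$t/home/JeepNut/Media/Movies"
    chmod 700 "$t/home/JeepNut" "$t/home/Lazy58"   # drwx------
    chmod 1770 "$t/home/Shared"                    # drwxrwx---T
    chmod 750 "$t/home/Shared/Movies"              # relocated share
    printf '%s\n' "$t"
}

tree=$(make_demo_tree)
echo "share inside the 0700 home is blocked at: $(first_blocked_dir "$tree" home/JeepNut/Media/Movies group)"
echo "share relocated under Shared is blocked at: $(first_blocked_dir "$tree" home/Shared/Movies group) (empty means reachable)"
rm -rf "$tree"
```

The share's own mode (0755 on Movies) is irrelevant once a parent directory denies traversal, which is why keeping shared folders outside a private home directory avoids loosening the home directory itself.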

  10. #10

    Re: Everyone sees everything -don't want that <SOLVED>

    I'll call this solved.
    Wide Links didn't seem like what I wanted.
    So I have restructured my file layouts as suggested and this seems really to be the best solution.

    Thanks for the brainstorming!
