I’ve created a guest user in the group “user.” I’d like to limit its read access to its own home directory. However, by navigating through File system>home it’s able to read my home directory.
I was under the impression that users were limited to their own home directories. Am I missing something, or is there a group I can assign this guest to, to limit its read access to its own home directory?
I’ve read about Pessulus (I use Gnome), but that seems to be geared toward limiting access to applications, not directories.
Ideally, I’d like to create a group that cannot navigate through any files except its own home directory. But it seems that if I try to do that, the guest user will not be able to execute any applications.
I’ve read all the posts (and other forums) I could find about creating such a limited account, but the chroot jail is beyond my understanding. I get the feeling that it’s geared toward networks.
They are limited to only reading the home directory not writing.
And by default an user can’t read/write into someone else his Documents folder.
This won’t work because by default a users home directory is set to viewable for user from the same group and other groups.
You can see this by right-clicking on a home folder and look at the file-permissions.
What you can do is change the file-permissions of someone’s home folder.
You need to change it so that the user self can read/write his home folder, users from the same group can read, and others can’t read or write.
AFAIK there’s an option in KDE to let changes automatically apply to sub-folders/files.
Because the default is often that files are created by users to be readable by users of the same group (and most users are to lazy to look after their security). When you create a new user (why do you call him/her “guest user”, it is just another user) within the same group you get what you see.
I guess that you (and your family) have now all users belonging to the group users. When this new user should have less access to the files of the group users, create him in a (new) group.
And of course, as long as users (including you) create files world readable, (s)he still can read them. Maybe you should think a bit about security and how to set your umask or rstrict actively access to your files.
You look at it from the wrong direction, rights to read and write are file
properties not in the first place user properties.
To make it more clear: Completely independent of the groups you assign to a
user this user can always read the files where the read is allowed for
everyone.
By default the settings for a home directory look something like this
the last r to the right says read allowed for everyone (but not write).
You need to change the attributes of the files/directories you want to hide
not the “attributes” of the user.
chmod -R og-r martinh
would recursively make the the home directory martinh unreadable for
everyone except martinh.
Be carefull with system directories otherwise the user can no longer work or
run anything.
–
openSUSE 11.2 64 bit | Intel Core2 Quad Q8300@2.50GHz | Gnome 2.28 | GeForce
9600 GT | 4GB Ram
openSUSE 11.3 64 bit | Intel Core2 Duo T9300@2.50GHz | Gnome 2.30 | Quadro
FX 3600M | 4GB Ram
On 2010-09-17 20:36, xpacker wrote:
>
> I’ve created a guest user in the group “user.” I’d like to limit its
> read access to its own home directory. However, by navigating through
> File system>home it’s able to read my home directory.
Yes, that’s the default. Home directories are readable by users belonging to the “user” group.
> I was under the impression that users were limited to their own home
> directories. Am I missing something, or is there a group I can assign
> this guest to, to limit its read access to its own home directory?
You can create a new group, be it a common group for several guest users, or for each guest user.
Then assign the guest user to this group by default. You may have to switch the properties of each
existing file and directory for that user.
As nobody else belongs to this group, that user will not be able to get outside. Watch: don’t let it
belong to the users group as well.
Ie: look at the entry for that user in /etc/passwd:
Check also the following easy to understand links for a slightly more
descriptive explanation about user rights, file attributes and groups and
the umask
Thanks, everyone, for all your suggestions and hints. I really appreciate the gentle coaching to re-think my process altogether. Now that I’ve overcome my mental block, I’m understanding how powerful and specific the Linux way of setting permissions is. Here’s what I came up with:
Using YAST, I created a group “guests” and assigned my guest account to this group, removing it from the general “user” group.
I used chmod to assign new permissions for the “user” group – basically for my family members. I wanted us to be able to read and execute each other’s files, but hide them from the guest. $ chmod -R 750 /home/familyusername
I used chmod to make the guest’s home directory completely accessible and writable by everyone else. $ chmod -R 777 /home/guest
Then using umask, I set new defaults for any future files created by the “user” group. I wanted them to be accessible to family members (we share a data partition), but hidden from the guest. So I went into each family member’s login id, then $ umask 007
To make any files created by the guest completely accessible by everyone else, I went into the guest account and $ umask 000
I hope this helps anyone else trying to create a guest account. My aim is to allow houseguests to use my computer, without any fear that they’ll accidentally get into private files. I want the guests to be able to create any files they may need, but I also want to make it easy for me to delete them afterward. Since they need the root password to write anywhere but their home directory, this seems a pretty safe setup.
On second thought, I’d better make the future “user”-created files only readable and executable by other members of the “user” group – not deletable by them. So I think that #4 above should be $ umask 027
I may not understand this command perfectly, so others please correct me if this is an error.
So it is definitely completely accessible and writable by the whole world.
You could also use chmod -R 770 to restrict the access to members of the “guests” group and add yourself or others to that group with:
**usermod -A guests username ** username being the login name of the user you want to add, i.e yourself and your family members. It is safer but it’s up to you.
You can also place the sticky bit on /home/guests, so your guests can create files but won’t be allowed to delete or overwrite files created by other guests. That’s usually what you would use on public directories. chmod 1770 /home/guests
...
# The default group for users
# 1000=users on Debian systems
# same then USERS_GID in adduser
# Please be aware that Debian's adduser defaults to "user groups"
# which means that one group is created for each user
# There is no way to achieve this with useradd which must remains a low
# level utility
# GROUP=100
...
Hmmmmm–these are very good points. Carlos is correct – I do trust my friends’ intentions. However, just playing around, they could accidentally do something I don’t want. I suppose I could do the $ chmod -R 770 /home/guest – since I have the password anyway. I can clean out the directory, or even delete the account altogether to clear out the activity.
But I like the idea of a chrooted home the best. Is there any noob-friendly documentation on doing this? I’ve searched, but I never found a source that I could understand very clearly.
On 2010-09-18 21:06, xpacker wrote:
>
>> So it is definitely completely accessible and writable by the whole
>> world.
>
> Hmmmm–good point. I hadn’t thought that through carefully.
>
>> You could also use chmod -R 770 to restrict the access to members of
>> the “guests” group and add yourself or others to that group with:
>> USERMOD -A GUESTS -USERNAME-
>> -username- being the login name of the user you want to add, i.e
>> yourself and your family members. It is safer but it’s up to you.
>
> Now, if I add my family members to the “guests” group, does that mean
> that the user “guest” is part of a group that can read/execute in our
> home directories?
No, it means that members of group “guests” (ie, you, your family) can access the “guest” user files.
Thanks for the clarification, Carlos. I was under the impression that “group” specified by user/group/others meant all the groups, not just the default group. This is exactly what I want: read/execute access between family members, but the guest account has no access to our home directories.
May I be a little bit more precise? It is not “the default group”. It is the group that owns the file. E.g.:
henk@boven:~> ls -ld Mail
drwx-w---- 11 henk wij 4096 sep 21 10:19 Mail
henk@boven:~>
shows you a directory Mail where user henk is owner and group wij is the owning group.
. User henk may read, write and search in the directory;
. All members of group wij (either if that is their default group at login or when they are allowed to change to that group and have done so) may write to the directory (writing to a directory means e.g. deleting files in there);
. All others are denied any access.
Thanks, Henk. I understand it little more now. I have heard of the chown command but never used it myself. I’ll have to read more about ownership now. Thanks!
You are welcome. The learning curve is quite steep and in fact, when one starts using Unix/Linux there are to many subjects you want to understand at once. But when you have some spare time, just tae a subject (like this ownership/acess right thing) and strat to find info. It helps and you will enjoy it.
On 2010-09-21 16:46, hcvv wrote:
>
> May I be a little bit more precise? It is not “the default group”. It
> is the group that owns the file. E.g.:
Maybe I’ll add a bit more.
If I used the term “default group” I meant that every user belongs to a… I’m not sure what to call
it, a “default group”, plus a list of groups. The first one is the one listed in the passwd line for
that user:
and the list of other groups is handled in the group file by listing users that belong to each group.
What is different about the “default group”? That when a user creates a file, it belongs to that
user and to the “default group”.
In this case, make sure that the guest user is not listed as belonging to the “users” group, or it
will have access to your “homes”. It is easy to do, but it is also easy to forget if somebody else
is doing maintenance, or a year later. One thing that is missing in the passwd and group files is a
field for comments.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))
