
Custom File Permissions - HELP

jovisuk
Posts: 65
Joined: 12 Sep 2010, 04:20

Custom File Permissions - HELP

Post by jovisuk »

Hi,

I've been customising the file system on my B3 and wanted to have a directory where the company files can be stored, but only accessible by certain users, so . . .

I have created 3 groups:

groupadd boss
groupadd office
groupadd employee

Then added each employee to their respective groups:

usermod -G boss,office,employee USERNAME

and so on, then have changed permissions on the folders:

chgrp -R boss /home/COMPANY/Level_One
chgrp -R office /home/COMPANY/Level_Two
chgrp -R employee /home/COMPANY/Level_Three

Then set permissions:

chmod -R 770 /home/COMPANY/

But for some reason I am unable to access the folder as any user at the moment, other than root?

Here is my code showing the groups and permissions, I'm unsure where I've gone wrong? Any ideas, anyone?

Groups Installed:

root@main-bubba:/etc# more group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:admin
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
mysql:x:103:
ssl-cert:x:104:
postfix:x:105:
postdrop:x:106:
mediatomb:x:107:
ntp:x:108:
dovecot:x:109:
lpadmin:x:110:
ssh:x:111:
messagebus:x:112:
avahi:x:113:
netdev:x:114:
sambashare:x:115:
admin:x:1000:
boss:x:1001:chrisward,stevespicer
employee:x:1002:chrisward,stevespicer,lauramorrison,tomstephens,lukestephens,joehenstridge
office:x:1003:chrisward,stevespicer,lauramorrison,joehenstridge

Permissions Print Outs:

root@main-bubba:/etc# ls -l /home
total 60
drwxrwx--- 5 root root 4096 Nov 9 16:43 COMPANY
drwxr-xr-x 2 admin admin 4096 Jan 20 2000 admin
drwxr-xr-x 4 chrisward users 4096 Nov 9 11:28 chrisward
drwxr-xr-x 5 joehenstridge users 4096 Nov 9 12:43 joehenstridge
drwxr-xr-x 4 lauramorrison users 4096 Nov 9 11:28 lauramorrison
drwxr-xr-x 2 root root 16384 Jan 20 2000 lost+found
drwxr-xr-x 4 lukestephens users 4096 Nov 9 11:29 lukestephens
drwxr-xr-x 7 main-user users 4096 Nov 5 19:52 main-user
drwxr-xr-x 4 stevespicer users 4096 Nov 9 11:28 stevespicer
drwxr-sr-x 10 root users 4096 Nov 8 22:56 storage
drwxr-xr-x 4 tomstephens users 4096 Nov 9 11:29 tomstephens
drwxr-sr-x 2 root users 4096 Jan 20 2000 web

root@main-bubba:~# ls -l /home/COMPANY
total 12
drwxrwx--- 2 root boss 4096 Nov 9 16:42 Level_One
drwxrwx--- 2 root employee 4096 Nov 9 16:43 Level_Three
drwxrwx--- 2 root office 4096 Nov 9 16:42 Level_Two
root@main-bubba:~#
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Custom File Permissions - HELP

Post by RandomUsername »

How are you trying to access the folders e.g. Samba, ssh etc?
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Custom File Permissions - HELP

Post by Ubi »

Exactly. One trick is to go to a folder (any folder) where you can write, and insert a new file. Then look at the exact owner and group of that file to see what your effective uid is. Samba has the tendency to not properly match Windows usernames to Unix usernames.

ubi
jovisuk
Posts: 65
Joined: 12 Sep 2010, 04:20

Re: Custom File Permissions - HELP

Post by jovisuk »

I'm trying to access the folder through Windows Explorer, will create a file in a folder I can access then check permissions and post.
jovisuk
Posts: 65
Joined: 12 Sep 2010, 04:20

Re: Custom File Permissions - HELP

Post by jovisuk »

Have created a file called created1445.txt in Windows Explorer as user chrisward, in the folder chrisward - the user chrisward has been put in group "boss" so should be able to access COMPANY/Level_One but cannot even get into COMPANY

Am I right in thinking the problem is that the COMPANY folder has root and root as its access, not root and users?

I could be wrong, just hazarding a guess - any help is very much appreciated:

root@main-bubba:/home/main-user# cd
root@main-bubba:~# cd /home
root@main-bubba:/home# ls -l
total 60
drwxrwx--- 5 root root 4096 Nov 9 16:43 COMPANY
drwxr-xr-x 2 admin admin 4096 Jan 20 2000 admin
drwxr-xr-x 4 chrisward users 4096 Nov 10 14:45 chrisward
drwxr-xr-x 5 joehenstridge users 4096 Nov 9 12:43 joehenstridge
drwxr-xr-x 4 lauramorrison users 4096 Nov 9 11:28 lauramorrison
drwxr-xr-x 2 root root 16384 Jan 20 2000 lost+found
drwxr-xr-x 4 lukestephens users 4096 Nov 9 11:29 lukestephens
drwxr-xr-x 7 main-user users 4096 Nov 5 19:52 main-user
drwxr-xr-x 4 stevespicer users 4096 Nov 9 11:28 stevespicer
drwxr-sr-x 10 root users 4096 Nov 8 22:56 storage
drwxr-xr-x 4 tomstephens users 4096 Nov 9 11:29 tomstephens
drwxr-sr-x 2 root users 4096 Jan 20 2000 web
root@main-bubba:/home# cd chrisward
root@main-bubba:/home/chrisward# ls -l
total 8
-rwxrw-r-- 1 chrisward users 0 Nov 10 14:45 created1445.txt
drwxr-xr-x 2 chrisward users 4096 Sep 13 11:47 downloads
drwxr-xr-x 2 chrisward users 4096 Sep 13 11:47 torrents
root@main-bubba:/home/chrisward#
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Custom File Permissions - HELP

Post by RandomUsername »

That could be it. The command to change the group is chgrp.
jovisuk
Posts: 65
Joined: 12 Sep 2010, 04:20

Re: Custom File Permissions - HELP

Post by jovisuk »

Ok, so after changing the group of the COMPANY folder to users:

chgrp -R users /home/COMPANY/

Now all users have all access to this folder and the three folders within here - I wanted to restrict access to the three folders inside here so that:

/home/COMPANY/Level_One - has only access for group - boss
/home/COMPANY/Level_Two - has only access for group - office
/home/COMPANY/Level_Three - has only access for group - employee

As I've changed the group of the COMPANY folder do I need to repeat this procedure (It was sent to me by an Excito Support Rep after I asked for a way to restrict access to certain folders for certain users):


1. Log in via SSH and become root:
http://wiki.excito.org/wiki/index.php/T ... er_via_SSH

2. Add the group boss, issue the command: groupadd boss

3. Add the group employee, issue the command: groupadd employee

4. On an already existing bubba user (here Kalle), add the user to the
desired groups: usermod -G boss,employee kalle

5. On an already existing bubba user (here Anna), add the user to the
desired groups: usermod -G employee anna

6. Now you have to change the permissions on the folders (already
existing): chgrp -R boss /home/company_folder/only_for_boss_folder/

and

chgrp -R employee /home/company_folder/for_everybody/

7. To set the correct permissions on the folders: chmod -R 770
/home/company_folder/
jovisuk
Posts: 65
Joined: 12 Sep 2010, 04:20

Re: Custom File Permissions - HELP

Post by jovisuk »

Solved it, I looked at permissions within the folder COMPANY:

root@main-bubba:/home/COMPANY# ls -l
total 12
drwxrwx--- 2 root users 4096 Nov 10 15:47 Level_One
drwxrwx--- 2 root users 4096 Nov 9 16:43 Level_Three
drwxrwx--- 2 root users 4096 Nov 9 16:42 Level_Two

Then changed permissions on the individual folders:

root@main-bubba:/home/COMPANY# cd
root@main-bubba:~# chgrp -R boss /home/COMPANY/Level_One
root@main-bubba:~# chgrp -R office /home/COMPANY/Level_Two
root@main-bubba:~# chgrp -R employee /home/COMPANY/Level_Three
root@main-bubba:~# cd /home

Then, re-checked permissions:

root@main-bubba:/home# ls -l
total 60
drwxrwx--- 5 root users 4096 Nov 9 16:43 COMPANY
drwxr-xr-x 2 admin admin 4096 Jan 20 2000 admin
drwxr-xr-x 4 chrisward users 4096 Nov 10 15:40 chrisward
drwxr-xr-x 5 joehenstridge users 4096 Nov 9 12:43 joehenstridge
drwxr-xr-x 4 lauramorrison users 4096 Nov 9 11:28 lauramorrison
drwxr-xr-x 2 root root 16384 Jan 20 2000 lost+found
drwxr-xr-x 4 lukestephens users 4096 Nov 9 11:29 lukestephens
drwxr-xr-x 7 main-user users 4096 Nov 5 19:52 main-user
drwxr-xr-x 4 stevespicer users 4096 Nov 9 11:28 stevespicer
drwxr-sr-x 10 root users 4096 Nov 8 22:56 storage
drwxr-xr-x 4 tomstephens users 4096 Nov 9 11:29 tomstephens
drwxr-sr-x 2 root users 4096 Jan 20 2000 web
root@main-bubba:/home# cd COMPANY
root@main-bubba:/home/COMPANY# ls -l
total 12
drwxrwx--- 2 root boss 4096 Nov 10 15:47 Level_One
drwxrwx--- 2 root employee 4096 Nov 9 16:43 Level_Three
drwxrwx--- 2 root office 4096 Nov 9 16:42 Level_Two
root@main-bubba:/home/COMPANY#

Now I have tested it with two users, one with full access in group "boss" and one with restricted access of group "office" and it is working.

Thanks for the help guys!
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Custom File Permissions - HELP

Post by Ubi »

I would tend to make the COMPANY folder non-writable to the user population or they start putting data there instead of one level deeper

chmod g-w /home/COMPANY
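
The three permission states in this thread, modelled as an added example (not code from any post above): it applies the owner/group/other check to every directory on a path and reports the first one a user cannot traverse, then checks who can create entries in COMPANY before and after `chmod g-w`. Assumptions: ordinary users have primary group `users` (as the file created by chrisward suggests), `/home` is world-traversable, and root's bypass and ACLs are not modelled.

```python
# Added example: models the owner/group/other check on each directory of a
# path, using the ownership and modes shown in the thread's ls -l output.

# Supplementary groups are taken from the posted /etc/group; the primary
# group "users" is an assumption based on the file chrisward created.
GROUPS = {
    "chrisward": {"users", "boss", "office", "employee"},
    "joehenstridge": {"users", "office", "employee"},
}
LEVELS = {"Level_One": "boss", "Level_Two": "office", "Level_Three": "employee"}

def tree(company_group, company_mode):
    """Build {path: (owner, group, mode)} for /home/COMPANY and its levels."""
    fs = {"/home": ("root", "root", 0o755),  # assumed world-traversable
          "/home/COMPANY": ("root", company_group, company_mode)}
    for name, grp in LEVELS.items():
        fs["/home/COMPANY/" + name] = ("root", grp, 0o770)
    return fs

BEFORE = tree("root", 0o770)     # first post: COMPANY is root:root
AFTER = tree("users", 0o770)     # solved state: COMPANY is root:users
HARDENED = tree("users", 0o750)  # after chmod g-w /home/COMPANY

def bits(user, entry):
    """Return the rwx triplet (0-7) that applies: owner, else group, else other."""
    owner, group, mode = entry
    if user == owner:
        return (mode >> 6) & 7
    if group in GROUPS[user]:
        return (mode >> 3) & 7
    return mode & 7

def first_block(user, path, fs):
    """Return the first directory on the path the user cannot search (x), or None."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        d = "/" + "/".join(parts[:i])
        if not (bits(user, fs[d]) & 1):
            return d
    return None

def can_create_in(user, directory, fs):
    """Creating an entry needs search on the whole path plus w and x on the directory."""
    return first_block(user, directory, fs) is None and (bits(user, fs[directory]) & 3) == 3
```

With `BEFORE`, `first_block("chrisward", "/home/COMPANY/Level_One", BEFORE)` returns `/home/COMPANY`: membership of `boss` is never consulted because the parent directory already denies traversal.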