RE: [SLE] complex acl (in my opinion anyway...) question
> Isn't this what a chroot jail is meant for? I don't know too much about it, but Google produces many hits on "Linux FTP chroot jail" so maybe it's worth checking out.

yep, I know. But that's only for ONE directory plus everything below it. (if I'm correct)

I want users to be able to cd into /homes and below AND to some directories in /srv and all the other directories on the system should be "access denied".

As I see it now, a regular user can cd into lots of dirs, and even read lots of files, just usually not _alter_ them.

My filesystem is xfs, so it supports ACLs. Is there a kind of DENY acl that I can put on all directories, other than these two? (so all users in that group would get access denied when trying to cd into other dirs than /home and /srv)

All solutions I've read so far seem to do something of the kind, but not _exactly_ this. Perhaps it is simply impossible?

Thanks very much for reading this post.

mj
Heupink, Mourik Jan C. wrote:
> > Isn't this what a chroot jail is meant for? I don't know too much about it, but Google produces many hits on "Linux FTP chroot jail" so maybe it's worth checking out.
>
> yep, I know. But that's only for ONE directory plus everything below it. (if I'm correct)
>
> I want users to be able to cd into /homes and below AND to some directories in /srv and all the other directories on the system should be "access denied".
>
> As I see it now, a regular user can cd into lots of dirs, and even read lots of files, just usually not _alter_ them.
>
> My filesystem is xfs, so it supports ACLs. Is there a kind of DENY acl that I can put on all directories, other than these two? (so all users in that group would get access denied when trying to cd into other dirs than /home and /srv)
>
> All solutions I've read so far seem to do something of the kind, but not _exactly_ this. Perhaps it is simply impossible?
>
> Thanks very much for reading this post.
>
> mj
There's not a DENY acl. ACLs just let you do extra user and group stuff. Regular unix permissions let you control access for owner (u), owning group (g), and everyone else (o). With ACLs you can name other users and groups so you could control access for the owner, owning group, user joedoe, group webguys, ..., and everyone else.

Sounds like what you want to do can be accomplished with plain old unix permissions.

myhost:/ # ls -ld home
drwx--x--- 5 root users 120 Jan 12 14:37 home
myhost:/ # ls -ld home/*
drwx------ 7 bogus users 536 Jan 12 14:43 home/bogus
drwx------ 2 mbacal users 48 Jan 12 14:31 home/mbacal
drwx------ 2 mstmcal users 48 Jan 12 14:31 home/mstmcal
myhost:/ # su bogus
bogus@myhost:/> ls -l home
/bin/ls: home: Permission denied
bogus@myhost:/> ls -l home/mbacal
/bin/ls: home/mbacal: Permission denied
bogus@myhost:/> ls -l home/mstmcal
/bin/ls: home/mstmcal: Permission denied
bogus@myhost:/> ls -l home/bogus
total 0
drwx------ 2 bogus users 80 Jan 12 14:40 Documents
drwx------ 2 bogus users 48 Jan 12 14:40 bin
drwx------ 2 bogus users 80 Jan 12 14:40 public_html
bogus@myhost:/> cd home/mstmcal
bash: cd: home/mstmcal: Permission denied
bogus@myhost:/> cd home
bogus@myhost:/home> ls
/bin/ls: .: Permission denied
bogus@myhost:/home> cd bogus
bogus@myhost:/home/bogus> ls
Documents bin public_html

In this case no user can see the contents of home or of directories under home. However any member of the users group can pass through home to get to their own directory.

As far as setting permissions outside of home, take a look at /etc/permissions. I usually use secure but paranoid may be what you want. I tried it once long ago and I seem to remember my desktop being virtually unusable by anyone other than root. You can define your own settings too.

Jason Joines
================================
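
The session in the reply above can be reproduced from the mode bits alone. The following is an added example, not part of either message: it applies the owner/group/other rule to the ls -ld lines shown and reports what a given user can enter or list. It assumes no ACL entries, a non-root caller and a searchable "/"; the user "guest" and group "nogroup" are hypothetical names added to show the result for someone outside the users group.

```python
# Added example, not from the thread. Assumes plain mode bits only:
# no ACL entries, caller is not root, and "/" itself is searchable.

# (mode, owner, group) copied from the `ls -ld` output in the reply above.
TREE = {
    "home":         ("drwx--x---", "root",    "users"),
    "home/bogus":   ("drwx------", "bogus",   "users"),
    "home/mbacal":  ("drwx------", "mbacal",  "users"),
    "home/mstmcal": ("drwx------", "mstmcal", "users"),
}

def triplet(entry, user, groups):
    """Pick the rwx triplet that applies: owner, else group, else other.
    The first matching class wins, even if a later class grants more."""
    mode, owner, group = entry
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]

def has_search(entry, user, groups):
    # 's' and 't' in the x position mean x plus setuid/setgid/sticky.
    return triplet(entry, user, groups)[2] in "xst"

def has_read(entry, user, groups):
    return triplet(entry, user, groups)[0] == "r"

def ancestors(path):
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

def can_cd(path, user, groups, tree=TREE):
    """cd needs search (x) on the target and on every directory above it."""
    return all(has_search(tree[p], user, groups) for p in ancestors(path) + [path])

def can_ls(path, user, groups, tree=TREE):
    """Listing names needs read (r) on the target and search (x) above it."""
    return (has_read(tree[path], user, groups)
            and all(has_search(tree[p], user, groups) for p in ancestors(path)))

if __name__ == "__main__":
    # "guest" / "nogroup" are hypothetical: a user outside the users group.
    for who, groups in (("bogus", {"users"}), ("guest", {"nogroup"})):
        for path in TREE:
            print(f"{who:6} {path:13} cd={can_cd(path, who, groups)} "
                  f"ls={can_ls(path, who, groups)}")
```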