[opensuse] rights for new user, a small problem of understanding...
Hi,

I'll give access to my computers to another person with her own new user. I see that this user can see many or most of my files (read only), but I want that she can only see her own files.

How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files automatically are readable only by me (and root)?

Thanks for your help!

Daniel

-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thursday, 26 January 2017 18:26:45, Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see, that this user can see many or most of my files (read only), but I want that she can only see her own files.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files automatically are readable only by me (and root)?
Thanks for your help!
Daniel

I think what you want is to set in users the umask value to 077. This means all users will have access only to their own directory. Now this is for new users. If the guest user should not see your existing user and you do not want to run chown with the appropriate rights (attention: these are totally different from umask values), then you can achieve this as follows: you go to YaST, Security and Users. There, to User and Group Management. There you go into the tab for new user defaults. You set umask to 077. Then you go to the Users tab and say: write these changes immediately. Make sure the user you want to handle is offline / not logged in. Then you erase the user you want to privatise. It asks you if you also want to erase the home directory of that user. You say NO! You write the changes. You recreate the user with exactly the same name. It tells you: an account with that name does already exist. Do you want to take ownership? You say YES. You write the changes. Now, from the user you are in, you should not be able to see or to access the /home of the one you come from changing permissions.

Normally you do this with chown, but if you want to avoid the command line this is the easy way. As usual I depart from the idea that you have a valid backup when you make changes. It is possible that you have to restart the system for all changes to be applied. I do not recall, to be honest.
On 01/26/2017 9:52 AM, stakanov wrote:
On Thursday, 26 January 2017 18:26:45, Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see, that this user can see many or most of my files (read only), but I want that she can only see her own files.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files automatically are readable only by me (and root)?
Thanks for your help!
Daniel

I think what you want is to set in users the umask value to 077. This means all users will have access only to their own directory. Now this is for new users. If the guest user should not see your existing user and you do not want to run chown with the appropriate rights (attention: these are totally different from umask values), then you can achieve this as follows: you go to YaST, Security and Users. There, to User and Group Management. There you go into the tab for new user defaults. You set umask to 077. Then you go to the Users tab and say: write these changes immediately. Make sure the user you want to handle is offline / not logged in. Then you erase the user you want to privatise. It asks you if you also want to erase the home directory of that user. You say NO! You write the changes. You recreate the user with exactly the same name.
User name? Are you sure you want to do this?

The important thing to maintain is the userid, which is probably 1000 if Daniel is the first user.

Change to /home/daniel, type man chmod and read how you make it recursive. Or launch Dolphin and do it graphically by selecting Dan's dir and change permissions recursively. (Root can access anything - so no worries there.) Do this with Dan's credentials (sign in, not as root).
It tells you: an account with that name does already exist. Do you want to take ownership. You say YES. You write the changes.
You've probably changed userid at this point. May not want to do that.

-- _____________________________________ ---This space for rent---
On Thursday, 26 January 2017 11:04:55, John Andersen wrote:
On 01/26/2017 9:52 AM, stakanov wrote:
On Thursday, 26 January 2017 18:26:45, Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see, that this user can see many or most of my files (read only), but I want that she can only see her own files.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files automatically are readable only by me (and root)?
Thanks for your help!
Daniel
I think what you want is to set in users the umask value to 077. This means all users will have access only to their own directory. Now this is for new users. If the guest user should not see your existing user and you do not want to run chown with the appropriate rights (attention: these are totally different from umask values), then you can achieve this as follows: you go to YaST, Security and Users. There, to User and Group Management. There you go into the tab for new user defaults. You set umask to 077. Then you go to the Users tab and say: write these changes immediately. Make sure the user you want to handle is offline / not logged in. Then you erase the user you want to privatise. It asks you if you also want to erase the home directory of that user. You say NO! You write the changes. You recreate the user with exactly the same name.
User name? Are you sure you want to do this?
The important thing to maintain is the userid, which is probably 1000 if Daniel is the first user.
Change to /home/daniel
type man chmod and read how you make it recursive. Or launch Dolphin and do it graphically by selecting Dan's dir and change permissions recursively. (Root can access anything - so no worries there.) Do this with Dan's credentials (sign in, not as root).
It tells you: an account with that name does already exist. Do you want to take ownership. You say YES. You write the changes.
You've probably changed userid at this point. May not want to do that.
I do not think he has more than two users on that machine. The user number changes only if in the meantime another new user is registered. And I hope not on a laptop. If not, the user takes up the freed-up user number he had before. At least on my system it does. All depends on whether he has a local system or not. If not, I would guess he uses chown -R userinquestion:groupinquestion /home/userinquestion
stakanov composed on 2017-01-26 20:19 (UTC+0100):
I do not think he has more than two users on that machine. The user number changes only if in the meantime another new user is registered. And I hope not on a laptop. If not, the user takes up the freed-up user number he had before. At least on my system it does. All depends on whether he has a local system or not.
Check the useradd man page and you'll see the -u option to create any unique number; same for -g and groupadd. IOW, new user and/or group could be 2000 or 8219 (little endian 1982 birth year) or 1992 (big endian birth year). -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
On 26/01/17 19:19, stakanov wrote:
I do not think he has more than two users on that machine. The user number changes only if in the meantime another new user is registered. And I hope not on a laptop. If not, the user takes up the freed-up user number he had before. At least on my system it does.
I think your last sentence is telling - "At least on my system it does". His system is not your system. User numbers should NOT be re-used. Any "properly" configured system should refuse to re-use a number unless explicitly told to. Cheers, Wol
On 26/01/17 17:26, Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see, that this user can see many or most of my files (read only), but I want that she can only see her own files.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files automatically are readable only by me (and root)?
This is a simple groups problem. Most systems have a group called "users", and they default to either (a) all users belong to the "users" group, or (b) all users belong to the "username" group (ie a user called "daniel" will belong to a group called "daniel"). Your system defaults to putting all users in "users".

In this situation, let's assume your new user is called "sally". Create a group "sally", and put her in that, deleting her from the group "users". Now she will only be able to see her files, not yours. This isn't the best solution, but the best in the current circumstance, because you will keep having to do this - it would have been better if it had been the default from the get-go - any new user by default will be able to see your files.

The alternative is to do that to yourself - create a group "daniel", make that your default group, and chown all your files to "daniel:daniel", but that's a lot more hassle.

(The first option changes *her* so she can't see your files, a simple job. The second changes *you* so she can't see your files, a lot more work and error prone.)

Cheers, Wol
On 01/26/2017 01:34 PM, Wols Lists wrote:
On 26/01/17 17:26, Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see, that this user can see many or most of my files (read only), but I want that she can only see her own files.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files automatically are readable only by me (and root)?
This is a simple groups problem. Most systems have a group called "users", and they default to either (a) all users belong to the "users" group, or all users belong to the "username" group (ie a user called "daniel" will belong to a group called "daniel". Your system defaults to putting all users in "users".
In this situation, let's assume your new user is called "sally". Create a group "sally", and put her in that deleting her from the group "users". Now she will only be able to see her files, not yours. This isn't the best solution, but the best in the current circumstance, because you will keep having to do this - it would have been better if it had been the default from the get-go - any new user by default will be able to see your files.
The alternative is to do that to yourself - create a group "daniel", make that your default group, and chown all your files to "daniel:daniel", but that's a lot more hassle.
(The first option changes *her* so she can't see your files, a simple job. The second changes *you* so she can't see your files, a lot more work and error prone.)
Groups are a wonderful and simple access control mechanism that with a little thought can deal with most situations. You just need to understand 'set theory', which is the high-faluting term for what you learnt at school drawing circles that are called Venn diagrams. Draw three circles, one for you, one for 'sally' and one you label, perhaps, 'george'. Look where they overlap.

Groups are cheap, create more as you need. Create labels. You should have one for each user and perhaps make the default setting, as Wol says, specific to each user. That is the most protectionist. Then you can 'share' files, by making them group readable, or perhaps writeable, for the group belonging to those overlap areas. http://www.presentation-process.com/wp-content/uploads/hexagon-venn-diagram....

Of course you can create more 'complex' overlaps. http://www.presentation-process.com/wp-content/uploads/circle-powerpoint-ven... http://2.bp.blogspot.com/_VhdC-5Gg7Ok/S_DIfpdBpbI/AAAAAAAAADs/llWoPG8L7uU/s1... https://conceptdraw.com/a2059c3/p7/preview/640/pict--4-set-venn-diagram-venn...

In practice, there is a limit to what you can do with a sheet of paper, though the mathematics behind this is indefinitely extensible. Doing it might damage your brain.

At some point, regardless of the fact that it CAN be done with groups, you can't understand it enough to use it, and adopt another method. This is called Role Based Access Control. It's pretty cool and easily managed for large groups of people. But you need large groups, perhaps a full multi-tiered corporate setting with plenty of job descriptions and so on, in order to see how effective it can be. If you're a big enough organization to need it then you definitely need it. What sets the criteria isn't so much the number of people as the number of differentiated roles. I once worked at a shop where there were 140 programmers. Despite the number of projects active and archived there was no reason for more than 5 groups beyond one per programmer and the 'system' ones that come with the distribution like 'lp', 'bin', 'sys', 'daemon', and so on.

The basic rule is: Keep it manageable and understandable.

Oh, and document it and its purpose.

-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 26.01.2017 at 20:15, Anton Aylward wrote:
On 01/26/2017 01:34 PM, Wols Lists wrote:
On 26/01/17 17:26, Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see, that this user can see many or most of my files (read only), but I want that she can only see her own files.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files automatically are readable only by me (and root)?
This is a simple groups problem. Most systems have a group called "users", and they default to either (a) all users belong to the "users" group, or (b) all users belong to the "username" group (ie a user called "daniel" will belong to a group called "daniel"). Your system defaults to putting all users in "users".
In this situation, let's assume your new user is called "sally". Create a group "sally", and put her in that deleting her from the group "users". Now she will only be able to see her files, not yours. This isn't the best solution, but the best in the current circumstance, because you will keep having to do this - it would have been better if it had been the default from the get-go - any new user by default will be able to see your files.
The alternative is to do that to yourself - create a group "daniel", make that your default group, and chown all your files to "daniel:daniel", but that's a lot more hassle.
(The first option changes *her* so she can't see your files, a simple job. The second changes *you* so she can't see your files, a lot more work and error prone.)
Groups are a wonderful and simple access control mechanism that with a little thought can deal with most situations. You just need to understand 'set theory', which is the high-faluting term for what you learnt at school drawing circles that are called Venn diagrams. Draw three circles, one for you, one for 'sally' and one you label, perhaps, 'george'. Look where they overlap.
Groups are cheap, create more as you need. Create labels. You should have one for each user and perhaps make the default setting, as Wol says, specific to each user. That is the most protectionist. Then you can 'share' files, by making them group readable, or perhaps writeable, for the group belonging to those overlap areas. http://www.presentation-process.com/wp-content/uploads/hexagon-venn-diagram....
Of course you can create more 'complex' overlaps. http://www.presentation-process.com/wp-content/uploads/circle-powerpoint-ven... http://2.bp.blogspot.com/_VhdC-5Gg7Ok/S_DIfpdBpbI/AAAAAAAAADs/llWoPG8L7uU/s1... https://conceptdraw.com/a2059c3/p7/preview/640/pict--4-set-venn-diagram-venn...
In practice, there is a limit to what you can do with a sheet of paper, though the mathematics behind this is indefinitely extensible. Doing it might damage your brain.
At some point, regardless of the fact that it CAN be done with groups, you can't understand it enough to use it, and adopt another method. This is called Role Based Access Control. It's pretty cool and easily managed for large groups of people. But you need large groups, perhaps a full multi-tiered corporate setting with plenty of job descriptions and so on, in order to see how effective it can be. If you're a big enough organization to need it then you definitely need it. What sets the criteria isn't so much the number of people as the number of differentiated roles. I once worked at a shop where there were 140 programmers. Despite the number of projects active and archived there was no reason for more than 5 groups beyond one per programmer and the 'system' ones that come with the distribution like 'lp', 'bin', 'sys', 'daemon', and so on.
The basic rule is: Keep it manageable and understandable.
Oh, and document it and its purpose.
Thanks for the various inputs!

Actually, after googling, I typed the following:

sudo chmod 0700 /home/daniel

With a short test, the new user cannot see anything of my home anymore. But of course, I am not sure if this was intelligent, because of the answers here that are much more complex...

It is a laptop and a desktop. On both only one user, 1000 daniel, existed. On the laptop I made a new one with YaST which is 1001.

I guess the problem is solved that way. If not, *please* correct me.

Thanks

Daniel

-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com
Daniel Bauer wrote:
Thanks for the various inputs!
Actually, after googling, i typed the following:
sudo chmod 0700 /home/daniel
...
I guess, the problem is solved that way. If not *please* correct me.
=== It probably is.

In your example above, counting the digits as 0, 1, 2 and 3, the '1' place is your user-id's access, 2 = group access and 3 = other.

I had suggested using g-rwx,o-rwx, which effectively sets digits 2 and 3 to '0' like you have. The only difference is that setting your own access to '7' might have the accidental effect of making some extra files 'executable' (like making text or other documents executable). In practice, this shouldn't be harmful, so I wouldn't worry about it too much... but for the future, remember the symbolic forms of g-rwx and o-rwx.

Of note: NEW files that you create will **likely** have more open permissions. That's determined by the "umask" value that can automatically remove permissions on newly created files (or directories). You can see your current umask value by typing 'umask' (as you). It is likely something like 0022 (meaning group and 'other' can't write to your stuff), _or_ 0027 (meaning group can't write and 'other' has all access *blocked*). In the mask, they are permissions that are *removed* -- they 'mask' off the corresponding permissions.

If you don't want people in the same group to be able to read or execute your files, then you probably want to look in your ".bash_profile" and ".bashrc" to see if there are any existing 'umask' statements (ex. umask 022 or umask <somenumber> on a line by itself). Change those to say "umask 77" -- or, if you don't see a umask statement, add the "umask 77" (umask doesn't need the leading zeros) at the end of your ".bash_profile" (or at the end of ".bashrc" if you are more paranoid). That will set your user-id's *default* mask to turn off all access to others as well as those in your group.

Hope I didn't add anything confusing... ;-)

-linda
On 26.01.2017 at 21:15, L A Walsh wrote:
Daniel Bauer wrote:
Thanks for the various inputs!
Actually, after googling, i typed the following:
sudo chmod 0700 /home/daniel
...
I guess, the problem is solved that way. If not *please* correct me.
=== It probably is.
In your example above, counting the digits as 0, 1, 2 and 3, The '1' place is your user-id's access, 2=group access and 3=other.
I had suggested using g-rwx,o-rwx, which effectively sets digits 2 and 3 to '0' like you have. The only difference is that setting your own access to '7' might have the accidental effect of making some extra files 'executable' (like making text or other documents executable). In practice, this shouldn't be harmful, so I wouldn't worry about it too much... but for the future, remember the symbolic forms of g-rwx and o-rwx.
As much as I can see, /only/ the directory /home/daniel was affected and all the subdirectories and files in it seem to have the same rights as before (actually this is what I hoped :-) ).

When I log in as the new user I can see in Dolphin that there is a folder daniel in home, but I cannot access it. I can also not access for example /home/daniel/Desktop (which shows in Dolphin drwxr-xr-x) nor the file /home/daniel/Desktop/text.txt (-rw-rw-rw-).

So it looks to me that everything within home/daniel (drwx------) is safe, and the umask thing is not necessary.

??? Or am I just not enough of a hacker? ..
-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com
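Added example, not part of the thread and not Daniel's or Linda's code: it illustrates what Daniel observed above. Opening a file requires the execute (search) bit on every directory along its path, so a world-readable text.txt under a 0700 home is still unreachable for other users. The function walks a path from the top and reports the first directory that denies search to both group and others; a helper builds a scratch copy of the /home/daniel/Desktop/text.txt layout (constructed data, nothing touched under the real /home) so the check can be run without root. Assumes GNU coreutils (stat -c) and a POSIX sh.

```shell
#!/bin/sh
# Walk every directory on the way to $1 and print the first one whose mode
# grants search (x) to neither group nor others, i.e. the component that
# shuts out every non-owner (root excepted). Prints nothing if the whole
# path is traversable.
first_dir_closed_to_non_owners() {
    target=$1
    case $target in
        /*) path="" ;;      # absolute path: components are joined onto ""
        *)  path="." ;;     # relative path: components are joined onto "."
    esac
    old_ifs=$IFS
    IFS=/
    set -f                  # no globbing while splitting the path on "/"
    set -- $target
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        [ -d "$path" ] || break         # reached the file itself, stop
        mode=$(stat -c %A "$path")      # e.g. drwxr-xr-x
        case $mode in
            d?????[xs]???|d????????[xt]) ;;   # group or others may search it
            *) printf '%s\n' "$path"; return 0 ;;
        esac
    done
    return 0
}

# Scratch copy of the layout from the thread (constructed, hypothetical):
#   <root>/home           0755
#   <root>/home/daniel    0700   <- what "sudo chmod 0700 /home/daniel" did
#   .../Desktop           0755
#   .../Desktop/text.txt  0666
# Prints the scratch root so the caller can inspect and remove it.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"                   # mktemp creates it 0700
    mkdir -p "$root/home/daniel/Desktop"
    : > "$root/home/daniel/Desktop/text.txt"
    chmod 755 "$root/home" "$root/home/daniel/Desktop"
    chmod 666 "$root/home/daniel/Desktop/text.txt"
    chmod 700 "$root/home/daniel"
    printf '%s\n' "$root"
}

# Stand-alone run: show which directory blocks the world-readable file.
if [ "${DEMO_RUN:-0}" = 1 ]; then
    root=$(build_demo_tree)
    first_dir_closed_to_non_owners "$root/home/daniel/Desktop/text.txt"
    rm -rf "$root"
fi
```

Run it with DEMO_RUN=1 to print the blocking directory (the scratch "home/daniel"). Relaxing that one directory to 0711 makes the path traversable again without opening the directory listing, which is the usual compromise when a single file under a private home has to stay reachable.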
On 26/01/17 22:02, Daniel Bauer wrote:
Am 26.01.2017 um 21:15 schrieb L A Walsh:
Daniel Bauer wrote:
Thanks for the various inputs!
Actually, after googling, i typed the following:
sudo chmod 0700 /home/daniel
...
I guess, the problem is solved that way. If not *please* correct me.
=== It probably is.
In your example above, counting the digits as 0, 1, 2 and 3, The '1' place is your user-id's access, 2=group access and 3=other.
I had suggested using g-rwx,o-rwx, which effectively sets digits 2 and 3 to '0' like you have. The only difference is that setting your own access to '7' might have the accidental effect of making some extra files 'executable' (like making text or other documents executable). In practice, this shouldn't be harmful, so I wouldn't worry about it too much... but for the future, remember the symbolic forms of g-rwx and o-rwx.
As much as I can see /only/ the directory /home/daniel was affected and all the subdirectories and files in it seem to have the same rights as before (actually this is what I hoped :-) ).
When I login as the new user I can see in dolphin that there is a folder daniel in home, but I cannot access it. I can also not access for example /home/daniel/Desktop (which shows in dolphin drwxr-xr-x) nor the file /home/daniel/Desktop/text.txt (-rw-rw-rw-).
So it looks to me that everything within home/daniel (drwx------) is safe, and the umask thing is not necessary.
??? Or am I just not enough a hacker?
You need to understand what you have done. The most important thing you have done is that you have now made it *impossible* to share any files with other users even if you wanted to.

Always remember that "for any complex problem, there is always an answer which is simple, obvious, and wrong". Your answer is simple, obvious, and will it come back and bite you in the backside? I don't know. I can remember doing this on a different OS, and it caused us some fun :-)

At the end of the day, you need to get a grasp of security and how it works, and then you will know whether your solution is a good one.

My personal solution - rather different from yours in that this is a home server - is that everyone belongs to the group "user" (and our passwords are very weak :-) but I use security primarily to protect against accidental damage. I see no reason for privacy as we are a family and trust each other. (A lot of files are owned by root because they are shared but should not be modified.)

And actually, I took that line in a company where I set up policy, too. All departments (with two exceptions) could all see each other's areas - but did not have write access to those areas! The exceptions were Finance, and the Directors, both of whom needed protection either for legal or for confidentiality reasons.

Cheers, Wol
On 01/26/2017 05:29 PM, Wols Lists wrote:
You need to understand what you have done. The most important thing you have done is that you have now made it *impossible* to share any files with other users even if you wanted to.
*Y*E*S* Daniel, you need to understand all the basics. There are many ways to 'share'. I can think of a few that work with your 0700 setting. But they are probably too complex for you to understand, given your level of comprehension displayed by your questions.

You need to understand, and I mean really understand so you can see the implication, which is what Wols is talking about, of the access control model. It's not about whether you like it or not, it's what there is. Once you understand it and its implications you can use it effectively.

There are many articles on the 'Net that address this and there have been many good books about UNIX and Linux that describe it. You might start with something like this http://www.ibm.com/developerworks/library/l-lpic1-104-5/ https://www.linux.com/learn/understanding-linux-file-permissions

And it's all a lot clearer using the shell than hidden behind a GUI.

-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Wols Lists composed on 2017-01-26 22:29 (UTC):
Daniel Bauer wrote:
Actually, after googling, i typed the following:
sudo chmod 0700 /home/daniel ... You need to understand what you have done. The most important thing you have done is that you have now made it *impossible* to share any files with other users even if you wanted to.
Not strictly true, but definitely complicated. Some other directory that is readable by both or all users could be employed, by copying or moving file(s) to be shared between the homes and the shared location(s).

It might be prudent at this point for Daniel to take time to examine the whole concept of Linux permissions, taking a look e.g. at these: https://en.wikipedia.org/wiki/File_system_permissions https://en.wikipedia.org/wiki/Umask https://en.wikipedia.org/wiki/Chmod

Then take a look around his system using a file manager that shows permissions, logged in as root, to gain some working familiarity. I suggest mc using long listing mode to do so whilst logged in on a vtty. Here are some examples of what would be seen doing so in a system having an effect compatible with his original restrictive goal:

drwxrwxrwx  directory
            everybody can enter (cd into)
            everybody can read
            everybody can write
            result of umask 0
            result of chmod 0777

-rwxrwxrwx  file
            everybody can read
            everybody can write
            everybody can execute
            result of umask 0
            result of chmod 777

drwx------  directory
            only owner can enter (cd into)
            only owner can read
            only owner can write
            result of umask 0077
            result of chmod 0700

-rwx------  file
            only owner can read
            only owner can write
            only owner can execute
            result of umask 077
            result of chmod 700

-rwxr-----  file
            owner can read, write, execute
            group can read
            group cannot write or execute
            others can do nothing
            result of umask 037
            result of chmod 740

-rwxr-x---  file
            owner can read, write, execute
            group can read and execute
            group cannot write
            others can do nothing
            result of umask 027
            result of chmod 750

-- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
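Added example, written for this page rather than taken from Felix's, Linda's or stakanov's posts: it turns the umask arithmetic discussed in the thread (stakanov's umask 077 default, Linda's digit positions, the umask/chmod pairs in the list above) into functions. It computes the mode a new file or directory receives under a given umask, renders octal modes in the rwx notation of the list, and creates real files under a chosen umask in a scratch directory to confirm the arithmetic against what the kernel actually does. One caveat worth seeing in code: a new regular file starts from 666, not 777, so no umask can produce an executable file; the x bits in the file rows above only ever come from an explicit chmod. Assumes GNU coreutils (stat -c) and a POSIX sh.

```shell
#!/bin/sh
# Mode a new regular FILE receives under a umask: 0666 with the mask bits
# removed. The leading 0 forces octal interpretation of the argument.
mode_for_new_file() {   # $1 = umask in octal, e.g. 077 or 22
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Mode a new DIRECTORY receives under a umask: 0777 with the mask bits removed.
mode_for_new_dir() {    # $1 = umask in octal
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# One octal digit (0-7) rendered as its rwx triplet.
rwx_digit() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) echo '???' ;;
    esac
}

# Octal mode (e.g. 750 or 0750) rendered as the nine-character rwx string
# shown by ls; setuid/setgid/sticky bits are dropped for this purpose.
rwx_string() {
    m=$(printf '%03o' $(( 0$1 & 0777 )))
    first=${m%??}; last=${m#??}; mid=${m%?}; mid=${mid#?}
    printf '%s%s%s\n' "$(rwx_digit "$first")" "$(rwx_digit "$mid")" "$(rwx_digit "$last")"
}

# Empirical check: create a file and a directory under the given umask in a
# scratch directory and print their real modes as "<file> <dir>", e.g. "600 700".
observed_modes_under_umask() {   # $1 = umask in octal
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"                  # only affects this subshell
        : > "$scratch/f"
        mkdir "$scratch/d"
    ) || return 1
    printf '%s %s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

# Stand-alone run: compare the arithmetic with the observed result for the
# umask values that came up in the thread.
if [ "${DEMO_RUN:-0}" = 1 ]; then
    for u in 0 022 027 077; do
        printf 'umask %-4s -> file %s (%s), dir %s (%s); observed: %s\n' \
            "$u" "$(mode_for_new_file "$u")" "$(rwx_string "$(mode_for_new_file "$u")")" \
            "$(mode_for_new_dir "$u")" "$(rwx_string "$(mode_for_new_dir "$u")")" \
            "$(observed_modes_under_umask "$u")"
    done
fi
```

Run with DEMO_RUN=1 to print the table. Because the subshell sets its own umask, the result does not depend on whatever umask the login shell or a .bashrc line has configured, which is also why a umask put into .bash_profile only governs programs started from that shell and not, say, files saved by a desktop application launched from the session manager.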
On 2017-01-27 04:27, Felix Miata wrote:
Wols Lists composed on 2017-01-26 22:29 (UTC):
Daniel Bauer wrote:
Actually, after googling, i typed the following:
sudo chmod 0700 /home/daniel ... You need to understand what you have done. The most important thing you have done is that you have now made it *impossible* to share any files with other users even if you wanted to.
Not strictly true, but definitely complicated. Some other directory that is readable by both or all users could be employed, by copying or moving file(s) to be shared between the homes and the shared location(s).
It may be easier to use another directory for sharing, outside of home. Consider one wants to share a directory such as: /home/john/shared while not allowing access to: /home/john/ Not that simple, eh? -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 01/27/2017 08:32 AM, Carlos E. R. wrote:
On 2017-01-27 04:27, Felix Miata wrote:
Wols Lists composed on 2017-01-26 22:29 (UTC):
Daniel Bauer wrote:
Actually, after googling, i typed the following: sudo chmod 0700 /home/daniel ... You need to understand what you have done. The most important thing you have done is that you have now made it *impossible* to share any files with other users even if you wanted to. Not strictly true, but definitely complicated. Some other directory that is readable by both or all users could be employed, by copying or moving file(s) to be shared between the homes and the shared location(s). It may be easier to use another directory for sharing, outside of home.
Consider one wants to share a directory such as:
/home/john/shared
Just use /home/shared and require ALL shared data must go there! -- Ken Schneider SuSe since Version 5.2, June 1998
On 01/26/2017 05:29 PM, Wols Lists wrote:
On 26/01/17 22:02, Daniel Bauer wrote:
Am 26.01.2017 um 21:15 schrieb L A Walsh:
Daniel Bauer wrote:
Thanks for the various inputs!
Actually, after googling, i typed the following:
sudo chmod 0700 /home/daniel ... I guess, the problem is solved that way. If not *please* correct me. === It probably is.
In your example above, counting the digits as 0, 1, 2 and 3, The '1' place is your user-id's access, 2=group access and 3=other.
I had suggested using g-rwx,o-rwx, which effectively sets digits 2 and 3 to '0' like you have. The only difference is that setting your own access to '7' might have the accidental effect of making some extra files 'executable' (like making text or other documents executable). In practice, this shouldn't be harmful, so I wouldn't worry about it too much... but for the future, remember the symbolic forms of g-rwx and o-rwx.
As much as I can see /only/ the directory /home/daniel was affected and all the subdirectories and files in it seem to have the same rights as before (actually this is what I hoped :-) ).
When I login as the new user I can see in dolphin that there is a folder daniel in home, but I cannot access it. I can also not access for example /home/daniel/Desktop (which shows in dolphin drwxr-xr-x) nor the file /home/daniel/Desktop/text.txt (-rw-rw-rw-).
So it looks to me, that everything within home/daniel (drwx------) is safe, and the umask thing is not necessary.
??? Or am I just not enough a hacker?
You need to understand what you have done. The most important thing you have done is that you have now made it *impossible* to share any files with other users even if you wanted to.
Not at all, create a new directory outside of users' login dirs and set the group to a name shared by all of the users needing access.
-- Ken Schneider SuSe since Version 5.2, June 1998
Le 27/01/2017 à 15:26, Ken Schneider - openSUSE a écrit :
Not at all, create a new directory outside of users login dirs and make the group to a name shared by all of the users needing access.
if I understand it well:
* create as root a directory, for example /home/share
* make it in the group "shared" (still as root)
* now add any user you want to share to the group "shared"
is this right?
thanks
jdd
On 01/27/2017 09:33 AM, jdd wrote:
Le 27/01/2017 à 15:26, Ken Schneider - openSUSE a écrit :
Not at all, create a new directory outside of users login dirs and make the group to a name shared by all of the users needing access.
if I understand it well:
* create as root a directory, for example /home/share
* make it in the group "shared" (still as root)
* now add any user you want to share to the group "shared"
is this right?
thanks jdd
Exactly, couldn't be any more simple.
-- Ken Schneider SuSe since Version 5.2, June 1998
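The shared directory that Ken and jdd describe, written out as an added example (this is not code from anyone in the thread). The group creation and membership steps need root and are left as comments; the rest runs in a temp directory against a group the caller already belongs to. It assumes GNU coreutils (stat -c). The umask checks at the end show a caveat a practitioner would want: with the umask 077 suggested earlier in the thread, files created in the shared directory are born 600 and group members still cannot read them.

```sh
#!/bin/sh
# Added example, not from the thread: a group-shared directory outside any home.
# Assumptions: GNU coreutils (stat -c); the caller may chgrp to GROUP
# (root, or a member of that group).
#
# Steps that need root and a real system, shown only as comments:
#   groupadd shared                  # create the sharing group
#   usermod -aG shared daniel        # add each user; takes effect at next login
#   setup_shared_dir /home/shared shared

# setup_shared_dir DIR GROUP
# Creates DIR in GROUP with mode 2770: rwx for owner and group, nothing for
# others.  The setgid bit (the leading 2) makes files created inside inherit
# GROUP instead of the creator's primary group, so members keep read access
# to each other's files.
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"
}

# shared_dir_mode DIR -> octal mode, e.g. 2770
shared_dir_mode() { stat -c %a "$1"; }

# shared_dir_group DIR -> group name of DIR
shared_dir_group() { stat -c %G "$1"; }

# group_of_new_file DIR -> group a fresh file gets in DIR (shows setgid at work)
group_of_new_file() {
    f="$1/.probe.$$"
    : > "$f"
    stat -c %G "$f"
    rm -f "$f"
}

# new_file_mode_with_umask DIR UMASK -> mode a fresh file gets in DIR under UMASK.
# setgid fixes the group, not the mode: umask 077 still yields 600, which the
# group cannot read; members sharing through DIR need a group-friendly umask
# such as 007 (660 files).
new_file_mode_with_umask() {
    ( umask "$2"; : > "$1/.probe.$$"; stat -c %a "$1/.probe.$$"; rm -f "$1/.probe.$$" )
}
```

Run `setup_shared_dir` once as root on the real path, then check with `shared_dir_mode` and `group_of_new_file` from an ordinary member account; if `new_file_mode_with_umask` shows 600 for that user's umask, the sharing will silently fail for everyone else in the group.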
On 01/26/2017 05:02 PM, Daniel Bauer wrote:
When I login as the new user I can see in dolphin that there is a folder daniel in home, but I cannot access it.
This is easier to explain in CLI than GUI.
/home has read permission for 'other' so anyone can read THE DIRECTORY. It also has read permission for group, and by default with openSuse creating a new user puts them in group 'users'.
So, who owns /home? What group does it belong to?
The command 'ls', which LiSts directory entries, only needs to read its parameters. Reading the directory /home shows the folder 'daniel'.
Now look at the permissions for that folder. You can use ls -l (long form) to do that. See who owns it, what group it's in and what the group and other access permissions are. You don't, as this new user, have access to read that folder. So you can't list its contents.
Now as 'daniel', you can see that /home/daniel/Desktop does (or should, if it's in the creation skeleton in /etc/skel) have the folder 'Desktop'. While that may be readable, hence listable, by other, you can't get at it as the new user because you can't get past /usr/daniel. Not even if you give the full path.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
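Anton's point, checked from the permission bits alone, as an added example (not from anyone in the thread). To reach BASE/a/b/file as "other" (neither owner nor group member), every directory on the way needs the other-'x' bit and the file itself needs other-'r'; so a world-readable file behind a 0700 directory is unreachable even by full path. The walker works only from the mode bits, so it gives the same answer whoever runs it, and the demo tree (constructed in a temp directory) mirrors Daniel's /home/daniel/Desktop/text.txt. Assumes GNU coreutils (stat -c).

```sh
#!/bin/sh
# Added example, not from the thread: does "other" have a path to a file?
# Assumes GNU coreutils (stat -c).  Names below are constructed for the demo.

# other_digit PATH -> the "other" octal digit (0-7) of PATH's mode
other_digit() {
    echo $(( $(stat -c %a "$1") % 10 ))   # last digit of e.g. 755 or 2770
}

# other_can_reach BASE RELPATH
# Returns 0 if a user matching only "other" could read BASE/RELPATH, walking
# every directory component from BASE down; returns 1 at the first component
# that blocks the way and prints where.
other_can_reach() {
    base=$1; rel=$2
    cur=$base
    if [ $(( $(other_digit "$cur") & 1 )) -eq 0 ]; then
        printf 'blocked at %s (no x for other)\n' "$cur"; return 1
    fi
    old_ifs=$IFS; IFS=/
    set -- $rel                     # split RELPATH into its components
    IFS=$old_ifs
    for comp in "$@"; do
        cur=$cur/$comp
        if [ -d "$cur" ]; then
            # a directory needs 'x' for other to be passed through
            if [ $(( $(other_digit "$cur") & 1 )) -eq 0 ]; then
                printf 'blocked at %s (no x for other)\n' "$cur"; return 1
            fi
        elif [ $(( $(other_digit "$cur") & 4 )) -eq 0 ]; then
            # the file itself needs 'r' for other
            printf 'blocked at %s (no r for other)\n' "$cur"; return 1
        fi
    done
    printf 'reachable: %s\n' "$cur"
    return 0
}

# build_demo_home -> constructed layout like the one in the thread; prints BASE
#   BASE/            755
#   BASE/daniel      700   (after "chmod 0700 /home/daniel")
#   BASE/daniel/Desktop          755
#   BASE/daniel/Desktop/text.txt 666
#   BASE/shared      755
#   BASE/shared/notes.txt        644
build_demo_home() {
    root=$(mktemp -d)
    mkdir -p "$root/home/daniel/Desktop" "$root/home/shared"
    printf 'private\n' > "$root/home/daniel/Desktop/text.txt"
    printf 'public\n'  > "$root/home/shared/notes.txt"
    chmod 755 "$root/home" "$root/home/shared" "$root/home/daniel/Desktop"
    chmod 700 "$root/home/daniel"
    chmod 666 "$root/home/daniel/Desktop/text.txt"
    chmod 644 "$root/home/shared/notes.txt"
    printf '%s\n' "$root/home"
}
```

`other_can_reach BASE daniel/Desktop/text.txt` stops at BASE/daniel although the file is 666, which is exactly what Dolphin shows the new user; `other_can_reach BASE shared/notes.txt` succeeds. Point it at `/home` on a real system to audit which homes are open.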
Anton Aylward wrote: Felix Miata wrote: Wols Lists wrote:
---- Um... you guys ever consider the audience, or how you might be overwhelming someone? um... just asking... ;-)
There comes a point when people reach their saturation limit, and the less they know, the sooner that comes.
So many considerations they aren't even aware of -- and to try to explain how they need to consider all the things they aren't aware of... AGGG..
I think I'd feel more than a bit squished! Helpful, I realize you are being, but from someone who does the same, a lot, just saying... ;-)
Anyone see what I mean by I'd hesitate to send a newbie to this list for basic support and why I might suggest win10 (as much as I hate it)?... oi..
Le 27/01/2017 à 06:39, L A Walsh a écrit :
Um... you guys ever consider the audience, or how you might be overwhelming someone? um... just asking... ;-)
first thing somebody has to learn when using a mailing list is how easy it is to delete a mail :-))
I most of the time do not even try to read posts that don't fit in my (1080p) screen, depending on how much time I have. so I read yours, thanks
jdd
On 27/01/17 05:39, L A Walsh wrote:
Anton Aylward wrote: Felix Miata wrote: Wols Lists wrote:
---- Um... you guys ever consider the audience, or how you might be overwhelming someone? um... just asking... ;-)
Good point - BUT
There comes a point when people read their saturation limit, and the less they know, the sooner that comes.
So many considerations they aren't even aware of -- and to try to explain how they need to consider all the things they aren't aware of... AGGG..
But when you see someone using a hammer to drive in a screw ...
I think I'd feel more than a bit squished! Helpful, I realize you are being, but from someone who does the same, a lot, just saying... ;-)
Anyone see what I mean by I'd hesitate to send a newbie to this list for basic support and why I might suggest win10 (as much as I hate it)?... oi..
I can see a load of people have piled in on top of my original comment, but I've seen so many problems caused, and equipment broken, by people who don't understand what they're doing, that you do need to point these things out.
Be sensitive to them, ALWAYS remember that one size does NOT fit all, but try and educate them and make sure they are aware of the consequences of their actions.
It's like top-posting - some people will not care, others will kill-file you for it. If you don't know that, you could easily lose the attention of the one person who could help you!
Cheers,
Wol
On 01/27/17 14:08, Wols Lists wrote:
by people who don't understand what they're doing, that you do need to point these things out.
Be sensitive to them, ALWAYS remember that one size does NOT fit all, but try and educate them and make sure they are aware of the consequences of their actions.
- &amp; whereas most on list, with experience, are truly exceptionally helpful, there do exist old-timers with much experience whose main purpose is to use the list as a platform to show how very clever they are, without helping anyone except their own ego.
cheers ........
On 01/27/2017 12:39 AM, L A Walsh wrote:
Um... you guys ever consider the audience, or how you might be overwhelming someone? um... just asking... ;-)
Yes. Good point.
There are basically two ways to overwhelm. The point at which it happens depends on the individual and is difficult to judge.
The first is the "TL;DR" mode. Sometimes explaining things in a simple manner needs detail and illustrations and examples and that stretches out.
The other is moving to advanced concepts before the basics have been assimilated.
As a list, we are guilty of both. But then, as I say, it's often hard to tell how much detail an individual needs or how fast they can assimilate. I'm sure that applies just as much in physical classrooms, so as a result teaching methods are there to address the 'average' student.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2017-01-26 23:02, Daniel Bauer wrote:
So it looks to me, that everything within home/daniel (drwx------) is safe, and the umask thing is not necessary.
??? Or am I just not enough a hacker?
See this structure:

cer@Telcontar:~/tmp/daniel> tree -p
.
├── [drwx------]  one
│   ├── [drwxr-xr-x]  inside
│   │   └── [-rw-r--r--]  p2
│   └── [-rw-r--r--]  p
└── [drwxr-xr-x]  two
    ├── [-rw-r--r--]  hard-p
    └── [lrwxrwxrwx]  symbolic -> ../one/inside/

4 directories, 3 files
cer@Telcontar:~/tmp/daniel>

'hard-p' is a hard link to 'p2' in the other directory.
Now I change to another user. I do not have access to "one":

cer@Telcontar:~/tmp/daniel> su cer-g
Password:
cer-g@Telcontar:/home/cer/tmp/daniel> cd two/
cer-g@Telcontar:/home/cer/tmp/daniel/two> l
total 4
drwxr-xr-x 2 cer users 34 Jan 26 23:46 ./
drwxr-xr-x 4 cer users 26 Jan 26 23:43 ../
-rw-r--r-- 2 cer users  7 Jan 26 23:47 hard-p
lrwxrwxrwx 1 cer users 14 Jan 26 23:44 symbolic -> ../one/inside/
cer-g@Telcontar:/home/cer/tmp/daniel/two> l symbolic/
ls: cannot access 'symbolic/': Permission denied
cer-g@Telcontar:/home/cer/tmp/daniel/two> cat hard-p
dentro
cer-g@Telcontar:/home/cer/tmp/daniel/two>

But I can read the file inside the directory, because I created a hard link to it. But user cer-g can not create that link, anyway.
Me, I prefer Wol's solution, it allows sharing if wanted. Other Linux distros do that by default, create a different group for each user.
-- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
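The hard-link case Carlos shows, turned into a check, as an added example (not Carlos's own script). A hard link is the same inode under a second name, so a file inside a 0700 directory stays readable through a link that sits in a readable directory; a directory-level `chmod` never sees it. `find_multilinked` lists every regular file under a private tree that has more than one name, which is the audit to run after locking a home down. The demo tree recreates Carlos's layout in a temp directory. Assumes GNU/POSIX find (-links) and GNU coreutils (stat -c). `protected_hardlinks` reads the kernel switch (fs.protected_hardlinks) that stops non-owners from linking to files they cannot read or write, which is the reason cer-g could not have made that link itself; its value depends on the host and is only reported.

```sh
#!/bin/sh
# Added example, not from the thread: spot files that remain reachable through
# a hard link after their directory was made private.
# Assumes GNU/POSIX find (-links) and GNU coreutils (stat -c).

# find_multilinked DIR -> regular files under DIR with more than one name
find_multilinked() {
    find "$1" -type f -links +1
}

# link_count PATH -> number of names the inode has (1 = no extra links)
link_count() { stat -c %h "$1"; }

# protected_hardlinks -> kernel setting fs.protected_hardlinks (1 = non-owners
# cannot hard-link files they can neither read nor write), "unknown" if absent
protected_hardlinks() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        printf 'unknown\n'
    fi
}

# build_demo -> Carlos's tree, constructed in a temp dir; prints its path
#   one/            700   private
#   one/inside/     755
#   one/inside/p2         "dentro"
#   one/p
#   two/            755   readable
#   two/hard-p      hard link to one/inside/p2 (same inode)
#   two/symbolic -> ../one/inside/  (a symlink only points; it is still blocked)
build_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/one/inside" "$root/two"
    printf 'dentro\n' > "$root/one/inside/p2"
    printf 'hello\n'  > "$root/one/p"
    ln    "$root/one/inside/p2" "$root/two/hard-p"
    ln -s ../one/inside         "$root/two/symbolic"
    chmod 700 "$root/one"
    chmod 755 "$root/two" "$root/one/inside"
    printf '%s\n' "$root"
}
```

On a real system, `find_multilinked /home/daniel` after the `chmod 0700` tells you which files still have a second name somewhere; the remedy is to find and remove the extra name (or copy instead of link), since tightening the directory does nothing for them.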
On 01/26/2017 05:55 PM, Carlos E. R. wrote:
But I can read the file inside the directory, because I created a hard link to it.
All that may be fine for us sophisticates on the list but Daniel is a beginner. He needs to understand the basics of access control.
I can't do much better on that than the advice Felix gave:
<quote>
It might be prudent at this point for Daniel to take time to examine the whole concept of Linux permissions, taking a look e.g. at these:
https://en.wikipedia.org/wiki/File_system_permissions
https://en.wikipedia.org/wiki/Umask
https://en.wikipedia.org/wiki/Chmod
Then take a look around his system using a file manager that shows permissions, logged in as root, to gain some working familiarity.
</quote>
well, perhaps I could add some experimentation based on all that. Real 'hands on' experience is the best way to learn, trumps 'book learning'. Practice, reinforcement, time ... after a while it all seems to enter into your DNA. Like Nike says, you "just Do It".
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 01/26/2017 02:58 PM, Daniel Bauer wrote:
Am 26.01.2017 um 20:15 schrieb Anton Aylward:
On 01/26/2017 01:34 PM, Wols Lists wrote:
On 26/01/17 17:26, Daniel Bauer wrote:
Thanks for the various inputs!
Actually, after googling, i typed the following:
sudo chmod 0700 /home/daniel
with a short test the new user cannot see anything of my home anymore. But of course, I am not sure if this was intelligent, because of the answers here that are much more complex...
It is a laptop and a desktop. On both only one user 1000 daniel existed. On the laptop I made a new one with Yast which is 1001.
I guess, the problem is solved that way. If not *please* correct me.
Thanks
Daniel
That is exactly how I would handle it. For any shared data create a directory somewhere other than a user's home and set the permissions to 0770 with the owner as root and the group to a name shared by all users needing access.
-- Ken Schneider SuSe since Version 5.2, June 1998
Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see, that this user can see many or most of my files (read only), but I want that she can only see her own files.
How are you seeing this? Did you create the user, login as that user, then see you could still read your files?
*Probably*, you are both in the same group (group = users) yes?
If you don't want others in the users-group to be able to read your files, you need to turn off the permissions on *your* files that enable them to read them. In your home directory, type "chmod g-rwx,o-rwx -R ."
That will remove read, write and execute (for directories, 'x' = the passthrough privilege) for others in your group as well as everyone else.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)?
---- After you execute the 'chmod', any program running as 'you' (with your user id) will still have the same access they had before -- we are only changing the "group" and "other" permissions.
How do I achieve that new files automatically are readable only by me (and root)?
The above should work. If you find any files or directories that are not writable use 'chmod u+w FILE' on the FILE or directory. That should work on any files or directories that are owned by you.
I hope this is clear enough (I found some of the other suggestions a bit confusing, wearing my 'newish-user' hat. I try to keep several 'hats' on hand for when I write to different folks). ;-)
Please ask if you have any more questions...
-linda
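Linda's two forms side by side, as an added example (not her script): `chmod 0700` sets the owner's bits to rwx outright, so a plain document gains the execute bit, while `chmod g-rwx,o-rwx` only takes bits away and leaves the owner's permissions exactly as they were, which is why programs running as the owner keep working after the recursive form. The block also answers the "new files readable only by me" question with umask, and includes the audit a practitioner would run afterwards: count everything under the home that still grants group or other anything. The temp home and its files are constructed for the demo. Assumes GNU coreutils (stat -c) and GNU find (-perm /MODE).

```sh
#!/bin/sh
# Added example, not from the thread: octal vs symbolic chmod, a recursive
# privatize step with an audit, and the umask that makes new files private.
# Assumes GNU coreutils (stat -c) and GNU find (-perm /MODE).

# mode_of PATH -> octal mode, e.g. 644
mode_of() { stat -c %a "$1"; }

# after_octal FILE -> mode after "chmod 0700": owner bits are *set* to rwx,
# so a 644 document becomes 700 and is now marked executable
after_octal() { chmod 0700 "$1"; mode_of "$1"; }

# after_symbolic FILE -> mode after "chmod g-rwx,o-rwx": bits are only
# *removed*; a 644 document becomes 600 and keeps its non-executable state
after_symbolic() { chmod g-rwx,o-rwx "$1"; mode_of "$1"; }

# privatize_tree DIR -> Linda's recursive form over everything under DIR;
# owner permissions are untouched, so scripts in ~/bin stay executable
privatize_tree() { chmod -R g-rwx,o-rwx "$1"; }

# count_open_to_others DIR -> entries under DIR (DIR included) that still
# grant any permission to group or other; 0 means fully private
count_open_to_others() { find "$1" -perm /077 | wc -l | tr -d ' '; }

# new_file_mode UMASK DIR -> mode a freshly created file gets under UMASK
# (077 -> 600: readable only by the owner and root; 022 -> 644: the usual default)
new_file_mode() {
    ( umask "$1"; : > "$2/.probe.$$"; stat -c %a "$2/.probe.$$"; rm -f "$2/.probe.$$" )
}

# build_demo -> constructed home with typical default modes; prints its path
build_demo() {
    home=$(mktemp -d)
    mkdir -p "$home/Desktop" "$home/bin"
    printf 'text\n' > "$home/Desktop/text.txt"
    printf 'text\n' > "$home/Desktop/copy.txt"
    printf '#!/bin/sh\necho hi\n' > "$home/bin/tool"
    chmod 755 "$home" "$home/Desktop" "$home/bin" "$home/bin/tool"
    chmod 644 "$home/Desktop/text.txt" "$home/Desktop/copy.txt"
    printf '%s\n' "$home"
}
```

For a real home the sequence is `privatize_tree ~` followed by `count_open_to_others ~`, which should print 0; anything still listed by `find ~ -perm /077` is worth a look (files not owned by you, for instance). Put `umask 077` in the shell startup file, or set it as the thread describes in YaST, so files created later start out 600.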
participants (11)
- Anton Aylward
- Carlos E. R.
- Daniel Bauer
- ellanios82
- Felix Miata
- jdd
- John Andersen
- Ken Schneider - openSUSE
- L A Walsh
- stakanov
- Wols Lists