restrictions on a directory on shared server
I have one directory on a Unix server which is currently accessible to all, as the user name the users are logged in under is common, but they log in to that user via sudo su -iu.
I want only 10 users to have access to that directory; all the rest shall not be able to access it.
ssh aaa@abc.com
sudo -su server1
/home/server1/
cd dir1 (the owner of this directory is user server1 and the group is grp1, and whenever person1 and person2 log in via sudo to this server, both of them will have the same user and group IDs for this user server1 on this server).
How can we restrict all users from accessing this directory except 8-10 folks?
security account-restrictions
1
Create a group, add those 10 users to that group, set the group as owner of the directory in question and set the right permissions.
– Panki
Feb 28 at 8:20
1
They are logging into that server and then becoming root. In that case, there isn't anything that you can do to keep them out of that or any other directory. Even if you put that directory on an NFS export and enabled root squash, they could still su - to a user with access and get into it.
– Nasir Riley
Feb 28 at 8:46
See also this, to make files created in the shared folders by each of the users also writable by the other users: superuser.com/q/277775/879179
– filbranden
Feb 28 at 10:34
Thanks @NasirRiley, but in my case user1 is logging in via sudo as the server1 user, not root: sudo -iu server1 (executed by user1 to log in as the server1 user)
– anurag
Feb 28 at 17:52
@anurag If they can sudo su user then they can just sudo su and become root unless the sudoers file has been modified to only allow that one command.
– Nasir Riley
Feb 28 at 17:56
edited Feb 28 at 8:36
Rui F Ribeiro
asked Feb 28 at 8:13
anurag
1 Answer
In your solution, all users with sudo rights will be able to access the directory, as they will get the same effective user id with "sudo".
To enable permissions for a certain group of users, you need to add them to a supplementary group, and allow this group to access the directory. The users then use their original login to access the directory.
Do the following steps:
# Add a group for accessing the directory
groupadd s1_group
# Add the group to all users with access to the directory
usermod -a -G s1_group <user>
# Change the directory ownership (group: s1_group) and permissions (group writable)
chown :s1_group /home/server1
chmod 770 /home/server1
answered Feb 28 at 8:47
gerhard d.
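The answer and the comments both note that anyone who can use sudo to run as server1 (or as unrestricted root) still reaches the directory whatever its group permissions are. The script below is an added example, not part of the original answer: it scans sudoers-style rules and lists the principals that can still act as a target account. The function name can_become and the sample rules are constructed for illustration, and the parser is deliberately simplified (one rule per line, no aliases, includes or continuations).

```shell
#!/bin/sh
# Added example: which sudoers principals can still act as a given account?
# Simplified parser; the sample rules below are constructed, not from the post.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
person1 ALL=(server1) ALL
person2 ALL=(server1) /bin/bash
person3 ALL=(appuser) /usr/bin/less /var/log/app.log
%wheel  ALL=(ALL) NOPASSWD: ALL
person4 ALL=/usr/bin/systemctl restart nginx
person5 ALL=ALL'
# can_become TARGET: sudoers text on stdin, one matching principal per line.
can_become() {
    awk -v target="$1" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }  # not user rules
    {
        eq = index($0, "=")
        if (eq == 0) next
        spec = substr($0, eq + 1)
        sub(/^[ \t]+/, "", spec)
        runas = "root"                   # sudo default when no (runas) given
        if (substr(spec, 1, 1) == "(") {
            rp = index(spec, ")")
            runas = substr(spec, 2, rp - 2)
            spec = substr(spec, rp + 1)
            sub(/:.*/, "", runas)        # drop the :group part
        }
        gsub(/[A-Z_]+:[ \t]*/, "", spec) # drop tags such as NOPASSWD:
        any_cmd = 0
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
            if (cmds[i] == "ALL") any_cmd = 1
        }
        hit = 0
        n = split(runas, users, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", users[i])
            # Running as TARGET (or as anyone) yields the TARGET uid;
            # unrestricted root can switch to TARGET with su.
            if (users[i] == target || users[i] == "ALL") hit = 1
            if (users[i] == "root" && any_cmd) hit = 1
        }
        if (hit) print $1
    }'
}
printf '%s\n' "$SAMPLE_SUDOERS" | can_become server1
```

Every principal it prints has to lose that rule, or be among the intended 8-10 users, before the group-based permissions actually restrict anything.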