UNIX Groups

Hey everyone,

I've just registered with Linode for a month, just to play around and see if I could manage working in the stripped down environment, before moving my site over.

I've got a quick question about Unix groups. Essentially, I want to give some users access to a directory (say for the sake of discussion, /var/www/forum). I don't want these users to have access to ANYTHING else, just that directory.

How would I achieve this? Again, I'm pretty much a novice as far as it comes to UNIX, so easy steps would be fantastic. I've found nothing on the Internet that explains it in a way that I understand. In addition, I've read about the dangers of FTP, and have seen the recommendations from some users to just use SFTP instead. Would doing this allow the users to issue shell commands that could affect the entire environment, not just that directory?

Thanks in advance :)

5 Replies

For the sake of discussion only, for I would never give users access to /www/forum.

You would ensure that forum is owned by the group in question; just do an ls -la and it will list the groups. Now if you choose to create another group, let's say foo, you need to ensure the users in question also belong to the "foo" group. Just hit the man pages; they're also online:

http://linux.die.net/man/8/groupadd

http://linux.die.net/man/8/useradd

But the best is to just hit them from an SSH session.

But in all honesty the best route would be to have whatever forum software you're using manage the permissions, for I would not advise giving your users shell access ;)

> Essentially, I want to give some users access to a directory (say for the sake of discussion, /var/www/forum). I don't want these users to have access to ANYTHING else, just that directory.

Do you mean read access or write access?

If you mean write access, the best way to do this would be to (1) create a group, (2) make the directory owned by the group, (3) change the directory's permissions to 775, and (4) add the relevant users to that group. Just as marcus0263 said.

But if you mean read access, the above just won't do. Lots of system files are owned by root but have their permissions set to 644, which means that anyone with an SSH account on your server – or worse, any PHP script without an open_basedir restriction -- can read them whenever they want.

FTP has a very effective protection against this; most modern FTP servers will jail each user to his/her home directory. (That's one way in which the inherent insecurity of FTP gets somewhat mitigated…) But in order to achieve the same effect with SSH/SFTP, you'll have to look into chrooting SSH.

Anyway, I don't know what you're trying to do with this kind of setup, but why can't you just let the forum software manage permissions? UNIX users and groups are a totally different thing from users and groups in your average PHP forum (or whatever else you're using).

@hybinet:

> But in order to achieve the same effect with SSH/SFTP, you'll have to look into chrooting SSH.

The latest releases of openssh contain a rudimentary chrooting function that actually works very nicely for simple user jailing without the traditional messy configuration.

http://www.debian-administration.org/articles/590

Or you could try giving them a limited shell, like scponly or such.
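The group-writable directory suggested earlier in the thread and the OpenSSH chroot mentioned in this reply interact, because sshd only accepts a chroot whose whole path is root-owned and not group- or world-writable. The following is an added example, not code from any reply: the group name forumusers, the path /srv/jail and the helper names dir_ok and chroot_path_ok are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). sshd_config stanza it supports;
# the group name and jail path are assumptions:
#
#   Match Group forumusers
#       ChrootDirectory /srv/jail
#       ForceCommand internal-sftp
#
# sshd rejects the session unless every component of ChrootDirectory is
# owned by root and not writable by group or others. The group-writable
# (775) directory therefore goes below the jail, e.g. /srv/jail/forum.

# dir_ok DIR [OWNER_UID]: check one directory. OWNER_UID defaults to 0
# (root); it is a parameter only so the check can be tried on scratch
# directories without being root.
dir_ok() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 4096 ... /srv/jail"
    read -r d_perms d_links d_uid d_rest <<EOF
$(ls -ldn "$1")
EOF
    if [ "$d_uid" != "${2:-0}" ]; then
        echo "$1: owned by uid $d_uid, expected ${2:-0}" >&2; return 1
    fi
    case $d_perms in
        ?????w*|????????w*)
            echo "$1: writable by group or others ($d_perms)" >&2; return 1 ;;
    esac
    return 0
}

# chroot_path_ok PATH [OWNER_UID]: apply dir_ok to PATH and every parent
# up to /. Returns 2 for a relative path, 1 for a failed component.
chroot_path_ok() {
    p=$1
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p" >&2; return 2 ;;
    esac
    while :; do
        dir_ok "$p" "${2:-0}" || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}
```

Running chroot_path_ok against the intended jail before restarting sshd catches the common case where the jail itself was made group-writable instead of a subdirectory inside it.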

@freedomischaos:

> Or you could try giving them a limited shell, like scponly or such.

I highly recommend scponly as a great way to give users file transfer access. It's a little tricky to get configured, but it's definitely worth it.
