Restrict user access

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat Restrict user access
# 1  
Old 12-19-2011
Restrict user access

Hi there

I have an application user on my system that wants accesses to these file systems as such:

rwx:

/SAPO
/SAPS12
/R3_888
/R3_888B
/R3_888F
/R3_888R

r:
/usr/sap

these are the existing FS permissionsSmiliewnerships:

Code:
[root@H99A100 ~]# ls -ld /SAPO
drwxrwxr-x 64 ZODCIFUSR ODCgrp 12288 Nov 25 11:02 /SAPO

[root@H99A100 ~]# ls -ld /SAPS12
drwxrwxr-x 5 s12adm ODCgrp 4096 Nov  7 13:49 /SAPS12

[root@H99A100 ~]# ls -ld /R3_888
drwxrwxr-x 129 s12adm ODCgrp 4096 Nov 10 09:56 /R3_888

[root@H99A100 ~]# ls -ld /R3_888B
drwxrwxr-x 31 s12adm ODCgrp 4096 Nov  7 15:03 /R3_888B

[root@H99A100 ~]# ls -ld /R3_888F
drwxrwxr-x 43 s12adm ODCgrp 4096 Nov 21 17:16 /R3_888F

[root@H99A100 ~]# ls -ld /R3_888R
drwxrwxr-x 4 s12adm ODCgrp 4096 Nov  7 15:03 /R3_888R

[root@H99A100 ~]# ls -ld /usr/sap
drwxrwxr-x 5 s12adm sapsys 4096 Oct 25 22:16 /usr/sap

the user:

Code:
[root@H99A100 ~]# id ZODCIFUSR
uid=2020(ZODCIFUSR) gid=200(ODCgrp) groups=200(ODCgrp),0(root) context=root:system_r:unconfined_t:SystemLow-SystemHigh

so how do i go by providing user ZODCIFUSR access to the file systems stated above without setting ACLs on the system? (or is ACLs the only way to do it?)

right now, he's in group 0, so he can pretty much access all the FS but this is just a temp workaround

I was thinking of adding the user to supplementary groups on which the FS are grouped (i.e. sapsys, ODCgrp)

please help, if ACLs is the way to do it, please let me know because i am not very good with the commands

thank you
# 2  
Old 12-19-2011
From the looks of the list, it seems everybody has access (read access at least) to those files, not just "ZODCIFUSR".

Anyway, you can remove that user from GID 0 and it should still work fine since most of the folders also belong to GID 200.

The only "problem" I see is with /usr/sap. Either you take away permissions from the whole group and make ZODCIFUSR a member of secondary group "sapsys", or you use ACLs.
# 3  
Old 12-19-2011
Hi Verde

I thought of the same thing, there's no reason giving fancy restriction to the user unless he's removed from group 0, and ACL does have mysterious ways working with permissions and maskings

If I were to use ACLs, say to allow user ZODCIFUSR to have read only access for directory and files under /usr/sap, how would the command be? Is this correct?

Code:
setfacl -m d u:ZODCIFUSR /usr/sap

Also I did a bit of Googling and it says that the permissions and ownerships are inherited; even after using mv or cp -p command. Is this true?
# 4  
Old 12-20-2011
Before you can assign an ACL, you have to make sure that the filesystem supports them:
Code:
tune2fs -l /dev/sdX/ | grep options

If you run mount you may also get the details. There should be an "acl" option somewhere in the mount options.

If it does not support ACLs, you can always remount the filesystem:

Code:
mount -o remount,acl /usr/sap

Having said so, your ACL command is almost correct:
Code:
setfacl -m d:u:ZODCIFUSR:r /usr/sap

When an ACLs (POSIX ACL) is set on a directory, all new files created inside inherit the default ACL. If for some reason you want to copy a file that has an ACL to a directory that does not use ACLs, both cp -p and mv will preserve the original ACL.

Last edited by verdepollo; 12-20-2011 at 04:59 PM..
This User Gave Thanks to verdepollo For This Post:
# 5  
Old 12-20-2011
Solved

Thank you verdepollo, I checked my disks and the partition, none of them even show any output when i run the tune2fs -l command (output shows the result for one of the disk)

Code:
[root@H99A100 dev]# ls -lrt sd*
brw-r----- 1 root disk 8,  2 Nov 22 22:30 sda2
brw-r----- 1 root disk 8,  0 Nov 22 22:30 sda
brw-r----- 1 root disk 8,  1 Nov 22 22:31 sda1
brw-r----- 1 root disk 8,  3 Nov 25 15:14 sda3
brw-r----- 1 root disk 8, 16 Nov 28 13:46 sdb
brw-r----- 1 root disk 8, 32 Nov 28 13:46 sdc
[root@H99A100 dev]#

[root@H99A100 dev]# tune2fs -l /dev/sdb
tune2fs 1.39 (29-May-2006)
tune2fs: Bad magic number in super-block while trying to open /dev/sdb
Couldn't find valid filesystem superblock.

none of the existing FS on the system is ACL supported, as per mount command

Code:
/dev/mapper/vgSAP-lv_s12_03 on /usr/sap/trans type ext3 (rw)

I doubt the client will agree with remounting the FS with acl mount option, but would it possible to create ACL anyways, without the FS mount options being ADL enabled? What would be the consequences to this?

Thanks again for the full command, I've always been wary of ACLs Smilie

---------- Post updated at 06:45 PM ---------- Previous update was at 06:27 PM ----------

So I tested this on my test server, but the weird thing is when I did mount, all the other FS but /tmp is acl enabled, even after manually enabling acl for /tmp

Code:
my-xftp0:~ # tune2fs -l /dev/sda8
tune2fs 1.41.9 (22-Aug-2009)
Filesystem volume name:   <none>
Last mounted on:          <not available>
Filesystem UUID:          1d4351d3-dbf5-42b8-9b78-a29b7dcf5e9c
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super large_file
Filesystem flags:         signed_directory_hash 
Default mount options:    (none)
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              655360
Block count:              2620603
Reserved block count:     131030
Free blocks:              2537308
Free inodes:              655216
First block:              0
Block size:               4096
Fragment size:            4096
Reserved GDT blocks:      639
Blocks per group:         32768
Fragments per group:      32768
Inodes per group:         8192
Inode blocks per group:   512
Filesystem created:       Thu Nov 17 11:44:04 2011
Last mount time:          Wed Dec  7 15:30:06 2011
Last write time:          Wed Dec  7 15:30:06 2011
Mount count:              8
Maximum mount count:      -1
Last checked:             Thu Nov 17 11:44:04 2011
Check interval:           0 (<none>)
Reserved blocks uid:      0 (user root)
Reserved blocks gid:      0 (group root)
First inode:              11
Inode size:               256
Required extra isize:     28
Desired extra isize:      28
Journal inode:            8
Default directory hash:   half_md4
Directory Hash Seed:      b38a25f8-9d33-45c8-81ef-b51c55d4fba2
Journal backup:           inode blocks

check out the FS in blue, they were acl enabled all along

Code:
my-xftp0:~ # mount
/dev/sda1 on / type ext3 (rw,acl,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
devtmpfs on /dev type devtmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,mode=1777)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/sda2 on /boot/efi type vfat (rw,noexec,nosuid,nodev,gid=100,umask=0002,utf8=true)
/dev/sda4 on /home type ext3 (rw,acl,user_xattr)
/dev/sda7 on /opt type ext3 (rw,acl,user_xattr)
/dev/sda8 on /tmp type ext3 (rw)
/dev/sda5 on /usr type ext3 (rw,acl,user_xattr)
/dev/sda6 on /var type ext3 (rw,acl,user_xattr)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
securityfs on /sys/kernel/security type securityfs (rw)

attempting to set /tmp acl enabled failed:

Code:
my-xftp0:~ # mount -o remount, acl /tmp
my-xftp0:~ # tune2fs -l /dev/sda8 | grep -i acl
my-xftp0:~ #

nonetheless, attempting to set user test with read permissions for /tmp worked

Code:
my-xftp0:~ # setfacl -m d:u:test:r /tmp
my-xftp0:~ # 
my-xftp0:~ # getfacl /tmp
getfacl: Removing leading '/' from absolute path names
# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:test:r--
default:group::rwx
default:mask::rwx
default:other::rwx

oh by the way, the test machine I play around is a suse linux machine

Code:
my-xftp0:~ # cat /proc/*version
Linux version 2.6.32.12-0.7-default (geeko@buildhost) (gcc version 4.3.4 [gcc-4_3-branch revision 152973] (SUSE Linux) ) #1 SMP 2010-05-20 11:14:20 +0200

...weird no?
# 6  
Old 12-21-2011
Sometimes ACL support is defined on the superblock, even if /proc/partitions, /etc/mtab, /etc/fstab, tune2fs, etc do not explicitly report ACL support.

What's the output of:
Code:
dumpe2fs /dev/sda8 | grep -i 'mount options'

# 7  
Old 12-21-2011
Here's the output from my test machine

Code:
my-xftp0:~ # dumpe2fs /dev/sda8 | grep -i 'mount options'
dumpe2fs 1.41.9 (22-Aug-2009)
Default mount options:    (none)
my-xftp0:~ # date
Thu Dec 22 10:46:26 MYT 2011
my-xftp0:~ #

and the output from prod machine

Code:
[root@H99A100 dev]# dumpe2fs /dev/sda1 | grep -i 'mount options'
dumpe2fs 1.39 (29-May-2006)
Default mount options:    user_xattr acl

Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Restrict access

I'm trying to use squid to restrict elinks' access to certain websites(only http traffic). I have tried some configs in squid.conf but no luck. Hope someone has a bit of time to explain me how can you make these config's :) ---------- Post updated at 05:40 PM ---------- Previous update was at... (1 Reply)
Discussion started by: Birnbacher
1 Replies

2. Ubuntu

Restrict SUDO Access

Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux Hi Folks, Please help me. I am bit struck here. Here is the OS info. Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux I have a... (17 Replies)
Discussion started by: explorer007
17 Replies

3. UNIX for Dummies Questions & Answers

Restrict user access.

Hi All, How can we restrict a particular user access to a particular shell in solaris 10. Thanks in Advance. (5 Replies)
Discussion started by: rama krishna
5 Replies

4. UNIX for Advanced & Expert Users

Restrict Access to the folder

Hi I have requirement to create 3 new users on my server but to restrict their access to a set of particular folders. /export/home/kapil/shared, /export/home/kapil/shared/Folder1 /export/home/kapil/shared/Folder2 These folders should be accessible to all the 3 users and to me too.... (1 Reply)
Discussion started by: kapilk
1 Replies

5. UNIX for Advanced & Expert Users

Restrict access to specific users.

Hi All! I would like to know if there is any specific way by which I can restrict access to apecific users (ip addresses). OS : Red hat linux Thanks! nua7 (6 Replies)
Discussion started by: nua7
6 Replies

6. UNIX for Dummies Questions & Answers

Restrict user access to their home dir

Hi! i'm using FreeBSD 6.2 and hosting my pc to frens in particular of sensitive information being saved to the PC, i would like to know is it possible for me to restrict user access to their /home dir. only? and also, i wanted to restrict them listing files under /etc thanks all! (10 Replies)
Discussion started by: rdns
10 Replies

7. UNIX for Advanced & Expert Users

Restrict FTP access to a single directory for only one user.

Hi All, It will be very great if you can help me in this issue. Thanks in advance. I need to enable FTP on a solaris9 server. I need to create a new user some "xxxxxx" and he can only FTP the files to and from between /tftpboot directory and network devices. Other users should not... (8 Replies)
Discussion started by: santhoshkumar_d
8 Replies

8. Red Hat

restrict access of a user to two directories only

Hi all, I am using RHEL 5.0 I need a user say test to have full access to two directories, say /tmp1 & /tmp2 only other than his home directory. I do not want to change his login shell which is ksh or bash by default. Moreover, he should not even have read access of other directories. ... (10 Replies)
Discussion started by: vikas027
10 Replies

9. HP-UX

How to restrict a user group to access the kernel

Hi, Please any one can help me to know that how we can restrict a user group to access the kernel at all. (0 Replies)
Discussion started by: harishankar
0 Replies

10. UNIX for Dummies Questions & Answers

restrict tcp-port access

Hi Is there any way to restrict the TCP-IP port usage. I want to restrict TCP-IP port 1500/1550 to the oracle osuser. Tanks in advance. Remi (2 Replies)
Discussion started by: remivisser
2 Replies
Login or Register to Ask a Question