new user acl questions

Support for security such as Firewalls and securing linux

Postby vinmansbrew » 2018/04/09 18:36:23

I am trying to add acl for a new user, to a certain directory, without giving them access to prior directories. Now, I've done this before, and it seemed to work fine.
I have added the person to the required /etc/group, then I have gone to the parent directory that contains the directory they need access to, and I have tried adding r/w access to that folder. When they WinSCP to the dir, "server returned empty listing for directory".

I must be missing something that I have forgotten about.


Postby MartinR » 2018/04/10 09:43:05

Do they have read access to outer directories? See chmod(1). For example, to access /home/someone/test/ they need --x access to /home/ and /home/someone/. They can then find /home/someone/test/ which can have r-x or rwx as appropriate. Remember that to search a directory (e.g. use ls) you need read permission, so just supplying execute will only allow the user to go to a subdirectory they already know about.
Last edited by MartinR on 2018/04/12 09:14:38, edited 1 time in total.


Postby Whoever » 2018/04/12 03:19:57

MartinR wrote: Remember that to search a directory (eg use ls) you need execute permission, so just supplying read will only allow the user to go to a subdirectory they already know about.


I believe that you have that reversed. To cd to a directory, only "x" is needed, while "r" is needed to list the contents.


Postby MartinR » 2018/04/12 09:09:05

Good catch, mea culpa. In my (shaky) defence I wrote it, then checked the man page, and changed it without engaging my brain first. What it says: "execute (or search for directories) (x)", what I saw: "search in directories".

The basic issue remains though, check that there is execute access to the parent directories.
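
Added example (not part of any post in this thread): a shell sketch of the check discussed above, reporting whether a permission class can reach a directory (x on every parent), list it (r on the directory) and create files in it (w and x on the directory). The function names and the constructed sample tree are assumptions; it reads classic mode bits only and does not evaluate named ACL entries.

```shell
#!/bin/sh
# Added example, not from the thread. Reads classic mode bits only; named ACL
# entries (setfacl) are not evaluated here. Function names are hypothetical.

# perm_bit CLASS PATH N: print bit N (1=r 2=w 3=x) of PATH for class u, g or o.
perm_bit() {
    case $1 in u) off=1 ;; g) off=4 ;; o) off=7 ;; *) return 2 ;; esac
    bit=$(ls -ld -- "$2" | cut -c$((off + $3)))
    # s/t = x plus a special bit; S/T = special bit set but x missing.
    case $bit in s|t) bit=x ;; S|T) bit=- ;; esac
    printf '%s\n' "$bit"
}

# first_blocked CLASS START TARGET: print the first directory from START down to
# TARGET's parent that lacks x (search) for CLASS; print nothing if none does.
first_blocked() {
    dir=${2%/}; rel=${3#"$dir"/}
    while :; do
        [ "$(perm_bit "$1" "${dir:-/}" 3)" = x ] || { printf '%s\n' "${dir:-/}"; return 1; }
        case $rel in */*) dir=$dir/${rel%%/*}; rel=${rel#*/} ;; *) return 0 ;; esac
    done
}

# access_report CLASS START TARGET: one-line verdict for the TARGET directory.
access_report() {
    if blocked=$(first_blocked "$1" "$2" "$3"); then t=yes; else t="no($blocked)"; fi
    r=$(perm_bit "$1" "$3" 1); w=$(perm_bit "$1" "$3" 2); x=$(perm_bit "$1" "$3" 3)
    l=no; c=no
    [ "$t" = yes ] && [ "$r" = r ] && l=yes       # r returns the entry names
    [ "$t" = yes ] && [ "$w$x" = wx ] && c=yes    # w+x allows creating entries
    printf 'reach=%s list=%s create=%s\n' "$t" "$l" "$c"
}

# Constructed sample tree mirroring /home/someone/test from the thread.
build_demo_tree() {
    root=$(mktemp -d) && mkdir -p "$root/home/someone/test" || return 1
    chmod 755 "$root"; chmod 711 "$root/home"     # 711: others get x only
    chmod 750 "$root/home/someone"                # others get nothing
    chmod 775 "$root/home/someone/test"
    printf '%s\n' "$root"
}

demo=$(build_demo_tree)
access_report g "$demo" "$demo/home/someone/test"
access_report o "$demo" "$demo/home/someone/test"
access_report o "$demo" "$demo/home"
rm -rf "$demo"
```

For a real path, pass / as START and the class that applies to the user; where ls -ld shows a trailing +, inspect the directory with getfacl as well.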


Postby vinmansbrew » 2018/04/17 17:06:10

I'll take a look. The issue seems to have cleared up, so it may have been something with the program they are partly accessing.


Postby vinmansbrew » 2018/04/24 21:58:40

Ok, well not cleared up. Affected user thought it may have been. So, there is still an issue.
I'll describe it a bit more.
They connect with WinSCP. They can read the file. They can apparently execute it with whatever program. But to do so, it sounds like the file has to be pulled off its location, modified, then put back. It is the put back part, or writing the file to the directory, that is the issue.

There is another user that does the same thing with the same file, and it works fine. Both are in the same groups. However, the user in question shows a gid=206, but there is no group with that id. Could that cause this issue?