new user acl questions

vinmansbrew
Posts: 24
Joined: 2016/10/06 20:12:33

new user acl questions

Post by vinmansbrew » 2018/04/09 18:36:23

I am trying to add an ACL for a new user to a certain directory, without giving them access to prior directories. Now, I've done this before, and it seemed to work fine.
I have added the person to the required /etc/group, then I have gone to the parent directory that contains the directory they need access to, and I have tried adding r/w access to that folder. When they winscp to the dir, "server returned empty listing for directory".

I must be missing something that I have forgotten about.

MartinR
Posts: 346
Joined: 2015/05/11 07:53:27
Location: UK

Re: new user acl questions

Post by MartinR » 2018/04/10 09:43:05

Do they have read access to outer directories? See chmod(1). For example, to access /home/someone/test/ they need r-- --x access to /home/ and /home/someone/. They can then find /home/someone/test/ which can have r-x or rwx as appropriate. Remember that to search a directory (eg use ls) you need execute read permission, so just supplying read execute will only allow the user to go to a subdirectory they already know about.
Last edited by MartinR on 2018/04/12 09:14:38, edited 1 time in total.

Whoever
Posts: 1033
Joined: 2013/09/06 03:12:10

Re: new user acl questions

Post by Whoever » 2018/04/12 03:19:57

MartinR wrote:Remember that to search a directory (eg use ls) you need execute permission, so just supplying read will only allow the user to go to a subdirectory they already know about.
I believe that you have that reversed. To cd to a directory, only "x" is needed, while "r" is needed to list the contents.

MartinR
Posts: 346
Joined: 2015/05/11 07:53:27
Location: UK

Re: new user acl questions

Post by MartinR » 2018/04/12 09:09:05

Good catch, mea culpa. :oops: In my (shaky) defence I wrote it, then checked the man page, and changed it without engaging my brain first. What it says: "execute (or search for directories) (x)", what I saw: "search in directories".

The basic issue remains though, check that there is execute access to the parent directories.

vinmansbrew
Posts: 24
Joined: 2016/10/06 20:12:33

Re: new user acl questions

Post by vinmansbrew » 2018/04/17 17:06:10

I'll take a look. The issue seems to have cleared up, so it may have been something with the program they are partly accessing.

vinmansbrew
Posts: 24
Joined: 2016/10/06 20:12:33

Re: new user acl questions

Post by vinmansbrew » 2018/04/24 21:58:40

Ok, well not cleared up. Affected user thought it may have been. So, there is still an issue.
I'll describe it a bit more.
They connect with winscp. They can read the file. They can apparently execute it with whatever program. But to do so, it sounds like the file has to be pulled off its location, modified, then put back. It is the put back part, or writing the file to the directory, that is the issue.

There is another user that does the same thing with the same file, works fine. Both are in the same groups. However, the user in question, shows a gid=206, but there is no group with that id. Could that cause this issue?

And to try and answer Martin's question, the permissions change when going further into the directory tree. The ACLs do not appear to be set by person, but possibly by group. I didn't set this up myself, and came into it with no notation on the set up. However, the user that does work and the new user are part of the same 2 groups. So their IDs look like:

current user 201 620 622
new user 206 620 622
Technically, the 201/206 group does exist in /etc/group.

I will list the perms, starting with the 1st directory.

/1:
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

/1/apps:
# owner: 602
# group: 601
user::rwx
group::r-x
other::r-x

/1/apps/primary:
# owner: 503
# group: 503
user::rwx
user:oracle:rwx
group::rwx
group:program:rwx
mask::rwx
other::r-x

/1/apps/primary/load:
# owner: 503
# group: 503
user::rwx
user:602:rwx
user:605:rwx
user:ff_user:rwx
group::rwx
group:banner:rwx
group:program:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:602:rwx
default:user:605:rwx
default:group::rwx
default:group:503:rwx
default:group:program:rwx
default:mask::rwx
default:other::rwx

/1/apps/primary/load/data:
# owner: 503
# group: 503
user::rwx
user:602:rwx
user:605:rwx
user:ff_user:rwx
group::rwx
group:banner:rwx
group:program:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:602:rwx
default:user:605:rwx
default:group::rwx
default:group:503:rwx
default:group:program:rwx
default:mask::rwx
default:other::rwx

The last directory is where the files are that the current user can do whatever with, while the new user can read and execute, but not write.

So, things seem to look ok, to me, but I must be missing something, somewhere.
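The replies above describe a check that can be done by hand: walk the path, confirm x on every parent directory, then apply the ACL evaluation order (owner, named user, groups under the mask, other) to the final directory. The script below does that mechanically. It is an added example written for this thread, not code from the posts, from CentOS or from WinSCP: it parses getfacl-style text and evaluates it the way the Linux kernel's posix_acl_permission() does. Qualifiers are compared as the text prints them (use getfacl -n if you want numeric ids throughout), and root's CAP_DAC_OVERRIDE is ignored. The sample is an excerpt of the listing above plus a hypothetical sibling directory "staging" with a tightened mask, labelled as constructed in the code. For uid 206 with groups 206/620/622 on /1/apps/primary/load/data it reports rwx, granted by other::rwx, which agrees with the later finding that the ACL was not the cause.

```python
# Added example for this thread (not code from the posts): parse getfacl(1)-style
# output, evaluate it as the kernel's posix_acl_permission() does, and check
# search (x) permission on every listed parent of a path.
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the listing posted above (poster's "path:"
# headers; real getfacl prints "# file: path") plus a hypothetical sibling
# directory "staging" whose mask was tightened with `setfacl -m m::r-x`.
SAMPLE_GETFACL = """\
/1:
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
/1/apps/primary/load/data:
# owner: 503
# group: 503
user::rwx
user:602:rwx
group::rwx
group:program:rwx
mask::rwx
other::rwx
default:user::rwx
# file: /1/apps/primary/load/staging
# owner: 503
# group: 503
user::rwx
user:oracle:rwx
group::rwx
group:program:rwx
mask::r-x
other::---
"""

@dataclass
class Acl:
    owner: str                                    # from "# owner:"
    group: str = ""                               # from "# group:"
    entries: dict = field(default_factory=dict)   # (tag, qualifier) -> {"r","w","x"}

def parse_getfacl(text):
    """Return {path: Acl}. default: entries are skipped; they only seed the ACLs
    of files created later and never affect access to the directory itself."""
    acls, cur, path = {}, None, None
    for raw in text.splitlines():
        line = raw.split("\t#")[0].strip()        # drop "#effective:" annotations
        if not line:
            continue
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
        elif line.startswith("# owner:"):
            cur = acls[path] = Acl(owner=line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            cur.group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue                              # e.g. "# flags:"
        elif line.endswith(":") and line.count(":") == 1:
            path = line[:-1]                      # "path:" header form
        else:
            tag, qual, perm = line.split(":", 2)
            if tag != "default":
                cur.entries[(tag, qual)] = {c for c in perm if c in "rwx"}
    return acls

def permitted(acl, uid, gids, want):
    """Kernel rule: the first matching user entry decides; some single matching
    group entry must grant all of `want`; once any group entry matched, other::
    is not consulted. The mask caps named users and all group entries, never
    the owner or other. Qualifiers are compared as printed text."""
    e, want = acl.entries, set(want)
    mask = e.get(("mask", ""), set("rwx"))        # no mask entry: nothing capped
    if uid == acl.owner:
        return want <= e[("user", "")]
    if ("user", uid) in e:
        return want <= e[("user", uid)] & mask
    found = False
    for (tag, qual), p in e.items():
        if tag == "group" and (qual or acl.group) in gids:   # group:: or group:NAME:
            found = True
            if want <= p & mask:
                return True
    return not found and want <= e[("other", "")]

def effective(acl, uid, gids):
    return "".join(b if permitted(acl, uid, gids, b) else "-" for b in "rwx")

def walk(acls, target, uid, gids):
    """Require x on each listed ancestor of target (unlisted ones are assumed
    searchable), then give the effective rwx on target: (reachable, blocker, rwx)."""
    parts = target.strip("/").split("/")
    for i in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        if ancestor in acls and not permitted(acls[ancestor], uid, gids, "x"):
            return False, ancestor, "---"
    return True, None, effective(acls[target], uid, gids)

if __name__ == "__main__":
    acls = parse_getfacl(SAMPLE_GETFACL)
    print(walk(acls, "/1/apps/primary/load/data", "206", {"206", "620", "622"}))
```

Two caveats worth keeping in mind when reading the output. The kernel compares numeric ids, so a gid such as 206 with no matching /etc/group line changes nothing for access decisions; it only affects what ls and getfacl display. And the constructed "staging" directory shows the mask rule: a member of group program gets r-x there although group:program:rwx is set, while the owner keeps rwx because the mask never applies to user:: or other::.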

vinmansbrew
Posts: 24
Joined: 2016/10/06 20:12:33

Re: new user acl questions

Post by vinmansbrew » 2018/05/18 20:26:56

Ok, thought I should come back to this. Found out it was entirely NOT my issue. Turns out it was some setting in winscp that was changed.
