Ubuntu – How to yield all users the read/write permission for files in a the common directory

16.04mountpartitioningpermissions

I have installed Ubuntu system at an SS disk and I wish users to access partitions of the second (mechanical) disk as common depositories with full read/write/delete permissions for each file. And I wish that each user see such a partition (say /dev/sdb7) as a directory with a fixed name (say /home/the_user/F). I was advised (Is it possible to mount a partition as a common depository for users with the same relative path?) to mount the partition during boot and to symlink that mountpoint to somewhere in the user's home. However, in the manual for

link

I see an option

‘-d’
‘-F’
‘--directory’
     Allow users with appropriate privileges to attempt to make hard
     links to directories.  However, note that this will probably fail
     due to system restrictions, even for the super-user.

I am afraid of it. Please advise me an example of a proper link; and the corresponding group or bindfs commands to be used at user login or once forever by the root. Thanks!

Best Answer

You don't need to use hard links, actually we can not create a hard link to a directory because it makes loop in file system hierarchy.

You have to use -s option to create a symlink (symbolic link):

Let's say I have mounted /dev/sda7 on /media/some/mount/point. To create a link to this path I have to run:

ln -s [target] [symlink]

Like:

ln -s /media/some/mount/point  /home/username/F

The permission of link would be 777 but however a symlink is a different file from you actual directory, it only grant access to symlink itself and the user must have correct permissions to be able to work with the files in /media/some/mount/point.

Related Solutions

Ubuntu – How to get permissions for all users for new drive added to the system – 12.10

One option would be to create a group with read/write permissions on that folder and then add each one of the users to that group.

First, you need to create a new group:

groupadd my_media_group

Then change the permissions of your files. Supposing /dev/sdd1 is mounted in /media/nick/Media Store

sudo chgrp /media/nick/Media\ Store my_media_group
sudo chmod -R 2770 /media/nick/Media Store

The first command will change the group of that folder. The second will set rwx permissions to owner and group (770) and make new created files have the group of the parent folder (2). If you already have files in that folder, it may be needed to change their group also (it can be made with chgrp -R)

Lastly, for each one of the users in the system add it to that group:

sudo usermod -a -G my_media_group <username>

I haven't tried this, and it may not be the best way to do it, but if it doesn't work you should be able to go back using chgrp and chmod.

Hope this helps.

Ubuntu – How to prevent users accessing anything but their own home directory

Reassess your requirement first. What is the problem you are trying to solve? Why do you want to prevent users from leaving their home directory? Isn't it rather that you don't want them to rummage through specific other directories -- such as the home directories of other users?

It is very difficult to prevent users from leaving their home directory. It is actually a bit silly, too (explanation follows). It is much simpler to prevent users from entering directories you don't want them to enter.

First off, yes you can give users a so-called restricted shell, see man rbash. This will prevent them from cd-ing elsewhere, but only inside that shell. If the user starts vi or nano (or any other program capable of opening a file) they can again open files anywhere on the system. As a matter of fact, a restricted shell does not prevent e.g. cat /etc/passwd.

The next step up is a root jail. More info on the community wiki and in this question. Though a root jail will lock users inside a walled garden, within which they have access to nothing but the files and commands that you intentionally put there, root jails really are intended for isolating untrusted software rather than users. In particular, they are for software that needs to run with elevated privileges -- hence a root jail.

Users, on the other hand, are trusted: they have had to authenticate and run without elevated privileges. Therefore file permissions suffice to keep them from changing files they do not own, and from seeing things they must not see. To prevent users from reading the content of a file, remove its world-readability with chmod o-r FILE . To keep users out of a directory, make it world-inaccessible with chmod o-rwx DIR.

World-readability is the default though, for good reason: users actually need most of the stuff that's on the file system. Don't lock users in their homes just because there exist secrets outside.

Why locking users in their home directory is a bit silly

To do anything useful, users need access to commands and applications. These are in directories like /bin and /usr/bin, so unless you copy all commands they need from there to their home directories, users will need access to /bin and /usr/bin. But that's only the start. Applications need libraries from /usr/lib and /lib, which in turn need access to system resources, which are in /dev, and to configuration files in /etc and /usr/share.

This was just the read-only part. Applications will also want /tmp and often /var to write into. So, if you want to constrain a user within his home directory, you are going to have to copy a lot into it. In fact, pretty much an entire base file system -- which you already have, located at /.

Best Answer

Related Solutions

Ubuntu – How to get permissions for all users for new drive added to the system – 12.10

Ubuntu – How to prevent users accessing anything but their own home directory

Related Question