I would like to give read-only access to a user but I want him/her to see only the exact folders I give access. for example he/she shouldn't travel around all the server and browse to all users folders etc. even if he/she only goes up, up, up I want him/her to go to only these specific folders I allow. So firstly how can I let a specific user have access to a specific folder and then would putting symbolic links to his/her home folder would help? So they can go directly to necessary folders but not up or down?
Give read-only access to specific folders
filesystemspermissionsreadonly
Related Solutions
Just adding the user backups to the user group sudo does not automatically give the account access to all files on the system. It gives the user the permission to run the sudo command.
Since you are using public key authentication (presumably without a passphrase), I would approach this with security and ease of implementation in mind. Using ssh allows you to restrict the user to execute only very specific commands. In this case, you can allow the user backups to execute rsync with superuser permissions.
You have already performed the key exchange and verified authentication is successful. In the authorized_keys file on the remote host that you are backing the /home directory from, you can add a command= directive to the key that is used by the user backups. This directive will only allow that command to be run when that key is used for authentication. So the first field of the key would look similar to this:
command="/path/to/sudo /path/to/rsync -az /home /local/folder" ssh-rsa AAAAB3NzaC1yblahblahblah
You can go even further and add more options to the key, such as from=myhost,no-pty,no-X11-forwarding.
This should give you decent security and not require you to modify the underlying file system permissions. You will probably need to play with the command that you place in the authorized_keys file until it works like you expect; it may take a bit to wrap your brain around it. The command specified in the authorized_keys will basically override the rsync options you will pass from the connecting host.
Lots of good information in man sshd. You want to specifically read the AUTHORIZED_KEYS FORMAT section.
Create a read-only view of that directory in a different location. You can do that with bindfs.
Let's say that the directory in question is /home/confidential/reboot and that you want to give read-only access to the users in the group mygroup. Create a directory /views/mygroup/reboot which is accessible to that group.
mkdir -p /views/mygroup/reboot
chown root:mygroup /views/mygroup
chmod 750 /views/mygroup
Create the read-only view with bindfs. The bindfs process must have the permission to read the files and to access the mount point; here you would presumably run it as root.
bindfs -p a-w /home/confidential/reboot /views/mygroup/reboot
If the files under /home/confidential/reboot are not readable by the users in mygroup and you want to make them so, change the permissions specification to -p a=rX.
To create the read-only view at boot time, add it to /etc/fstab:
bindfs#/home/confidential/reboot /views/mygroup/reboot fuse perms=a=rX
Best Answer
You should set necessary directory permissions. For directories they are:
For files the situation is similar, it's quite obvious, so you can handle it on your own.
Numeric these permissions:
To edit permissions use
chmod. Usage:chmod xyz <file or directory>Example:
jack and jack's group will have read+write access to /home/jack and all it's sub-directories. The rest will have only read access.
-Roption here used to recursively set permissions.Other example:
will give jack full access to
/home/jack/videodirectory. See also:chown,chgrpfor changing owner and owning group.