I would like to give read-only access to a user but I want him/her to see only the exact folders I give access. for example he/she shouldn't travel around all the server and browse to all users folders etc. even if he/she only goes up, up, up I want him/her to go to only these specific folders I allow. So firstly how can I let a specific user have access to a specific folder and then would putting symbolic links to his/her home folder would help? So they can go directly to necessary folders but not up or down?
Give read-only access to specific folders
filesystemspermissionsreadonly
Related Solutions
Just adding the user backups
to the user group sudo
does not automatically give the account access to all files on the system. It gives the user the permission to run the sudo
command.
Since you are using public key authentication (presumably without a passphrase), I would approach this with security and ease of implementation in mind. Using ssh
allows you to restrict the user to execute only very specific commands. In this case, you can allow the user backups
to execute rsync
with superuser permissions.
You have already performed the key exchange and verified authentication is successful. In the authorized_keys
file on the remote host that you are backing the /home
directory from, you can add a command=
directive to the key that is used by the user backups
. This directive will only allow that command to be run when that key is used for authentication. So the first field of the key would look similar to this:
command="/path/to/sudo /path/to/rsync -az /home /local/folder" ssh-rsa AAAAB3NzaC1yblahblahblah
You can go even further and add more options to the key, such as from=myhost,no-pty,no-X11-forwarding
.
This should give you decent security and not require you to modify the underlying file system permissions. You will probably need to play with the command that you place in the authorized_keys
file until it works like you expect; it may take a bit to wrap your brain around it. The command specified in the authorized_keys
will basically override the rsync
options you will pass from the connecting host.
Lots of good information in man sshd
. You want to specifically read the AUTHORIZED_KEYS FORMAT section.
Create a read-only view of that directory in a different location. You can do that with bindfs.
Let's say that the directory in question is /home/confidential/reboot
and that you want to give read-only access to the users in the group mygroup
. Create a directory /views/mygroup/reboot
which is accessible to that group.
mkdir -p /views/mygroup/reboot
chown root:mygroup /views/mygroup
chmod 750 /views/mygroup
Create the read-only view with bindfs
. The bindfs process must have the permission to read the files and to access the mount point; here you would presumably run it as root.
bindfs -p a-w /home/confidential/reboot /views/mygroup/reboot
If the files under /home/confidential/reboot
are not readable by the users in mygroup
and you want to make them so, change the permissions specification to -p a=rX
.
To create the read-only view at boot time, add it to /etc/fstab
:
bindfs#/home/confidential/reboot /views/mygroup/reboot fuse perms=a=rX
Best Answer
You should set necessary directory permissions. For directories they are:
For files the situation is similar, it's quite obvious, so you can handle it on your own.
Numeric these permissions:
To edit permissions use
chmod
. Usage:chmod xyz <file or directory>
Example:
jack and jack's group will have read+write access to /home/jack and all it's sub-directories. The rest will have only read access.
-R
option here used to recursively set permissions.Other example:
will give jack full access to
/home/jack/video
directory. See also:chown
,chgrp
for changing owner and owning group.