Permissions 

File Permissions


Action --- r-- -w- --x rw- r-x -wx rwx r-s
read - cat file no yes no no yes yes no yes
write - ls /tmp >> file no no yes no yes no yes yes
write - ls /tmp > file no no yes no yes no yes yes
remove file yes* yes* yes yes* yes yes* yes yes
executing a script no no no no no yes no yes yes**

yes*: These files gave a "rm: remove write-protected file 'filename'?" error. Saying "yes" removes these files. Also performing a "rm -rf" file removes the file without any warning. The ability to remove a file is controlled at the directory level.
yes**: execute a file with permission of owner or group

Directory Permissions


Action --- r-- -w- --x rw- r-x -wx rwx
cd into directory no no no yes no yes yes yes
ls directory no yes* no no yes* yes no yes
file name completion no yes no no yes yes no yes
create new file in dir. no no no no no no yes yes
read file in dir. no no no yes no yes yes yes
modify file in dir. no no no yes no yes yes yes
remove files no no no no no no yes yes
execute script no no no yes no yes yes yes

ls = yes* - Only the files are listed with error. No other file attributes are able to be listed. File name completion works in these cases as well.

t - Save text attribute (sticky bit): The user may delete or modify only those files in the directory that they own or have write permission for (/tmp).

s - Set group ID: files in that directory will have the group ownership as the directory, instead of than the group of the user that created the file


If you want to have full access to a directory with 2 different users in different groups make a new group and add both users.

addgroup newgroup
adduser user1 newgroup
adduser user2 newgroup

chown root:newgroup /directory
chmod 775 /directory

You do not need to use group ID (s-Flag).


You can use these commands to set 755 on directories and 644 on files

find -type f -exec chmod 644 {} \;
find -type d -exec chmod 755 {} \;


[ view entry ] ( 1072 views )   |  print article
scponly 
apt-get install scponly

gunzip /usr/share/doc/scponly/setup_chroot/setup_chroot.sh.gz
chmod 755 /usr/share/doc/scponly/setup_chroot/setup_chroot.sh
cd /usr/share/doc/scponly/setup_chroot/
./setup_chroot.sh /home/USERNAME USERNAME RELATIVE_WRITEABLE_DIR

cp /dev/null /home/USERNAME/dev

maybe cp /etc/groups /home/USERNAME/etc


HINT: login via ssh is not possible BUT PORTFORWARDING


[ view entry ] ( 664 views )   |  print article
ssh - chroot 
chroot a user logging in via ssh

apt-get install libpam-chroot

less /usr/share/doc/libpam-chroot/examples/README.example

/usr/share/doc/libpam-chroot/examples/setup-chrootdir-shell.sh

/etc/security/chroot.conf:
+USERNAME   /var/chroot/sshd/home/USERNAME

/etc/pam.d/login:
+session    required   pam_chroot.so


To copy all linked libs (but not libs loaded at runtime) of a programm to our chroot

ldd /usr/bin/pprogram | awk '{if ($3 ~ /^[^ (]/) print $3}' | \
cpio -pdvuL $CHROOTDIR


[ view entry ] ( 502 views )   |  print article

<<First <Back | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 |