File Permissions
| Action | --- | r-- | -w- | --x | rw- | r-x | -wx | rwx | r-s |
|---|---|---|---|---|---|---|---|---|---|
| read (cat file) | no | yes | no | no | yes | yes | no | yes | |
| write, append (ls /tmp >> file) | no | no | yes | no | yes | no | yes | yes | |
| write, overwrite (ls /tmp > file) | no | no | yes | no | yes | no | yes | yes | |
| remove file | yes* | yes* | yes | yes* | yes | yes* | yes | yes | |
| execute a script | no | no | no | no | no | yes | no | yes | yes** |
yes*: rm asks "rm: remove write-protected file 'filename'?" for these files; answering "yes" removes them, and "rm -rf file" removes them without any prompt. Whether a file can be removed is controlled by the permissions of the directory, not of the file itself.
yes**: the file runs with the permissions of its owner (set-user-ID) or of its group (set-group-ID) rather than those of the user who started it.
Directory Permissions
| Action | --- | r-- | -w- | --x | rw- | r-x | -wx | rwx |
|---|---|---|---|---|---|---|---|---|
| cd into directory | no | no | no | yes | no | yes | yes | yes |
| ls directory | no | yes* | no | no | yes* | yes | no | yes |
| file name completion | no | yes | no | no | yes | yes | no | yes |
| create new file in dir. | no | no | no | no | no | no | yes | yes |
| read file in dir. | no | no | no | yes | no | yes | yes | yes |
| modify file in dir. | no | no | no | yes | no | yes | yes | yes |
| remove files | no | no | no | no | no | no | yes | yes |
| execute script | no | no | no | yes | no | yes | yes | yes |
ls = yes*: only the file names are listed, each with an error; no other file attributes (size, owner, mode) can be shown, because reading attributes requires x on the directory. File name completion works in these cases as well.
t - save text attribute (sticky bit): a user may delete or modify only those files in the directory that they own or have write permission for (as on /tmp).
s - set group ID: files created in that directory get the group of the directory instead of the group of the user who created them.
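As an added example (not part of the original page), the following Python model implements the rules the two tables and the t/s notes describe: file rights come from the file's own bits, creation and removal are directory rights, and the sticky bit narrows removal to owners. It assumes a simplified kernel (no root bypass, no ACLs) and that running a script needs read and execute on the file plus search (x) on its directory.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """A file or directory: permission bits plus owner and group."""
    mode: int  # e.g. 0o1777 for a sticky, world-writable directory
    uid: int
    gid: int


def rwx(node, uid, gids):
    """(r, w, x) that user `uid` with groups `gids` holds on `node`."""
    shift = 6 if uid == node.uid else 3 if node.gid in gids else 0
    p = (node.mode >> shift) & 0o7
    return bool(p & 4), bool(p & 2), bool(p & 1)


def can(action, directory, uid, gids, file=None):
    """Evaluate one table row: `action` by `uid` inside `directory`.

    Directory-only actions: "cd", "ls", "create". File actions, which
    need `file`: "read", "write", "execute", "remove". Constructed model
    (no root bypass, no ACLs), not kernel code.
    """
    dr, dw, dx = rwx(directory, uid, gids)
    if action == "ls":
        return dr          # listing needs r; attributes would also need x
    if action == "cd":
        return dx
    if not dx:             # every other action must traverse the directory
        return False
    if action == "create":
        return dw
    if action == "remove":
        # unlinking is a directory right; the sticky bit (t) narrows it to
        # the file's owner or the directory's owner, as on /tmp
        if not dw:
            return False
        if directory.mode & stat.S_ISVTX:
            return uid in (file.uid, directory.uid)
        return True
    fr, fw, fx = rwx(file, uid, gids)
    # a script must be readable by its interpreter as well as executable
    return {"read": fr, "write": fw, "execute": fr and fx}[action]
```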
If you want two users who are in different groups to have full access to the same directory, create a new group and add both users to it:
addgroup newgroup
adduser user1 newgroup
adduser user2 newgroup
chown root:newgroup /directory
chmod 775 /directory
You do not need to use group ID (s-Flag).
You can use these commands to set 755 on all directories and 644 on all files below the current directory:
find -type f -exec chmod 644 {} \;
find -type d -exec chmod 755 {} \;
apt-get install scponly
gunzip /usr/share/doc/scponly/setup_chroot/setup_chroot.sh.gz
chmod 755 /usr/share/doc/scponly/setup_chroot/setup_chroot.sh
cd /usr/share/doc/scponly/setup_chroot/
./setup_chroot.sh /home/USERNAME USERNAME RELATIVE_WRITEABLE_DIR
cp /dev/null /home/USERNAME/dev
optionally: cp /etc/group /home/USERNAME/etc
Hint: an interactive login via ssh is not possible with scponly, but port forwarding still works.
chroot a user logging in via ssh
apt-get install libpam-chroot
less /usr/share/doc/libpam-chroot/examples/README.example
/usr/share/doc/libpam-chroot/examples/setup-chrootdir-shell.sh
/etc/security/chroot.conf:
+USERNAME /var/chroot/sshd/home/USERNAME
/etc/pam.d/login:
+session required pam_chroot.so
To copy all libraries a program is linked against (but not libraries it loads at runtime with dlopen) into our chroot, with CHROOTDIR set to the chroot directory:
ldd /usr/bin/program | awk '{if ($3 ~ /^[^ (]/) print $3}' | \
cpio -pdvuL $CHROOTDIR
Note that the awk filter only keeps lines of the form "name => /path (addr)"; the dynamic loader line (/lib64/ld-linux-*.so.* (addr)) has no third field and must be copied separately.