Help with permissions

[Jcb1974]

All,

I've got a number of students who can access one another's folders. This is, of course, bad.

root@topeka:/store/homes/hs/students # getfacl zunigab
# file: zunigab
# owner: 600346
# group: wheel
        group:2029:r-x---a-R-c--s:fd----:allow
    user:sysbackup:r-x---a-R-c--s:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:rwxp--a-R-c--s:------:allow

I just want the folder owner to be able to access the folder, that's it. I have little experience with ACL's. Can someone help me?

Warmest regards,

Joel

 

[ShelLuser]

Re: Help with permissions...

If you don't have experience with ACL's then why use them?

In a scenario where only the user should be able to access his home directory I'd simply use chmod to set the permission bits. For example set them to something like 750. When keeping your current situation in mind where the UID is set to the actual user and the GID is set to wheel you don't even need that extra sysbackup user; just make him part of the wheel group and he'll be able to access the directory.

Which brings me to that subject.. Although doable I'd advise against using a non-privileged account for making backups, especially when it comes to home directories. The problem here is that although sysbackup might be able to access the directory itself; this does not automatically give him access to everything beyond. Unlike a Windows environment the permissions do not "flow through".

In other words; it's quite possible for a user to create a new file which ends up being inaccessible for the sysbackup user. And that can compromise your backup strategy quite drastically.

 

[Jcb1974]

@ShelLuser,

Thanks so much for responding. I inherited the position and am out of my depth, but learning fast. So I can strip ACL's and chmod everything 750? I have over 900 high school students, (about the same number of middle school students) will I have to touch each of them individually, or is there a way to automate this? Thanks again! (I don't even know who sysbackup is. I presumed it was a user my predecessor created for a cron job.)

 

[ShelLuser]

Considering that you inherited this stuff I'd first make sure that you know what's running on it. This is just an assumption, but that sysbackup user name makes me suspect that account to be used for making backups. Well, obviously you don't want to risk creating a situation where you're effectively endangering the consistency of your backups.

As to your question; basically anything can be automated in a Unix environment, but whether it's doable or not depends on the setup. For example; if all students have their directories located in one home directory then it'll be a lot easier than when you have them more separated.

Under normal circumstances you should be able to either issue a # chmod 750 * in the /home directory (thus assuming everything is located under /home) but if the amount of entries is too much then you may need to apply those settings on a per-directory basis. That can be done using a so called "for ... next" or "for ... each" loop (I often refer to all of those as "for ... next" because it's easy to understand and commonly recognized by anyone who has used Basic).

In a normal situation (so where the root user has the C Shell assigned to it) you could use something in the likes of:

/home # foreach a (*)
foreach? chmod 750 $a
foreach? end
/home #

This tells the C shell to go over each entry in the /home directory and assign it to the variable a. Then you use chmod to apply the value of 750 to the variable a which gets substituted with the name of one of the directory entries in /home.

But, as mentioned above, be very careful when issuing commands like these and be sure that this is what you're after.

 

[Jcb1974]

Thanks again @ShellLuser ever so much. The setup is similar to what you describe, our five schools broken out into a single homes directory, which is then subdivided into our various schools, with staff and student directories. I am confident that I can do as you prescribe without impacting anything. It can only get better from here.

Coincidentally, I'll be moving to the Netherlands in five months, Rotterdam area. Ablasserdam actually, in Kinderdijk. Can't wait! Thanks again!

 

[Jcb1974]

How would I just strip the ACL's from the folders/files? It seems it's creating more of a problem than it solved. I didn't put them in place, my predecessor did, and I don't see that they serve a purpose. I presume this would be done with a setfacl command? Or would I just delete the acl_file?

 

[ShelLuser]

How would I just strip the ACL's from the folders/files?

As always in situations like this; start by turning to the setfacl(1) manual page. The -b option looks quite useful here.

But as I mentioned earlier simply applying a permission bit will also remove these entries. At least that's what I see happening on ZFS, I can't say for sure if this behaviour would be different on UFS (but I doubt it):

smtp2:/home/peter/temp $ ls -lo check
-rwxr-x---  1 peter  peter  - 252 Nov  4 16:50 check
smtp2:/home/peter/temp $ getfacl check
# file: check
# owner: peter
# group: peter
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
smtp2:/home/peter/temp $ setfacl -m g:wheel:rwx::allow check
smtp2:/home/peter/temp $ getfacl check
# file: check
# owner: peter
# group: peter
=>       group:wheel:rwx-----------:------:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
smtp2:/home/peter/temp $ chmod 750 check
smtp2:/home/peter/temp $ getfacl check
# file: check
# owner: peter
# group: peter
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow

 

[SirDice]

This one quite concerns me actually:

everyone@:rwxp--a-R-c--s:------:allow

That says that everyone has, not only read access, but also write access to anyone else's home directory. Not a situation you want to keep.

It's not a 'big' ACL. The ACL consists of permissions for the sysbackup user, read access for anyone in the group 2029(?) and the 'normal' UNIX permissions. So simply setting the home directories to 700 should prevent users from reading and writing each other's home directory. You could add read access for the group but since it's set to wheel it probably won't make a lot of difference. Also find out what group ID 2029 is and who's a member of it. Those people have read access to the home directories.

 

[Jcb1974]

Group 2029 is the "Students" group for the High School. Which, technically speaking, no one student should even have read access to any other students network share. Only faculty staff should. Thanks for the heads up.