I can't remove administrator rights

I can't remove administrator rights from a newly added user using the command pw user mod ii -G ''. The user freely enters other people's directories and reads everything there. I added him without administrator rights.

vipw:
Code:
1002:1002::0:0:User &:/home/ii:/bin/sh
 
What administrator privileges? There's no such thing on UNIX.

The user freely enters other people's directories and reads everything there.
Has nothing to do with "administrator" privileges. User home directories typically have 755 permissions. That means the 'other' group has read/execute access. The 'other' group includes everyone and everything.

 
Hmmm ...
How can I make it so that one user cannot enter someone else's directory? Otherwise, it turns out that one user calmly copies files to another user.
In Linux, for example, initially a user cannot enter another user's directory.
 
What administrator privileges? There's no such thing on UNIX.


Has nothing to do with "administrator" privileges. User home directories typically have 755 permissions. That means the 'other' group has read/execute access. The 'other' group includes everyone and everything.

wheel
Code:
## User privilege specification
##
root ALL=(ALL:ALL) ALL
1 ALL=(ALL:ALL) ALL
 
I have had NAT on a FreeBSD server for 12 years, and sometimes I look there to change the firewall script rules. I still have unbound running there. I don't need anything else. But I constantly work on Arch Linux, which is why I resort to the services of the forum.
 
Well, in general, I found a Solomonic solution: in order not to bother with the rights to user directories, I moved my files to the root directory.
 
What you first need to understand is that:
  • root is the only user that can do everything the Unix'ish base OS itself can. Even if file flags such as SCHG hesitate to obey root, root can change the flags.
  • wheel is the only group whose members can su to root.
  • So NO user who is NOT required/authorized to do administrative tasks that only root can do SHALL belong to wheel, regardless of primary or member group.
These are not precise enough, but you need to know them in the first place.
In the real world, including ports and programs in the wild, more things could affect and modify parts of the behavior above (security/sudo, security/doas, sysutils/polkit, ...).
 
In Linux, for example, initially the user cannot enter another user's directory
On Ubuntu 24.04 it's because the user home directory created by adduser has no "other" permissions, basically what you get if you run the command SirDice has in #9.

It was not always this way; the typical home directory permission was other having read (r) and execute (x).
There is a "-M" option that sets the mode on the created home directory; 0750 gives user=rwx, group=rx, other=none. You may also be able to configure it globally in /etc/adduser.conf.
 
Looks like adduser on Ubuntu 24.04 has the directory permissions defaulting to 0750 in the code itself, with FreeBSD defaulting to 0755.
Not sure exactly when they made this change (some info implies maybe 21.04), but it may be one of those "reasonable defaults" for multi-user systems.
 
OP, it sounds like you are talking about files on the FreeBSD server, is that correct? There are multiple user accounts on that server with home directories?
If so, I think a more correct solution is to have someone with sudo/su privileges set at least your user directory to mode 0750. Not sure if you can do that; it would be to log in to your home directory, then cd .. to /home and chmod -R o-rwx /home/yourusername. Not sure if that would modify something in /home or just your /home/username.
 
Meet me at Railway One; we have to check out a valve in a tank that is about 140F. My clothes were totally soaked when I got out. Mind over matter.
 
Let's all stay friendly, no need to raise the tension.

The user freely enters other people's directories and reads everything there.
If you don't want the users to have access to other users' home directories, set each home directory's permissions so that only the user who owns the directory has access.

Example:
Code:
# ls -l
total 43
drwxr-xr-x  2 anne  anne  9 Jul  1 16:54 anne
drwxr-xr-x  2 betty betty 9 Jul  1 16:54 betty
drwxr-xr-x  2 carl  carl  9 Jul  1 16:54 carl
drwxr-xr-x  2 donna donna 9 Jul  1 16:54 donna
drwxr-xr-x  2 erik  erik  9 Jul  1 16:54 erik
In this setup all users can access other users' home directories.

Change permissions so that only the user who owns the directory has access (see chmod(8) MODES for details).
Code:
# chmod  700 *

# ls -l
total 43
drwx------  2 anne  anne  9 Jul  1 16:54 anne
drwx------  2 betty betty 9 Jul  1 16:54 betty
drwx------  2 carl  carl  9 Jul  1 16:54 carl
drwx------  2 donna donna 9 Jul  1 16:54 donna
drwx------  2 erik  erik  9 Jul  1 16:54 erik
These permissions allow only the user who owns the directory to enter it (except the "root" user).

For the next users to be created, use for pw(8) the -M 700 option, and for adduser(8) when asked at "Home directory permissions: 700".

Well, in general, I found a Solomon solution: in order not to bother with the rights to user directories, I moved my files to the root directory
Note that the root directory grants all users in the "wheel" group permission to enter the directory:
Code:
#  ls -ld /root
drwxr-x---  17 root wheel 31 Jul  1 11:17 /root
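As an added example (the editor's, not code from the thread), a POSIX sh script that turns the two points raised in this thread into checks an admin can run: who is actually listed in wheel (the closest thing to "administrator rights" here), and which home directories still give the "other" class any access, with the same chmod 700 lock-down shown in the listing above. All sample data is constructed in a temporary directory (a five-user /home-style tree and a small group(5)-style file in which "ii" has been put into wheel), so it never touches the real /etc/group or /home unless you pass those paths in yourself. The only FreeBSD-specific command, pw's -M 700 for newly created users, is left as a comment because it cannot be exercised on an arbitrary test host.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits wheel membership
# from a group file and locks down home directories exposed to "other".
# For users created later on FreeBSD, the post above recommends
#   pw useradd NAME -m -M 700
# so the home directory starts out as 0700 instead of 0755.

# Print the members of group $2 listed in group file $1, one per line.
# Only the member field is read; a user whose primary gid equals the
# group's gid does not appear here (check passwd(5) for that case).
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ",");
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Exit 0 if user $3 is listed as a member of group $2 in group file $1.
is_member() {
    group_members "$1" "$2" | grep -qx "$3"
}

# The "other" permission triplet of a path, e.g. "r-x", taken from
# ls(1) so it works unchanged on FreeBSD and Linux (stat(1) flags differ).
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# List directories directly under $1 whose "other" class has any access.
find_exposed_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        case "$(other_bits "$d")" in
            ---) ;;
            *)   printf '%s\n' "$d" ;;
        esac
    done
}

# chmod 700 every exposed directory under $1 (the "chmod 700 *" from the
# post) and print how many remain exposed afterwards; 0 means success.
lock_down_homes() {
    find_exposed_homes "$1" | while IFS= read -r d; do
        chmod 700 "$d"
    done
    find_exposed_homes "$1" | wc -l | tr -d ' '
}

# Constructed sample data mirroring the thread: five 0755 home
# directories and a group file in which "ii" was (wrongly) added to wheel.
make_sample() {
    base=$(mktemp -d)
    mkdir "$base/home"
    for u in anne betty carl donna erik; do
        mkdir -m 755 "$base/home/$u"
        echo "private notes of $u" > "$base/home/$u/notes.txt"
    done
    printf 'wheel:*:0:root,ii\nii:*:1002:\n' > "$base/group"
    echo "$base"
}

# Stand-alone demonstration on the constructed tree only.
demo() {
    base=$(make_sample)
    echo "wheel members: $(group_members "$base/group" wheel | tr '\n' ' ')"
    echo "exposed before lock-down:"
    find_exposed_homes "$base/home"
    echo "remaining exposed after lock-down: $(lock_down_homes "$base/home")"
    rm -rf "$base"
}
demo
```

To audit a real host, call the functions with the live paths, for example group_members /etc/group wheel and find_exposed_homes /home; run lock_down_homes /home only as root and only after reviewing the list, since it changes every exposed directory at once.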
 