/home/bill/System_maintenance/ssh/access notes.txt
www.BillHowell.ca 21Dec2015 initial

**************** ToDos
21Dec2015 resetting "x" file permissions :
- remove "x" permissions for non-executable files
- keep "x" permissions for executable files
- keep "x" permissions for directories for viewing

*********************
************ 10Aug2016 create ssh directory /home/IJCNN, then add mass email list and confirmations
sudo mkdir /home/IJCNN
sudo groupadd ijcnn
sudo chown bill:ijcnn /home/IJCNN
sudo usermod -G ijcnn bill
sudo usermod -G ijcnn astle

Transfer files from /media/bill/USB DISK/Projects/Diversity :
160808 IJCNN a mass email list.txt
160808 IJCNN a mass email list part 2 confirmation.txt
160808 IJCNN a mass email list part 3 confirmation.txt
Use FireFTP to transfer to sh /home/bill/Documents
>> OK
Use nemo on ssh to move the files to /home/IJCNN
>> OK, but I should have FTP'd directly to /home/IJCNN!, which I did for 160808 IJCNN a mass email list part 1.txt

*************** 17Dec2015 Testing of permissions for diversity_public (vanwagner) SOLVED 17Dec2015
+-----+
!!!!! IMPORTANT!! - prevent user ID from substituting for group

From yesterday :
. Maybe the "trailing slash" / makes the difference?
. Maybe try logout bill, only use vanwagner?

bill: /home/bill/diversity/batch_access.sh
try :
. Maybe the "trailing slash" / makes the difference?
for /home/diversity add :
chgrp diversity_public /home/diversity/diversity_admin
chgrp diversity_public /home/diversity/diversity_member
chgrp diversity_public /home/diversity/diversity_public
for /home/diversity/diversity_[admin,member,public] a trailing "/" :
chgrp diversity_admin /home/diversity/diversity_admin/
chgrp diversity_member /home/diversity/diversity_member/
chgrp diversity_public /home/diversity/diversity_public/

bill$ sudo bash /home/bill/diversity/batch_access.sh
>> OK
vanwagner$ cd /home/diversity
vanwagner$ ls diversity_public
>> same problem : errors but lists contents
vanwagner$ nemo &
>> same problem - lists, but no file info
nyet - wait...
try chmod -R o-w "/home/diversity/diversity_public"
>> nyet, same problem

search : Linux "user groups" setting access controls
http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
mentions Access Control Lists (ACLs)!!
Ubuntu Unleashed p529-533 -> for SQUID

+-----+
!!!!! IMPORTANT!! - prevent user ID from substituting for group :
http://unix.stackexchange.com/questions/195466/setting-multiple-groups-as-directory-owners
answered Apr 21 at 20:02 TechZilla

This is an extremely common problem, if I understand it accurately, and I encounter it constantly. If I used ACLs for every trivial grouping problem, I would have tons of unmanageable systems. They are only best practice when you cannot do it any other way, not for this situation. This is the method I very strongly recommend.

First you need to set your umask to 002, this is so a group can share with itself. I usually create a file like /etc/profile.d/firm.sh, and then add a test command with the umask.
[ $UID -gt 10000 ] && umask 002

Next you need to set the directories to their respective groups,
chgrp -R FirmA /srv/svn/FirmA
chgrp -R FirmB /srv/svn/FirmB
chgrp -R FirmC /srv/svn/FirmC

Finally you need to set the SGID bit properly, so the group will always stay to the one you set. This will prevent a written file from being set to the writer's GID.
find /srv/svn/FirmA -type d -print0 | xargs -0 chmod 2775
find /srv/svn/FirmB -type d -print0 | xargs -0 chmod 2775
find /srv/svn/FirmC -type d -print0 | xargs -0 chmod 2775
find /srv/svn/FirmA -type f -print0 | xargs -0 chmod 664
find /srv/svn/FirmB -type f -print0 | xargs -0 chmod 664
find /srv/svn/FirmC -type f -print0 | xargs -0 chmod 664

Now finally if you want to prevent the directories from even being accessed by other users.
chmod 2770 /srv/svn/FirmA
chmod 2770 /srv/svn/FirmB
chmod 2770 /srv/svn/FirmC

+-----+ Sticky bit
https://www.linode.com/docs/tools-reference/linux-users-and-groups
When set on a file or directory, the sticky bit, or +t mode, means that only the owner (or root) can delete the file, regardless of which users have write access to this file/directory by way of group membership or ownership. This is useful when a file or directory is owned by a group through which a number of users share write access to a given set of files. To set the sticky bit on a file named /root/sticky.txt, issue the following command:
chmod +t /root/sticky.txt

+-----+
17Dec2015 11:39 - I give up for now, this is taking too much time. I am, however, making glacial progress.

*************** 16Dec2015 Testing of mebsite pages - copied-over, access-controlled,
+-----+
User : bill
Works beautifully, in spite of changing from laptop to ssh:, links work.
I didn't try to make changes, but none was in "read-only" mode
Can an environmental variable be used in document links? This would make it far more portable (eg mirror sites, personal computers).

+-----+
User : vanwagner
Had I forgotten to add to groups via /home/bill/diversity/batch_users.sh?
NO - she is a member of diversity_public
Access :
/home/diversity/diversity_member/
. CAN list files (should not be able to list! - change "other" to no see?)
. but cannot read them
/home/diversity/diversity_member/References
. CANNOT list files
/home/bill/
. Yikes - CAN read files (not edit)
. I have to continually reset my directories just in case...
Mebsite : /home/diversity/diversity_public
. can see files in root, but cannot list subdirectories (oops...)
. access to mebsite files was denied! (needs x(execute) access?
/etc/passwd
. can read, but not edit (oh-oh!)

+-----+
User : vanwagner AFTER re-setting access via /home/bill/diversity/batch_access.sh
vanwagner$ ls [/home/bill, /home/astle]
>> OK cannot
vanwagner$ ls /home/diversity
>> OK can, BUT
vanwagner$ ls /home/diversity/diversity_public
>> strange error : "ls: cannot access /home/diversity/diversity_public/Pictures: Permission denied.
>> and yet it IS listed!?
vanwagner$ cd /home/diversity
>> OK
vanwagner$ ls
>> OK
vanwagner$ ls diversity_public
>> same strange error : but still lists!?
vanwagner$ cd diversity_public
>> OOPS : Permission denied!
..Back to bill workspace
added to /home/bill/diversity/batch_access.sh :
chmod -R o+r /home/bill/diversity_public
bill$ sudo bash /home/bill/diversity/batch_access.sh
>> OK, now back to vanwagner workspace
vanwagner$ cd diversity_public
>> error : Permission denied
>> do I need "x" access as well?
bill$ ... reran batch_access.sh with x added
vanwagner$ cd diversity_public
>> again Permission denied
logout and login
vanwagner$ cd diversity_public
>> still didn't work
try nemo
>> error : Couldn't connect to acessibility bus
>> but nemo came up anyways
>> nemo lists diversity_public! no permissions, info shown for files
clicked on home.odt
>> LibreOffice tries to start up ...
>> error : access to /home/diversity/diversity_public/home.odt was denied
It's too late, and I'm tired - set aside for tomorrow...
Tomorrow
. Maybe try logout bill, only use vanwagner?
. Maybe the "trailing slash" / makes the difference?

*************** 16Dec2015 FireFTP basic files to diversity_public
close ssh session
mkdir /home/bill/diversity
$ sudo -i :
. using nemo, move all files
. from Toshiba user diversity_[public,member, admin]
. to /home/bill/diversity/[]
from FireFox, FireFTP
. copy files to appropriate directories

+-----+ Problem of file/directory permissions
OOPS! I forgot to put myself in all GroupWare groups!
after : still couldn't do :
check that bill is in group:diversity_public :
$ groups bill
>> yes, I am a member of diversity_public
try cp of ssh:bill to ssh:diversity_public from ssh
>> using nemo - couldn't do it
login as diversity_public, and set access!!
>> then all public can change? - BAD!
hmm, better to have diversity_member as owner, & members can read&write, create
login as bill
$ sudo chown -R diversity_member /home/diversity/diversity_public
>> need to put OWNER & GROUP to diversity_member
$ sudo chown -R diversity_member:diversity_member /home/diversity/diversity_public
>> OK, but also need to change group access permissions :
$ sudo chmod -R g+rw /home/diversity/diversity_public
>> OK, now try to copy over ssh:bill files to /home/diversity/diversity_public
nemo -> OK, it worked!!

+-----+ Re-try FireFTP now! Great!!
next - diversity_member, I did the same thing :
$ sudo bash /home/bill/diversity/users_batch.sh
which had :
chgrp -R diversity_member /home/diversity/diversity_member
chmod -R g+rw /home/diversity/diversity_member
chmod -R o-wx /home/diversity/diversity_member
>> chgrp didn't work!?!?!??
....I won't do diversity_admin at this time, not needed for demo
enddoc
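Added example (not from these notes and not the script TechZilla posted): one shell script that covers two points above. First, it applies the setgid group-share recipe quoted from the StackExchange answer, but keeps the "x" bit on files that already had it, which is what the "resetting x permissions" ToDo at the top asks for and what a blanket chmod 664 would destroy. Second, it reproduces the diversity_public symptom recorded for vanwagner (ls lists the names but reports "cannot access", and cd is refused) by probing a directory that has r but not x. Everything is constructed in a temporary directory; the caller's own primary group stands in for diversity_public so it runs unprivileged, and it assumes GNU coreutils/findutils (stat -c, find -perm /111).

```shell
#!/bin/sh
# Added example, not part of the original notes. Paths, the sample tree and
# the group choice are constructed for the demonstration.
set -u

# share_tree DIR GROUP: group-own the tree, setgid + group-write on every
# directory (2770), group-write on files, and keep x only where it was set.
share_tree() {
    chgrp -R "$2" "$1" || return 1                  # caller must be in GROUP (or root)
    find "$1" -type d -exec chmod 2770 {} +          # setgid: new files inherit GROUP
    find "$1" -type f ! -perm /111 -exec chmod 660 {} +   # plain data files
    find "$1" -type f   -perm /111 -exec chmod 770 {} +   # executables keep x
}

# mode_of PATH: octal mode including the setgid bit, e.g. 2770 (GNU stat).
mode_of() { stat -c %a "$1"; }

# probe_dir DIR: print "list=yes|no enter=yes|no" from the caller's viewpoint.
# Plain ls only needs r (readdir); cd, stat and ls -l need x (search).
probe_dir() {
    if ls "$1" >/dev/null 2>&1; then l=yes; else l=no; fi
    if ( cd "$1" ) 2>/dev/null;   then e=yes; else e=no; fi
    echo "list=$l enter=$e"
}

# build_tree: constructed sample tree resembling diversity_public; prints its root.
build_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/share/Pictures"
    printf 'hello\n' > "$t/share/home.odt"                 # data file
    printf '#!/bin/sh\necho hi\n' > "$t/share/batch_access.sh"
    chmod 755 "$t/share/batch_access.sh"                     # executable file
    echo "$t"
}

# run_share: apply share_tree to the sample tree; print "dirmode filemode scriptmode".
run_share() {
    t=$(build_tree)
    share_tree "$t/share" "$(id -gn)"
    echo "$(mode_of "$t/share/Pictures") $(mode_of "$t/share/home.odt") $(mode_of "$t/share/batch_access.sh")"
    rm -rf "$t"
}

# run_rx MODE: probe a directory of MODE as its owner (root bypasses these checks).
run_rx() {
    t=$(mktemp -d)
    mkdir "$t/d"; touch "$t/d/f"
    chmod "$1" "$t/d"
    probe_dir "$t/d"
    chmod 700 "$t/d"; rm -rf "$t"
}

echo "share_tree modes (dir file script): $(run_share)"   # 2770 660 770
echo "mode 400: $(run_rx 400)"   # non-root: list=yes enter=no  (the "lists but cannot access" case)
echo "mode 100: $(run_rx 100)"   # non-root: list=no  enter=yes
echo "mode 500: $(run_rx 500)"   # list=yes enter=yes
```

The mode-400 probe is the vanwagner situation: "other" had read on the directory, so the names came back, but without the execute (search) bit neither stat nor cd is permitted, hence "ls: cannot access ...: Permission denied" alongside a listing. Giving the group rwx on directories (the 2770 in share_tree) resolves it for members. Two caveats for the commands recorded above: usermod -G without -a replaces the user's whole supplementary-group list rather than adding to it, so usermod -aG is the safer form; and the chmod -R o+r line added to batch_access.sh on 16Dec names /home/bill/diversity_public while the tests were run against /home/diversity/diversity_public, which is worth checking when a permission change appears to have no effect.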