Re: How to set up a read-only user account for a whole server with useradd ?



On Sep 19, 12:18 pm, bu...@xxxxxxxx (Carsten Eishold) wrote:
I want to set up a user SSH/telnet account with useradd. The user should have

- read-only permissions for ALL files on the server beginning with the root directory.

- write permission for recursively all files below the directory /user/home/newuser

How do I set up the account and the permissions correctly ?

Using the standard Unix permissions and values in /etc/passwd, what
you wish to do is not possible.
In other words, to answer your question, you can't.

Classic Unix permissions (not ACLs) are specified at the inode level.
You only get three settings: one set of values for accesses that come
from processes whose UID matches the UID of the file, another set of
values for accesses that come from processes whose GID matches the GID
of the file, and a third set of values for accesses that come from
processes who match neither UID nor GID of the file.

A single user in Linux will have a single UID (as defined in
/etc/passwd) and one or more GID values (as defined in /etc/passwd and
/etc/groups).

To gain read access to any file, a process started by that user must
either have read access through a UID match, a GID match, or an
"other" match. As "all files" would include files that are not owned
by a specific user, you can forget about the UID match (the "Owner"
permission bits). Similar argument goes for the GID match, as any
single user is not guaranteed to belong to the group that owns the
file, and you can't arbitrarily make all files be owned by a single
group without a negative impact. So, this just leaves the "Other"
match, which, of course, matches everyone.

So, there is no combination, per file, of permission bits that would
give a single specific user read-only access to all files in the
system without giving (unspecified) others the same permissions.
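The argument in the reply above can be checked mechanically. The following is an added example, not code from the original thread: it models the classic Unix permission decision (owner class if the UID matches, else group class if the file's GID is among the process's groups, else the "other" class; root's bypass of these checks is deliberately left out) and brute-forces all 512 nine-bit modes to look for one that lets a chosen user read a file without also letting an unrelated user read it. The UIDs, GIDs and account names below are constructed for the demonstration.

```python
from dataclasses import dataclass

# Read bits of the three classic permission classes.
R_USR, R_GRP, R_OTH = 0o400, 0o040, 0o004


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset  # primary group plus supplementary groups


@dataclass(frozen=True)
class Inode:
    uid: int   # owner
    gid: int   # owning group
    mode: int  # the nine rwxrwxrwx bits, e.g. 0o644


def can_read(proc: Process, f: Inode) -> bool:
    """Classic (non-ACL) Unix check: exactly one class is consulted, chosen by
    ownership, and the other classes are ignored even if they are more
    permissive. uid 0 is not special-cased here: the question is about an
    ordinary account."""
    if proc.uid == f.uid:
        return bool(f.mode & R_USR)
    if f.gid in proc.gids:
        return bool(f.mode & R_GRP)
    return bool(f.mode & R_OTH)


def modes_readable_only_by(target: Process, stranger: Process,
                           f_uid: int, f_gid: int) -> list:
    """Every nine-bit mode under which `target` can read a file owned by
    (f_uid, f_gid) while `stranger` cannot. Empty list means no per-file
    bit pattern can single out `target`."""
    hits = []
    for mode in range(0o1000):
        f = Inode(f_uid, f_gid, mode)
        if can_read(target, f) and not can_read(stranger, f):
            hits.append(mode)
    return hits


# Constructed accounts: the new read-only user, and an unrelated user.
NEWUSER = Process(uid=1001, gids=frozenset({1001}))
STRANGER = Process(uid=1002, gids=frozenset({1002}))

# Constructed file owned by some service account (uid/gid 33) that is neither user.
SERVICE_UID, SERVICE_GID = 33, 33


def demo() -> dict:
    # Newuser matches neither UID nor GID of the file, so only the "other"
    # class applies, and that class matches the stranger too: no modes.
    outsider = modes_readable_only_by(NEWUSER, STRANGER, SERVICE_UID, SERVICE_GID)
    # If newuser were added to the file's group, the group class would apply
    # to it alone: every mode with g+r set and o+r clear singles it out.
    member = Process(uid=1001, gids=frozenset({1001, SERVICE_GID}))
    as_member = modes_readable_only_by(member, STRANGER, SERVICE_UID, SERVICE_GID)
    return {"modes_as_outsider": len(outsider), "modes_as_group_member": len(as_member)}


if __name__ == "__main__":
    print(demo())
```

The group-member result shows why the reply dismisses the GID route as well: it only works per group, so covering "all files" would mean adding the user to every owning group on the box (or re-owning every file to one group), which is the negative impact the reply refers to.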

