I added a new user guest in a new group guest via the shell.
I executed a chmod o-rwx for all directories under /home except guest and storage.
When using the shell, everything worked as expected. User guest could only enter /home/guest and /home/storage.
Unfortunately, via the web interface (filemanager) user guest could read all directories under /home and enter the first directory level. Which means it was still possible to see the files and directories under /home/someone.
What did I do wrong?
ls -l /home
drwxr-x--- 2 admin admin 4096 2008-10-03 23:57 admin
drwxr-xr-x 4 guest guest 4096 2008-10-17 00:17 guest
drwxr-x--- 4 someone users 4096 2008-10-07 23:21 someone
drwx------ 2 root root 16384 2008-10-07 23:52 lost+found
drwxrwxrwx 6 root users 4096 2008-10-07 22:09 storage
drwxrwx--- 4 www-data users 4096 2008-10-07 23:53 web
Peter
New user's registration have been closed due to high spamming and low trafic on this forum. Please contact forum admins directly if you need an account. Thanks !
Problem with groups and filemanager
Hi all.
First post.
I've followed the discussions in the Excito forum for about a week (since I bought BubbaTwo)
I'm in the process of doing somehting similar to what Peter mentioned.
Creating a "Guest" account with limited access to shared files on the BubbaTwo.
Although instead of allowing "guest" to access /home/storage, I limit guest's access to a folder called /home/share (guests's home folder). This is to limit guest's access to family pictures stored in /home/storage for instance. But still allow members of users to access /home/storage with chmod 770
Guest-account is not a part of users-group, only part of guest-group.
/home/share belongs to guest-group, rather than users
All home folders of users are chmod 700. For some reason guest will have access to users folders with 770 or equivalent, as long as it's not 0 via webinterface, even though it's not a member of group users.
Guest home folder is 777.
Peters problem remains. User guest can access all of users groups folders via web-interface, even though it's not a member of this group. FTP-access works as planned, that is limited access to all 770-folders belonging to users-group. Shell access is turned off for guest.
Any thoughts?
I'd say the evidence points to Bubba Twos webinterface somehow. Maybe the webadmin interface recognizes all users as part of group users?
------
Another thing, for Firefly to work properly, I added user mt-daapd (running Firefly) to users group (to grant access to /home/storage) (user mt-daapd still a member of nogroup), is this maybe a security hazard? Is it possible to use mt-daapd user account to access information on BubbaTwo from shell/ftp?
Thanks
Jonathan
First post.
I've followed the discussions in the Excito forum for about a week (since I bought BubbaTwo)
I'm in the process of doing somehting similar to what Peter mentioned.
Creating a "Guest" account with limited access to shared files on the BubbaTwo.
Although instead of allowing "guest" to access /home/storage, I limit guest's access to a folder called /home/share (guests's home folder). This is to limit guest's access to family pictures stored in /home/storage for instance. But still allow members of users to access /home/storage with chmod 770
Guest-account is not a part of users-group, only part of guest-group.
/home/share belongs to guest-group, rather than users
All home folders of users are chmod 700. For some reason guest will have access to users folders with 770 or equivalent, as long as it's not 0 via webinterface, even though it's not a member of group users.
Guest home folder is 777.
Peters problem remains. User guest can access all of users groups folders via web-interface, even though it's not a member of this group. FTP-access works as planned, that is limited access to all 770-folders belonging to users-group. Shell access is turned off for guest.
Any thoughts?
I'd say the evidence points to Bubba Twos webinterface somehow. Maybe the webadmin interface recognizes all users as part of group users?
------
Another thing, for Firefly to work properly, I added user mt-daapd (running Firefly) to users group (to grant access to /home/storage) (user mt-daapd still a member of nogroup), is this maybe a security hazard? Is it possible to use mt-daapd user account to access information on BubbaTwo from shell/ftp?
Thanks
Jonathan
I upgraded to version 1.1.2 today (7-feb-2009).
After that I tested the guest account issue again.
Unfortunately it still isn't fixed: user guest can still access the files as if it was a member of group "users".
In the previous version I made some small changes in the file backend.pl.
I could not locate the same functions in Bubba version 1.1.2. but after some searching I found the new location of the files I had modified before.
Now I had to modify two files (exactly the same modification in both files):
/usr/share/perl5/Bubba.pm
and
/usr/share/perl5/auto/Bubba/su.al
(su.al is derived from Bubba.pl with AutoSplit)
Inside these files look for subroutine su and add the code between # peters modification and # end of peters modification:
This makes sure that the user gets the same group as specified in the password file in stead of the hardcoded group "users".
After this modification user "admin" can't access all files of group "users".
To have access again, execute the following command via su:
Perhaps someone of Excito could have a look at my modification and add it to the next update or give me comment in case I miss something (e.g. with respect to security). If any other user sees I miss something, please let me know.
After that I tested the guest account issue again.
Unfortunately it still isn't fixed: user guest can still access the files as if it was a member of group "users".
In the previous version I made some small changes in the file backend.pl.
I could not locate the same functions in Bubba version 1.1.2. but after some searching I found the new location of the files I had modified before.
Now I had to modify two files (exactly the same modification in both files):
/usr/share/perl5/Bubba.pm
and
/usr/share/perl5/auto/Bubba/su.al
(su.al is derived from Bubba.pl with AutoSplit)
Inside these files look for subroutine su and add the code between # peters modification and # end of peters modification:
Code: Select all
sub su{
my($name,$group)=@_;
my $new_uid=getpwnam($name);
if(!defined($new_uid)){
die "Could not get uid of user [$name]";
}
# peters modification
my($mynam, $mypw, $myuid, $mygid, $myquo) = getpwnam($name);
$group = getgrgid($mygid);
# end of peters modification
my $new_gid=getgrnam($group);
if(!defined($new_gid)){
die "Could not get gid of group [$group]";
}
my $groups=getusergroups($name).$new_gid;
After this modification user "admin" can't access all files of group "users".
To have access again, execute the following command via su:
Code: Select all
usermod -G users adminJood job, Peter. Thanks alot!peter wrote:
Perhaps someone of Excito could have a look at my modification and add it to the next update or give me comment in case I miss something (e.g. with respect to security). If any other user sees I miss something, please let me know.
Hope to see Excito implement your code as "official", if nothing else stands in the way.