web folder in bubba2 and specific access to a shared folder

Post by rewien » 25 Jan 2009, 08:06

Hello all,

1)
How can I secure my web folder in bubbatwo, so that I can only make changes in it and that it's still accessible for my website?

Now every user that I allow on bubbatwo can access its content and delete or copy them.


2)
How can I give a shared folder on bubbatwo, access to specific users and not all users?

Thanks,

Rewien

Post by kastrom » 26 Jan 2009, 16:48

I'm also interested in the answers to these questions.

/Kent

Post by Xet » 26 Jan 2009, 18:03

1) The easiest way would be to put your "unsecure" users in a special group, say "guest", and treat them as "others". You have to do the following as root.
Add a new group.

Code:

    groupadd guest

Let's pretend that you want to put your user "nisse" in that new group.

Code:

    usermod -g guest nisse

If you have created "nisse" via the web-admin, you might have to do

Code:

    usermod -G guest nisse

to remove him from the "users" group.

Set the correct permission to the web folder

Code:

    chmod o-rwx /home/web

My web-folder had permissions like that already, so you might not have to do the last step.

That's it, only members of the "users" group and the user "www-data" are now allowed to read or write the web-folder.

2) I'm not sure what you mean by "shared folder", but if it's a "windows share" you might want to look up the "valid user" directive for samba.

Post by peter » 27 Jan 2009, 12:10

Xet, what you describe is correct, but still things won't work as expected when using the filemanager (web interface). See my previous post
http://forum.excito.net/viewtopic.php?t ... ight=peter

Meanwhile I discovered the problem: the web interface code uses a lot of hardcoded strings for the groupname. Instead of the actual groupname, the groupname "users" is used.

To fix this I made a few changes in the file /usr/lib/web-admin/backend.pl (although I'm not a php programmer).

Post by Xet » 27 Jan 2009, 14:40

I kinda "knew" that the web-interface would be trouble...

One thing left, beside rewriting the web-interface... trust your users... :wink:

Post by jonte » 28 Jan 2009, 06:25

peter wrote:
Xet, what you describe is correct, but still things won't work as expected when using the filemanager (web interface). See my previous post
http://forum.excito.net/viewtopic.php?t ... ight=peter

Meanwhile I discovered the problem: the web interface code uses a lot of hardcoded strings for the groupname. Instead of the actual groupname, the groupname "users" is used.

To fix this I made a few changes in the file /usr/lib/web-admin/backend.pl (although I'm not a php programmer).

Interesting.
I contacted Excito a while ago with this errand and got an answer pretty much in line with what you described above:

(Translated from Swedish)
I have looked through the code, and sure enough, there is a forcing to the group "users" there. I will see whether it is a feature or a relic, and will then get back with more information. But most likely we will update the backend/frontend so that group membership is relevant.

This was a while ago, I guess the Excito-team has had more crucial things at hand than issuing this problem, maybe you (peter) can mail Excito the changes you made and they can make them official in a jiffy.
:)

Post by rewien » 02 Feb 2009, 17:19

Thanks for all the replies!

But when you add a new group, let's say "quest", and make a new shared folder on bubba two with only the group "quest" having access to it,
would they be able to access the folder on the network without the web interface (which, as I read above, causes problems)?

If so, would they also be able to access that folder over a VPN network?

By the way, is it possible to have a user in 2 groups at the same time? Let's say admin in the group "users" as well as in "guest"?

Thanks,
Rewien

Post by rewien » 03 Feb 2009, 17:51

How can one add or remove passwords for the users of the new user group "guest"?

thanks,
Rewien

Post by rewien » 06 Feb 2009, 17:20

Xet wrote:
1) The easiest way would be to put your "unsecure" users in a special group, say "guest", and treat them as "others". You have to do the following as root.
Add a new group.

Code:

    groupadd guest

Let's pretend that you want to put your user "nisse" in that new group.

Code:

    usermod -g guest nisse

If you have created "nisse" via the web-admin, you might have to do

Code:

    usermod -G guest nisse

to remove him from the "users" group.

Set the correct permission to the web folder

Code:

    chmod o-rwx /home/web

My web-folder had permissions like that already, so you might not have to do the last step.

That's it, only members of the "users" group and the user "www-data" are now allowed to read or write the web-folder.

2) I'm not sure what you mean by "shared folder", but if it's a "windows share" you might want to look up the "valid user" directive for samba.

Hello Xet,

When I try to add a user that I have created from the web GUI to my "extern_users" group using the codes above nothing happens, and the created users can still view my web folder and enter the web GUI normally.

This is what I typed:

    usermod -g extern_users extern1

and after that:

    usermod -G extern_users extern1

Any idea what I'm doing wrong?

Thanks,
Rewien

Post by Xet » 07 Feb 2009, 02:51

That seems strange.
Doing

Code:

    usermod -g extern_users extern1

should do the trick.

A few things to look up:
Is the user in both the "users" group and the "extern_users" group?

Code:

    groups extern1

It should display "extern1 : extern_users", not "extern1: extern_users users"

Are the permissions set as they should on the folders you want to protect?

As Peter said in a previous post, this doesn't work as intended with the filemanager in the web-interface.

To answer some of your previous questions:
Yes, a user can be part of more than one group, wouldn't make any sense in having groups otherwise.
Yes, as far as I can tell, this should work over VPN however that isn't something I have tried.

Post by rewien » 07 Feb 2009, 05:41

Xet wrote:
That seems strange.
Doing

Code:

    usermod -g extern_users extern1

should do the trick.

A few things to look up:
Is the user in both the "users" group and the "extern_users" group?

Code:

    groups extern1

It should display "extern1 : extern_users", not "extern1: extern_users users"

Are the permissions set as they should on the folders you want to protect?

As Peter said in a previous post, this doesn't work as intended with the filemanager in the web-interface.

To answer some of your previous questions:
Yes, a user can be part of more than one group, wouldn't make any sense in having groups otherwise.
Yes, as far as I can tell, this should work over VPN however that isn't something I have tried.

Hello Xet,

After:

Code:

    groups extern1

I get:

    extern1 : extern_users

So that looks good, but "extern1" is still able to access the web GUI.
I thought that it shouldn't be able to access the home folder, since that is accessible for only the @users group?

I also created a folder called: extern_users

and configured it in samba like:

    [extern_users]
    comment = this is the directory of extern_users
    writable = yes
    guest ok = no
    public = no
    path = /home/extern_users
    force group = extern_users

So I think I would be able to access that folder only with the users in the group "extern_users", right?

thanks Xet,
Rewien
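
The share definition in the post above has no `valid users` line, so Samba admits any authenticated account, and `force group` then gives every connection the group rights of extern_users. As an added example (not part of the original posts), this script classifies each share in an smb.conf; the sample file is constructed and the share name `extern_users_fixed` is hypothetical.

```shell
# Added example, not from the thread: classify each share in an smb.conf.
#   unrestricted = no "valid users" line; guest-access = "guest ok"/"public"
#   enabled; restricted:X = only the accounts or @groups X may connect.
audit_shares() {   # usage: audit_shares FILE
    awk '
    function report() {
        if (share == "" || share == "global") return
        if (guest)            print share, "guest-access"
        else if (valid == "") print share, "unrestricted"
        else                  print share, "restricted:" valid
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[.*\]/ {                           # a new [share] section starts
        report()
        share = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", share)
        valid = ""; guest = 0
        next
    }
    /=/ {                                       # option = value
        key = tolower(substr($0, 1, index($0, "=") - 1))
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "valid users") valid = val
        if ((key == "guest ok" || key == "public") && tolower(val) ~ /^(yes|true|1)$/) guest = 1
    }
    END { report() }
    ' "$1"
}

# Constructed sample: the share as posted above, then the same share with a
# "valid users" line added (the name extern_users_fixed is hypothetical).
sample_conf() {
    cat <<'EOF'
[extern_users]
writable = yes
guest ok = no
public = no
path = /home/extern_users
force group = extern_users

[extern_users_fixed]
path = /home/extern_users
valid users = @extern_users
force group = extern_users
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_shares "$tmp"; rm -f "$tmp"
```

Run it against the live file with `audit_shares /etc/samba/smb.conf` (the usual Debian path, an assumption for this device); built-in sections such as `[homes]` are reported like any other share.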

Post by rewien » 14 Feb 2009, 06:21

Strangely enough, the user "extern1" can still browse through all the files and folders of the group users.

How can I fix this so extern1 with the group "extern_users" can only access folders which are assigned to "extern_users"?

I also found out that when changing a user from the group "users" to the group "extern_users", the user remains in the web GUI; removing him from the web GUI removes him from the "extern_users" group as well.

I tried to find a manual or howto for this on the web but couldn't find any.

All help is welcome,
Rewien

Post by peter » 15 Feb 2009, 03:42

To solve the problem, I changed a few files of the web interface on the system.

See my topic:
http://forum.excito.net/viewtopic.php?t=1280

Post by rewien » 15 Feb 2009, 16:34

peter wrote:
To solve the problem, I changed a few files of the web interface on the system.

See my topic:
http://forum.excito.net/viewtopic.php?t=1280

Thank you peter,

I got it working!
There's one thing left to do.
Do you know the command to put a user in 2 groups at the same time?

Let's say: admin in the groups 'users' and 'other'

Thanks a lot,
Rewien

Post by peter » 15 Feb 2009, 17:11

By default user "admin" is a member of group "admin".
To add user "admin" also in group "users" you can use the following command:

Code:

    usermod -G users admin

The -G must be the capital letter G: -g means something else.
This command can be repeated for more groups for the same user,
or a list of groups can be given (separate the groups by a comma).
Look at

Code:

    man usermod

for more details.
