Problem with groups and filemanager

peter
Posts: 26
Joined: 07 Oct 2008, 09:35
Location: the Netherlands

Problem with groups and filemanager

Post by peter » 16 Oct 2008, 18:59

I added a new user guest in a new group guest via the shell.
I executed a chmod o-rwx for all directories under /home except guest and storage.
When using the shell, everything worked as expected. User guest could only enter /home/guest and /home/storage.
Unfortunately, via the web interface (filemanager) user guest could read all directories under /home and enter the first directory level. Which means it was still possible to see the files and directories under /home/someone.

What did I do wrong?

ls -l /home
drwxr-x--- 2 admin admin 4096 2008-10-03 23:57 admin
drwxr-xr-x 4 guest guest 4096 2008-10-17 00:17 guest
drwxr-x--- 4 someone users 4096 2008-10-07 23:21 someone
drwx------ 2 root root 16384 2008-10-07 23:52 lost+found
drwxrwxrwx 6 root users 4096 2008-10-07 22:09 storage
drwxrwx--- 4 www-data users 4096 2008-10-07 23:53 web

Peter

jonte
Posts: 65
Joined: 05 Nov 2008, 11:52

Post by jonte » 10 Nov 2008, 14:51

Hi all.
First post.
I've followed the discussions in the Excito forum for about a week (since I bought BubbaTwo)

I'm in the process of doing something similar to what Peter mentioned.

Creating a "Guest" account with limited access to shared files on the BubbaTwo.

Although instead of allowing "guest" to access /home/storage, I limit guest's access to a folder called /home/share (guest's home folder). This is to limit guest's access to family pictures stored in /home/storage, for instance, but still allow members of users to access /home/storage with chmod 770.

Guest-account is not a part of users-group, only part of guest-group.
/home/share belongs to guest-group, rather than users

All home folders of users are chmod 700. For some reason guest will have access to users folders with 770 or equivalent, as long as it's not 0 via webinterface, even though it's not a member of group users.

Guest home folder is 777.

Peter's problem remains. User guest can access all of the users group's folders via the web interface, even though it's not a member of this group. FTP access works as planned, that is, limited access to all 770 folders belonging to the users group. Shell access is turned off for guest.

Any thoughts?
I'd say the evidence points to Bubba Two's web interface somehow. Maybe the webadmin interface recognizes all users as part of group users?

------
Another thing, for Firefly to work properly, I added user mt-daapd (running Firefly) to users group (to grant access to /home/storage) (user mt-daapd still a member of nogroup), is this maybe a security hazard? Is it possible to use mt-daapd user account to access information on BubbaTwo from shell/ftp?

Thanks
Jonathan

peter
Posts: 26
Joined: 07 Oct 2008, 09:35
Location: the Netherlands

Post by peter » 07 Feb 2009, 13:49

I upgraded to version 1.1.2 today (7-feb-2009).
After that I tested the guest account issue again.
Unfortunately it still isn't fixed: user guest can still access the files as if it was a member of group "users".

In the previous version I made some small changes in the file backend.pl.
I could not locate the same functions in Bubba version 1.1.2, but after some searching I found the new location of the files I had modified before.

Now I had to modify two files (exactly the same modification in both files):
/usr/share/perl5/Bubba.pm
and
/usr/share/perl5/auto/Bubba/su.al
(su.al is derived from Bubba.pl with AutoSplit)

Inside these files look for subroutine su and add the code between # peters modification and # end of peters modification:

Code:

sub su{
        my($name,$group)=@_;
        # getpwnam() in scalar context returns only the uid
        my $new_uid=getpwnam($name);
        if(!defined($new_uid)){
                die "Could not get uid of user [$name]";
        }

        # peters modification
        # getpwnam() in list context also returns the primary gid from the
        # password file; resolve it to a group name and use that instead of
        # the $group handed in by the caller (the hardcoded "users")
        my($mynam, $mypw, $myuid, $mygid, $myquo) = getpwnam($name);
        $group = getgrgid($mygid);   # scalar context: group name for this gid
        # end of peters modification

        my $new_gid=getgrnam($group);
        if(!defined($new_gid)){
                die "Could not get gid of group [$group]";
        }
        my $groups=getusergroups($name).$new_gid;
        # ... remainder of the original subroutine unchanged ...
}
This makes sure that the user gets the same group as specified in the password file instead of the hardcoded group "users".

After this modification user "admin" can't access all files of group "users".
To have access again, execute the following command via su:

Code:

usermod -G users admin
Perhaps someone from Excito could have a look at my modification and add it to the next update, or give me comments in case I missed something (e.g. with respect to security). If any other user sees that I missed something, please let me know.
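To show why the hardcoded group makes a difference for the listing in Peter's first post, here is an added Python check (not part of the thread and not Bubba's code): it evaluates the mode bits from that ls -l output for the identity the shell uses (guest with group guest) and for the identity the web interface effectively used (guest with group users).

```python
from typing import NamedTuple

# Sample input: the "ls -l /home" listing from Peter's first post.
LS_OUTPUT = """\
drwxr-x--- 2 admin admin 4096 2008-10-03 23:57 admin
drwxr-xr-x 4 guest guest 4096 2008-10-17 00:17 guest
drwxr-x--- 4 someone users 4096 2008-10-07 23:21 someone
drwx------ 2 root root 16384 2008-10-07 23:52 lost+found
drwxrwxrwx 6 root users 4096 2008-10-07 22:09 storage
drwxrwx--- 4 www-data users 4096 2008-10-07 23:53 web
"""

class Entry(NamedTuple):
    mode: str    # symbolic mode, e.g. "drwxr-x---"
    owner: str
    group: str
    name: str

def parse_ls(text):
    """Parse long-listing lines into Entry tuples (malformed lines are skipped)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or len(parts[0]) != 10:
            continue
        entries.append(Entry(parts[0], parts[2], parts[3], parts[-1]))
    return entries

def can_enter(entry, user, groups):
    """Classic Unix DAC: choose the owner, group or other triplet and require
    'x' to enter a directory. Root's DAC bypass is deliberately not modelled."""
    if user == entry.owner:
        bits = entry.mode[1:4]
    elif entry.group in groups:
        bits = entry.mode[4:7]
    else:
        bits = entry.mode[7:10]
    return "x" in bits

def reachable(text, user, groups):
    """Sorted names of the directories this (user, group set) identity may enter."""
    groups = set(groups)
    return sorted(e.name for e in parse_ls(text) if can_enter(e, user, groups))

if __name__ == "__main__":
    # shell identity: guest with its real primary group
    print("guest/guest:", reachable(LS_OUTPUT, "guest", ["guest"]))
    # web interface identity: guest with the hardcoded group "users"
    print("guest/users:", reachable(LS_OUTPUT, "guest", ["users"]))
```

Feed it a current ls -l of your own /home to see what each identity could reach; with the shell identity only guest and storage should come back.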

jonte
Posts: 65
Joined: 05 Nov 2008, 11:52

Post by jonte » 09 Feb 2009, 16:10

peter wrote:
Perhaps someone of Excito could have a look at my modification and add it to the next update or give me comment in case I miss something (e.g. with respect to security). If any other user sees I miss something, please let me know.
Good job, Peter. Thanks a lot!

Hope to see Excito implement your code as "official", if nothing else stands in the way.
