Hi Greg,

Thanks for the reply!

So I guess I was going in the right direction. I'd been playing with chmod and chown but not chgrp. Where I'm at now, I've removed 'other' permission on all home folders, but one thing I tried was to even remove other permissions on the /home folder, thinking that the user would still be able to see the subfolder owned by them, but when I log in as the user I get a message saying 'Could not chdir to home directory /home/user: Permission denied'. It doesn't really matter because I just set everything inside of the home folder to chmod 750 and that seems to work fine for keeping the user out of other users' folders.

Are there any root folders that I should as a best practice restrict access to? Like configuration files, etc. Some folders I would think need to be accessible to access libraries and such, but others would only need to be accessible by root or the system.

Thanks again for your help!!

Ash

On Thu, Mar 27, 2008 at 2:05 PM, Greg Bosch <[EMAIL PROTECTED]> wrote:
> Ash:
>
> Set up a group like "web" (without the quotes obviously) in /etc/group
> and then specify the users that should be part of the group
>
> for instance you might make the entry
> web:x:501:user1,user2,user3
> into /etc/group
>
> the format of /etc/group is similar to /etc/password but has some
> differences
> <user_id>:<password>:<gid>:<user1>[,<user2>][,<user3>][... you get the idea]
>
> so the line above would set up a group "web" with no password with the
> group id 501 and then include in the group user1 user2 and user3
> (Please note that user1 user2 and user3 have to already exist and the
> gid must be unique)
>
> When you look into /etc/group you most likely find there is already a
> group created for your username however no one is in it (actually you
> are explicitly part of it). This is best practices as all files are
> given OWN permissions, GROUP permissions and WORLD permissions. By
> having your own group, files you create will be owned by you and owned by
> your group. You can change the group permissions however. Try the
> following:
>
> Create a file:
> # touch file
>
> Run the command ls -l to initially see what's created
> # ls -l
>
> Now allow others in the group web to read it by doing a:
> # chgrp web file
> # chmod 540 file
>
> Now run ls -l again to see how the commands chgrp and chmod have changed
> the permissions of file
> # ls -l
>
> That should get you started. Read the man pages for group, chgrp, chown
> and chmod (adduser too if you are unfamiliar with the process of adding
> a user)
>
> -gb
>
> Ashley Snelgrove wrote:
> > Hi there,
> >
> > What is the best way to limit what a user can see in the system? If
> > there are directories I don't want some users to have access to what
> > is the best way to restrict that? For example, if a user has a home
> > directory and is also part of a group administering a web site, all
> > that is really needed is access to the home directory and the web
> > folder. But because he needs access to the web folder I can't just
> > chroot him in his home folder. I thought about making his home folder
> > the web folder but there may be more web admins later. Is there a way
> > to be selective, I guess, in what is accessible and what is not?
> >
> > Thanks for your help!!
> >
> > Ash
> > _______________________________________________
> > Openbsd-newbies mailing list
> > [email protected]
> > http://mailman.theapt.org/listinfo/openbsd-newbies
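
The chdir failure and the 750 setting discussed in this thread, as an added example that is not part of the original messages: a small audit that checks that the parent of the home directories still gives "other" search permission while each home directory gives "other" nothing. The function names (`mode_of`, `parent_traversable`, `home_is_private`, `audit_homes`) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Audits a home-directory parent such as /home: the parent must keep
# search (x) for "other" so each user can chdir through it, while the
# individual home directories should grant nothing to "other" (e.g. 750).

# Print the 10-character mode string, e.g. drwxr-x---
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# True if "other" has search permission (x, or t = sticky plus x).
parent_traversable() {
    case "$(mode_of "$1")" in
        ?????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

# True if "other" has no read, write or search permission.
home_is_private() {
    case "$(mode_of "$1")" in
        ???????---) return 0 ;;
        *) return 1 ;;
    esac
}

# Report findings for BASE and its subdirectories; status 0 if clean.
audit_homes() {
    base=$1
    findings=0
    if ! parent_traversable "$base"; then
        echo "FAIL $base: no search (x) for other, users cannot chdir through it"
        findings=$((findings + 1))
    fi
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        if ! home_is_private "$d"; then
            echo "WARN $d: mode $(mode_of "$d") grants access to other"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_homes.sh /home
if [ "$#" -gt 0 ]; then audit_homes "$1"; fi
```

Mode 711 on the parent keeps traversal working while hiding the directory listing from other users.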
