Re: [hlds_linux] linux and chmodding

2010-04-15 Thread kama

Hi!

If I understand correctly you want to be able to control what files a user
can update. And you could fix that with either ACL or groups.

Let me try to explain the way it should be done with groups.

users:
  games  - the user that owns the service
  client - the user that should only be able to update certain files.

groups:
  games  - the group for user games
  client - the group for user client

path:
  /games/cs01

In /etc/groups we specify that the user client is a member of the group
games.
  games:*:13:client

Change so games owns all the files
$ chown -R games:games /games/cs01
$ cd /games/cs01

update all files with 600 ( -rw------- )
$ find . -type f -exec chmod 600 {} \;

update all directories to 750 ( drwxr-x--- )
NOTE: r-x must be available on the group so that all the members of the
group games (ie: the user client) can list the files.
$ find . -type d -exec chmod 750 {} \;

Set the executable bit on the binaries ( will become -rwx------ )
$ chmod u+x ./hlds_amd ./hlds_i486 ./hlds_i686 ./hlds_run ./hltv

Now the user games should be able to edit, update files and run the
server. While no one else (except root) can edit or run it.

Now you need to go through each file/dir that needs to be editable or
writable for the user 'client'
$ chmod g+rw 

ie: if the user should be able to edit server.cfg
$ chmod g+rw cstrike/server.cfg

I don't know if Steam will change the file permissions when updating the
server files. So this might be an issue. You just have to test that. Maybe
Steam uses the file mask to set the file permissions.

Access Control List (ACL): (if available)

With ACL you can specify specific files that the user 'client' can access
without changing any of the actual file permissions. It is way more
powerful than just changing groups.

This simple guide might explain how it works a bit. It's for FreeBSD but the
logic is (or should be) the same. Output might differ a bit.

http://www.bsdguides.org/guides/freebsd/security/acl_permissions.php

/Bjorn

On Wed, 14 Apr 2010, daniel jokiaho wrote:

> User that runs the server: userrun belongs to group grouprun, has
> only write access to some dirs.
> User that updates the server: userupdate belongs to group
> groupupdate and has write access to all dirs.
>
> Have tried to understand the different manuals and tutorials online.
> Does this seem okay?
>
>
> groupadd grouprun
> useradd -G grouprun userrun
> passwd userrun
>
> groupadd groupupdate
> useradd -G groupupdate userupdate
> passwd userupdate
>
> Goto dir:
> chown userrun:groupupdate -R .
>
> chmod u+rwX -R . userupdate
> chmod ugo-r -R . userrun
>
> Goto log/other writable dirs:
> chmod u+rwX -R . userrun
>
>
> //Daniel
>
> 2010/4/13 Tomé Duarte :
> > Hello Daniel,
> >
> > You should be able to do that by creating:
> >  - users: userRunGS & userUpdateGS
> >  - groups: groupUpdateGS - add userUpdateGS to this one
> >
> > Then change ownership of every dir/file to userRunGS:groupUpdateGS.
> > After that, change permissions on every dir/file to:
> >  - remove userRunGS write permission, leaving it only on the files you want
> >  - set writable permission for group groupUpdateGS
> >
> > That way, you can:
> >  - run the gameserver with userRunGS; exploits can't write to any file you
> > don't want
> >  - update the gameserver with userUpdateGS; since he belongs to
> > groupUpdateGS there won't be any permission problems.
> >
> > If you have any questions on how to add this, I suggest reading the
> > following man pages: chown(1), chmod(1), groupadd(8) and useradd(8). For
> > reference, this might come in handy too.
> >
> > Cheers,
> > Tomé Duarte
> >
> > Connect with me via:
> > Twitter: http://twitter.com/tomeduarte
> > LinkedIn: http://www.linkedin.com/in/tduarte
> >
> >
> > On 13 April 2010 15:54, Cc2iscooL  wrote:
> >
> >> Because there are exploits that allow clients to upload to the server
> >> directories.
> >>
> >> To op, there's plenty of stuff if you google around for chmod.
> >>
> >> On Apr 13, 2010 11:49 AM, "f0rkz"  wrote:
> >>
> >> Sounds like a prickly spider web to me.  Why do you need UserX and
> >> UserY, why not just have a user that writes and runs.
> >>
> >> -f0rkz
> >>
> >>
> >> On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
> >> > Have read some info about how to host a ...
> >> ___
> >> To unsubscribe, edit your list preferences, or view the list archives,
> >> please visit:
> >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> >>
>
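Added example, not part of the original message: the mode-bit steps from the reply above applied to a constructed directory tree, plus a check to re-run after a Steam update, since the reply notes that the updater may change file permissions. The function names (`build_sample`, `apply_scheme`, `drift`) and the sample file names are assumptions; the `chown` step is left out so the script runs without root.

```shell
#!/bin/sh
# Added example; file names are constructed. Runs without root, so the
# "chown -R games:games" step is left out and only mode bits are exercised.

# build_sample ROOT: create a small constructed server tree
build_sample() {
    mkdir -p "$1/cstrike/maps" "$1/cstrike/logs"
    : > "$1/hlds_run"; : > "$1/hltv"
    : > "$1/cstrike/server.cfg"; : > "$1/cstrike/maps/sample.bsp"
}

# apply_scheme ROOT [REL...]: 600 on files, 750 on directories, u+x on the
# launchers, then g+rw only on the listed paths (relative to ROOT)
apply_scheme() {
    root=$1; shift
    find "$root" -type f -exec chmod 600 {} +
    find "$root" -type d -exec chmod 750 {} +
    chmod u+x "$root/hlds_run" "$root/hltv"
    for rel in "$@"; do
        chmod g+rw "$root/$rel"
    done
}

# drift ROOT [REL...]: print paths that break the scheme; no output = clean
drift() {
    root=$1; shift
    (
        cd "$root" || exit 1
        # anything "other" can read, write or execute is always drift
        find . ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \)
        # group-writable paths are drift unless they are on the allowlist
        find . ! -type l -perm -020 | while IFS= read -r path; do
            allowed=no
            for rel in "$@"; do
                if [ "./$rel" = "$path" ]; then allowed=yes; fi
            done
            if [ "$allowed" = no ]; then printf '%s\n' "$path"; fi
        done
    ) | sed 's|^\./||' | sort -u
}

# Demo: a simulated update resets one file to 664, and drift reports it
demo=$(mktemp -d)
build_sample "$demo"
apply_scheme "$demo" cstrike/server.cfg
chmod 664 "$demo/cstrike/maps/sample.bsp"
echo "drift after simulated update:"
drift "$demo" cstrike/server.cfg
rm -rf "$demo"
```

Running `drift` with the same allowlist after every update shows whether the updater widened any permissions before the server is started again.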

Re: [hlds_linux] linux and chmodding

2010-04-14 Thread David A. Parker
The downside to doing it this way is that autoupdate will not work. 
When updates are released, you'll need to kill the server and run the 
update process as userX, and then start up the server again as userY. 
If you use the same user for running and updating, you can simply 
restart the server and let the autoupdater do its thing.

 - Dave

Daniel Nilsson wrote:
> Cool!
> 
> Thanks for a good explanation :)
> 
> //Daniel
> 
> Tomé Duarte skrev 2010-04-13 18:45:
>> Hello Daniel,
>>
>> You should be able to do that by creating:
>>  - users: userRunGS & userUpdateGS
>>  - groups: groupUpdateGS - add userUpdateGS to this one
>>
>> Then change ownership of every dir/file to userRunGS:groupUpdateGS.
>> After that, change permissions on every dir/file to:
>>  - remove userRunGS write permission, leaving it only on the files you want
>>  - set writable permission for group groupUpdateGS
>>
>> That way, you can:
>>  - run the gameserver with userRunGS; exploits can't write to any file you
>> don't want
>>  - update the gameserver with userUpdateGS; since he belongs to
>> groupUpdateGS there won't be any permission problems.
>>
>> If you have any questions on how to add this, I suggest reading the
>> following man pages: chown(1), chmod(1), groupadd(8) and useradd(8). For
>> reference, this might come in handy too.
>>
>> Cheers,
>> Tomé Duarte
>>
>> Connect with me via:
>> Twitter: http://twitter.com/tomeduarte
>> LinkedIn: http://www.linkedin.com/in/tduarte
>>
>>
>> On 13 April 2010 15:54, Cc2iscooL  wrote:
>>
>>
>>> Because there are exploits that allow clients to upload to the server
>>> directories.
>>>
>>> To op, there's plenty of stuff if you google around for chmod.
>>>
>>> On Apr 13, 2010 11:49 AM, "f0rkz"  wrote:
>>>
>>> Sounds like a prickly spider web to me.  Why do you need UserX and
>>> UserY, why not just have a user that writes and runs.
>>>
>>> -f0rkz
>>>
>>>
>>> On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
>>>> Have read some info about how to host a ...

-- 

Dave Parker
Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177




Re: [hlds_linux] linux and chmodding

2010-04-14 Thread daniel jokiaho
User that runs the server: userrun belongs to group grouprun, has
only write access to some dirs.
User that updates the server: userupdate belongs to group
groupupdate and has write access to all dirs.

Have tried to understand the different manuals and tutorials online.
Does this seem okay?


groupadd grouprun
useradd -G grouprun userrun
passwd userrun

groupadd groupupdate
useradd -G groupupdate userupdate
passwd userupdate

Goto dir:
chown userrun:groupupdate -R .

chmod u+rwX -R . userupdate
chmod ugo-r -R . userrun

Goto log/other writable dirs:
chmod u+rwX -R . userrun


//Daniel









2010/4/13 Tomé Duarte :
> Hello Daniel,
>
> You should be able to do that by creating:
>  - users: userRunGS & userUpdateGS
>  - groups: groupUpdateGS - add userUpdateGS to this one
>
> Then change ownership of every dir/file to userRunGS:groupUpdateGS.
> After that, change permissions on every dir/file to:
>  - remove userRunGS write permission, leaving it only on the files you want
>  - set writable permission for group groupUpdateGS
>
> That way, you can:
>  - run the gameserver with userRunGS; exploits can't write to any file you
> don't want
>  - update the gameserver with userUpdateGS; since he belongs to
> groupUpdateGS there won't be any permission problems.
>
> If you have any questions on how to add this, I suggest reading the
> following man pages: chown(1), chmod(1), groupadd(8) and useradd(8). For
> reference, this might come in handy too.
>
> Cheers,
> Tomé Duarte
>
> Connect with me via:
> Twitter: http://twitter.com/tomeduarte
> LinkedIn: http://www.linkedin.com/in/tduarte
>
>
> On 13 April 2010 15:54, Cc2iscooL  wrote:
>
>> Because there are exploits that allow clients to upload to the server
>> directories.
>>
>> To op, there's plenty of stuff if you google around for chmod.
>>
>> On Apr 13, 2010 11:49 AM, "f0rkz"  wrote:
>>
>> Sounds like a prickly spider web to me.  Why do you need UserX and
>> UserY, why not just have a user that writes and runs.
>>
>> -f0rkz
>>
>>
>> On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
>> > Have read some info about how to host a ...


Re: [hlds_linux] linux and chmodding

2010-04-13 Thread Daniel Nilsson
Cool!

Thanks for a good explanation :)

//Daniel

Tomé Duarte skrev 2010-04-13 18:45:
> Hello Daniel,
>
> You should be able to do that by creating:
>  - users: userRunGS & userUpdateGS
>  - groups: groupUpdateGS - add userUpdateGS to this one
>
> Then change ownership of every dir/file to userRunGS:groupUpdateGS.
> After that, change permissions on every dir/file to:
>  - remove userRunGS write permission, leaving it only on the files you want
>  - set writable permission for group groupUpdateGS
>
> That way, you can:
>  - run the gameserver with userRunGS; exploits can't write to any file you
> don't want
>  - update the gameserver with userUpdateGS; since he belongs to
> groupUpdateGS there won't be any permission problems.
>
> If you have any questions on how to add this, I suggest reading the
> following man pages: chown(1), chmod(1), groupadd(8) and useradd(8). For
> reference, this might come in handy too.
>
> Cheers,
> Tomé Duarte
>
> Connect with me via:
> Twitter: http://twitter.com/tomeduarte
> LinkedIn: http://www.linkedin.com/in/tduarte
>
>
> On 13 April 2010 15:54, Cc2iscooL  wrote:
>
>
>> Because there are exploits that allow clients to upload to the server
>> directories.
>>
>> To op, there's plenty of stuff if you google around for chmod.
>>
>> On Apr 13, 2010 11:49 AM, "f0rkz"  wrote:
>>
>> Sounds like a prickly spider web to me.  Why do you need UserX and
>> UserY, why not just have a user that writes and runs.
>>
>> -f0rkz
>>
>>
>> On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
>>  
>>> Have read some info about how to host a ...
>>>


Re: [hlds_linux] linux and chmodding

2010-04-13 Thread Tomé Duarte
Hello Daniel,

You should be able to do that by creating:
  - users: userRunGS & userUpdateGS
  - groups: groupUpdateGS - add userUpdateGS to this one

Then change ownership of every dir/file to userRunGS:groupUpdateGS.
After that, change permissions on every dir/file to:
  - remove userRunGS write permission, leaving it only on the files you want
  - set writable permission for group groupUpdateGS

That way, you can:
  - run the gameserver with userRunGS; exploits can't write to any file you
don't want
  - update the gameserver with userUpdateGS; since he belongs to
groupUpdateGS there won't be any permission problems.

If you have any questions on how to add this, I suggest reading the
following man pages: chown(1), chmod(1), groupadd(8) and useradd(8). For
reference, this might come in handy too.

Cheers,
Tomé Duarte

Connect with me via:
Twitter: http://twitter.com/tomeduarte
LinkedIn: http://www.linkedin.com/in/tduarte


On 13 April 2010 15:54, Cc2iscooL  wrote:

> Because there are exploits that allow clients to upload to the server
> directories.
>
> To op, there's plenty of stuff if you google around for chmod.
>
> On Apr 13, 2010 11:49 AM, "f0rkz"  wrote:
>
> Sounds like a prickly spider web to me.  Why do you need UserX and
> UserY, why not just have a user that writes and runs.
>
> -f0rkz
>
>
> On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
> > Have read some info about how to host a ...


Re: [hlds_linux] linux and chmodding

2010-04-13 Thread Zuko
http://forums.alliedmods.net/showthread.php?t=109453

2010/4/13 Cc2iscooL :
> Because there are exploits that allow clients to upload to the server
> directories.
>
> To op, there's plenty of stuff if you google around for chmod.
>
> On Apr 13, 2010 11:49 AM, "f0rkz"  wrote:
>
> Sounds like a prickly spider web to me.  Why do you need UserX and
> UserY, why not just have a user that writes and runs.
>
> -f0rkz
>
>
> On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
>> Have read some info about how to host a ...



-- 
Żuko



Re: [hlds_linux] linux and chmodding

2010-04-13 Thread Cc2iscooL
Because there are exploits that allow clients to upload to the server
directories.

To op, there's plenty of stuff if you google around for chmod.

On Apr 13, 2010 11:49 AM, "f0rkz"  wrote:

Sounds like a prickly spider web to me.  Why do you need UserX and
UserY, why not just have a user that writes and runs.

-f0rkz


On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
> Have read some info about how to host a ...


Re: [hlds_linux] linux and chmodding

2010-04-13 Thread f0rkz
Sounds like a prickly spider web to me.  Why do you need UserX and
UserY, why not just have a user that writes and runs.

-f0rkz

On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
> Have read some info about how to host a server in a secure manner.
> 
> 1. Do not run server as root
> 2. UserX updates the server (Can write to all dirs and subdirs)
> 3. UserY runs the server (Can only write to log, data and spray dirs)
> 
> 
> adduser UserX... HOW do I then give him enough privileges?
> adduser UserY... HOW do I then give him the privileges this user 
> needs. And what directories, more exactly?
> 
> 
> //Daniel
> 
> 


[hlds_linux] linux and chmodding

2010-04-13 Thread Daniel Nilsson
Have read some info about how to host a server in a secure manner.

1. Do not run server as root
2. UserX updates the server (Can write to all dirs and subdirs)
3. UserY runs the server (Can only write to log, data and spray dirs)


adduser UserX... HOW do I then give him enough privileges?
adduser UserY... HOW do I then give him the privileges this user 
needs. And what directories, more exactly?


//Daniel

