Help in understanding user access and setup

Post by fizzgig656 »

Sorry guys I'm sure I'm asking a basic and simple question. Well to some it might be....I did look at the wiki pages. Sorry if I missed the one I need, but I'm now beginning to open up firewall ports and would like to know I'm being as secure as I can and not be a div and leaving myself open.
I want to set up 3 users or groups of users. Admin user, normal user, view only.

Q1
If I set up users in the webgui "user's and groups" will they determine overall rights to access via all the services and the webgui? DLNA, ssh, sftp, webserver and bittorrent etc?

Q2
Does "User ID" just associate a number to the user name?

Q3
Clarify the "shell" option and "primary group" and what they control?

Q4
Are there explanations for the selectable levels/options for "shell" and "primary groups"? I.e. sh, bash and games, ftp etc. I understand some are self-explanatory as to their purpose. Like primary group "admin", I guess this is full access? But for what? Does "ftp" just give access to the ftp service? But would that affect using sftp?

Thanks in advance for your time
10.2.0.2 - Prester (revision 1814) embedded x64 no swap + extended webgui, on atom D2700MUD 1x4gb ram, 1x mini sata controllers, 4 HDD in a icydock 4bay caddy run 2x 500gb mirror and 2x1tb mirror. Using CIFS/SMB, SSH, DLNA/UPnP, dynamic DNS, Webserver (owncloud) and BitTorrent for home use.

Post by fizzgig656 »

Is there anyone that can help me please?

Post by raulfg3 »

12.1.0.4 - Ingva (revision 7743) on SUPERMICRO X8SIL-F 8GB of ECC RAM, 11x3TB disk in 1 vdev = Vpool = 32TB Raw size , so 29TB usable size (I Have other NAS as Backup)

Wiki
Last changes

HP T510

Post by fizzgig656 »

Thanks for replying. I've looked at the wiki but can't seem to find any answer to my questions. I don't doubt it's a lack of knowledge on my behalf. If no one can/wants to enlighten me, can someone point me in the right direction please.

Post by Parkcomm »

Q1. Files and directories have access permissions (read/write/execute) for user (owner), group, and others (e.g. the owner can read and write, members of the group can read and others have no access). The owner could be a person or a process. See https://www.freebsd.org/doc/handbook/us ... opsis.html and https://www.freebsd.org/doc/handbook/permissions.html

Q2. Yes

Q3. When you set up a user additional parameters are set, for instance a home directory owned by that user. One of the parameters is the default shell each user can use. See https://www.freebsd.org/doc/handbook/shells.html and https://www.freebsd.org/doc/en/articles ... hells.html

Q4. Users are members of multiple groups; the primary group is a config option and is really no different to any other membership. For security reasons I recommend you create a primary group called users and use this as the default group for all users. The most important (and also dangerous) group is wheel. This is given to users with superuser privileges. Be judicious in its use.

Only add additional groups as required. If user A does not use ftp, don't give them ftp permissions. Just because a group (like ftp) exists does not mean users need access to the group. This is a bit of a topic so I'll leave it to you to follow up, but if ftp saves files in a directory that only user ftp or members of group ftp can access, then if you want to access these files you need to be in the ftp group. However sftp probably uses the same user and group so you don't need an additional group.

To know the owner and group of files and directories use "ls -la"
NAS4Free Embedded 10.2.0.2 - Prester (revision 2003), HP N40L Microserver (AMD Turion) with modified BIOS, ZFS Mirror 4 x WD Red + L2ARC 128M Apple SSD, 10G ECC Ram, Intel 1G CT NIC + inbuilt broadcom

Post by fizzgig656 »

Thanks very much for your reply. I will spend some time reading over this. Cheers

Post by fizzgig656 »

Had some time to go over, read and view examples. Seems simpler now (even a bit too stupidly easy to understand, why could I find these answers myself I don't know). Sometimes finding older threads telling you how to get round an issue doesn't help explain it. I.e. I know chmod 755 would be a reply for resolving some access/services issues, but now understanding what that really means helps me to understand, be more assured of security and set up proper users/groups.
If a file "A" has -RWXRW-R-- root:wheel

Root is the owner with RWX (7) permissions
Wheel is the group with RX- (6) permissions
and everyone else gets R-- (4) permissions.

So unless you're using "root" (the owner of this file) or assigned to the "wheel" group you will only have read access no matter which group you're in (unless it's wheel).

How could I create a new user/group "viewer" to access this file only (so this is the only file they can see) without giving access to "root" or "wheel", as this would give access to more than one file? Would I create the user/group then change the user/group using Chown -r for this file only? Will this not remove "Root" or "wheel" access to this file? Or does "root"/"wheel" need to be given the new group access too? The aim being to allow one person or group to only view this file!

thanks

Post by Parkcomm »

Create user and group viewer:viewer
Chown the file to viewer:viewer
Chmod the file to 764
Add root to the viewer group

Post by fizzgig656 »

Thanks for confirming

Post by Parkcomm »

My pleasure

Post by fizzgig656 »

So if I do create a new group "viewer" and chown the file to root:viewer (owner and group) then chmod 744, that gives root the RWX as the owner and viewer as the group R-- and everyone else R--.

How does another group "wheel" get RWX rights? For instance, or a standard user group "users" get R-X.

Sorry to be asking what seem like simple basic questions.

Post by Parkcomm »

That's not how it works - you sort of need to flip your thinking

Files can be a member of only one group - users can be members of many groups. So you can either chown the group to wheel or add all the users to viewer

Each ownership level (e.g. group) can only have one set of mode bits. So if you want wheel to get RWX and users to get R-X, set
chown root:wheel / chmod 775

Post by fizzgig656 »

So how can you have 2 sets of users who need different access. For example a group of users as "viewer" only to be given r-- access and a group of users as "users" who can have rwx?

Post by Onichan »

You could either make the "users" group the owner with 7 rights then "viewer" group the group permission.

Or you need to use ACLs, builtin nix permissions aren't for advanced rights management.

Post by Parkcomm »

Starting with ACLs on the command line is a bit of a learning curve - if you mainly use CIFS/SMB you should have a look at this https://www.google.com.au/webhp?sourcei ... free%20acl

Post by fizzgig656 »

Ok thanks I'll have a look at both. Do ACLs affect permissions only via CIFS/SMB? They don't affect permissions via ssh, ftp etc?

Post by Parkcomm »

ACLs are native to NAS4Free - but are manual and in my opinion a little esoteric (although they did not exist when I started using Unix, so that may just be my bias). I think they are easier to use through CIFS.

Also note there are two types of ACLs, POSIX ACLs and NFSv4 ACLs - they work similarly but have some differences in syntax, https://www.freebsd.org/cgi/man.cgi?query=setfacl. Note that ZFS (if you are using it) uses NFSv4 ACLs.

Post by fizzgig656 »

fizzgig656 wrote:So how can you have 2 sets of users who need different access. For example a group of users as "viewer" only to be given r-- access and a group of users as "users" who can have rwx?
Could I not set permissions as 774 with root:wheel as owner:group? Then ensure anyone who is part of "viewer" is not part of wheel for instance, that would leave members of "viewer" as other/everyone else permissions which would be 4 (R--)?

Is there a way to find out who is a member of what groups? Just thinking, if I change group from "wheel" to "user", who will be affected (who is a member of wheel for example)?

Post by Parkcomm »

Yep - that's a fine way to do it.

pw groupshow wheel
https://www.freebsd.org/doc/handbook/us ... opsis.html
NAS4Free Embedded 10.2.0.2 - Prester (revision 2003), HP N40L Microserver (AMD Turion) with modified BIOS, ZFS Mirror 4 x WD Red + L2ARC 128M Apple SSD, 10G ECC Ram, Intel 1G CT NIC + inbuilt broadcom
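
The mode-bit rule this thread keeps returning to, as an added example that is not part of any forum post: the kernel picks exactly one class (owner, else group, else other) and applies only that class's bits. The function names, user names and group lists are constructed for illustration; ACLs are ignored and the superuser is assumed to be the account named root.

```shell
#!/bin/sh
# Added illustration (not from the thread): which rwx bits apply to a user
# under classic Unix mode bits. POSIX sh, no ACL handling.

# rwx DIGIT -> prints the rwx triplet for one octal digit
rwx() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# effective_perms MODE FILE_OWNER FILE_GROUP USER "GROUP1 GROUP2 ..."
# Prints "<class>:<rwx>". The body runs in a subshell so variables stay local.
effective_perms() (
    mode=$1; fowner=$2; fgroup=$3; user=$4; ugroups=$5

    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $mode" >&2; exit 2 ;;
    esac
    od=${mode%??}            # owner digit
    rest=${mode#?}
    gd=${rest%?}             # group digit
    td=${mode#??}            # other digit

    # uid 0 bypasses read/write checks; execute still needs an x bit somewhere.
    if [ "$user" = root ]; then
        xbit=-
        [ $(( (od | gd | td) & 1 )) -ne 0 ] && xbit=x
        printf 'root:rw%s\n' "$xbit"
        exit 0
    fi

    # First match wins: the owner never falls through to group or other,
    # and a member of the file's group never falls through to other.
    if [ "$user" = "$fowner" ]; then
        class=owner; digit=$od
    else
        class=other; digit=$td
        for grp in $ugroups; do
            if [ "$grp" = "$fgroup" ]; then
                class=group; digit=$gd
                break
            fi
        done
    fi
    printf '%s:%s\n' "$class" "$(rwx "$digit")"
)

# Constructed scenarios based on the modes discussed in the thread.
effective_perms 774 root wheel bob   "users wheel"    # group:rwx
effective_perms 774 root wheel alice "users viewer"   # other:r--
effective_perms 764 viewer viewer carol "viewer"      # group:rw-
# Edge case: the owner gets the owner bits even when the group bits are wider.
effective_perms 074 alice wheel alice "wheel"         # owner:---
```

On the NAS itself, the group list to pass in for a real account comes from `id -Gn username`.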

Post by fizzgig656 »

once again thanks.

Post by fizzgig656 »

Similar yet slightly different question. Transmission is downloading files and putting complete ones into folder "new" with transmission:wheel as owner:group. Where does it get this from?
Is it inherent or is it set by transmission?
Can I change the default group that transmission uses to a new one that I create? Then give this to user "a"
Or do I just give user "a" access to the wheel group? But this user will then have access to all other folders.

Post by Parkcomm »

Is that using the gui? I thought transmission used transmission:transmission as the default user:group

If I'm correct you can then put users in the transmission group

Post by fizzgig656 »

Erm, well I've SSH'd on and checked, the temp folder for while transmission is downloading is listed as root:wheel and the files it downloads are transmission:wheel, and the folder where the completed files are moved to after completing is root:wheel and the file is transmission:wheel.

Is this due to the permissions on the parent folder?

Do I change the root folder and sub folders to be a different group? Or add wheel to the user I need to access and change/delete/create etc.

Post by fizzgig656 »

Just changed the parent folder used for when transmission is downloading and it seems to create the new folder and sub folders with the parent folder's group. And when it moves the file or folder the group changes again to the parent folder's setting in the new location.

So I guess I need to change using chown -R :newgroup for both temp location and completed location. Then I can assign the newgroup to the user. But should I choose a default user group or change it to one of the default "system" groups??

Post by Parkcomm »

Sorry I led you down the garden path - I have transmission on my system but not installed from the GUI.

Create a group of your own called users, make sure every user is a member and then chown files that all users can access to this group.

System and default groups are used for other stuff that you might not be aware of, adding a user to that group could be a security hole.

Post by fizzgig656 »

ok, cheers. once again thanks very much.

Post by fizzgig656 »

Ok thanks.

Is it ok to create groups via webgui? Tried it twice now and all access to the box drops. Any thoughts?
Thought I'd create 2, one personal and one media group

Post by fizzgig656 »

In fact it looks like the box rebooted and didn't create the group.

In fact it looks like it reboots whatever I do now, or it keeps rebooting.

Post by fizzgig656 »

Looks like I'm unlucky tonight, it's stuck in a reboot every 2-3 minutes, no errors on screen, reverting to backup USB. Hope I've got an updated backup of the config.....long night ahead.

Post by Parkcomm »

good luck