hi all,
how can i prevent users from accessing all directories.
i.e., how to set permision of others to (---) in all system directorties.

thanx
mustafa

chmod o= /path
also man chmod

how chmod works
each file or folder has owner user and owner group
---
the perission is 3 type permesion of the owner,group,others
each ofthem has the format of xwr ie execute ,read and write
so if you turn on reading for the group all members of the group can access it and read it if you turn of write they can write/delete and if you turn on execute then try can execute if it's a file or browse if it a folder (if execute if off for a folder you can only access-if r is on- to files you now it's names else it's hidden)

to se it right click a file or folder and select permisions to the owner to do any thing and the group let me say only read and execute and others the same
---
let x = 1, w =2 , r =4
now to let a file be "wr" we have (w=2)+(r=4)=6 and read only r=4
if it's xwr it's (1+2+4=7) if it's read and execute (1+4=5)
and so on
now the 1st no from the lest is for the owner the middle number is for group and the last is for others
so 755 means the user can read , write and execute
his groups and other only read and execute
use commands like this
chmod 755 filename
chmod 755 /folder/
chmod 755 /folder/*
see
http://www.daif.net/linux/ar/fs.html
http://www.daif.net/linux/ar/consol2.html

it is not a good idea to set permissions to --- for others on all system directories, this way only root will be able to use the system, unless of course you have very elaborate group rules.

anyway the way to do it is


chmod -R o-rwx /


-R makes chmod work in recursive mode (if it meets any directories it goes inside them), and o-rwx means remove from others the read, write and execute permissions.

this will set it to all files and directories

now if what you want is to alter directories only then what you need is this command


find / -type d -exec chmod o-rwx \{\} \;


find searches for files according to critereas you specify.
the search criterea here is -type d which means that the filetype should be a directory (directories are files in Unix).
-exec informs find to execute a command on all files that match the criterea.
the chmod part should be self explaining.
the weird \{\} part is the place where find should put the filename of matching files when it executes the command.
the weird \; is where the exec command ends.

cheers,
Alaa

asslam alycom

i think chroot is more logical

regards

hi all,

i do know what's chmod is!
ErrorMsg, thanx for ur lecture!

my mind wansn't clear when i posted the question. it was my fault to say "set permision of others to (---)"

i simply want users to have restricted access. suppose i have many user on my machine (shared pc in lab?) and don't want them to access everything in (habal) fashion. just their home, just their apps.
this is not done by defualt. chmodING recursively may take a long time, and be booring too, every time i install linux on a machine. more ever, as alaa said, i need to undo this (MANUALLY).

>this way only root will be able to use the system, unless of
>course you have very elaborate group rules.

i think i can recover this by (rw-). eXcuting is only will enable users to use the system.

is chmod the only solution?

thanx
mustafa

chroot is the logical way to do it. check this http://www.gsyc.inf.uc3m.es/~assman/jail/, it makes it easier to do chroot.

peace

well this realy depends on your particular situation, a chroot environment makes sense if your users will be allowed a ver ver ver limited set of apps, once the chroot environment gets complex it'll be hell to maintain (not to mention a waste of space).

the reasonable Unix way solution is to organize the task/applications or the users into groups, install only the things needed by these groups of users, set permissions according to these groups.

for instance the Mandrake on a higher+ security setting sets these rules

xgrp is the group of users who can start X and run X applications

ctools is the group of users wo can use compiler and other development tools

ntools is the group of users who has access to network tools

wheel is the group of users who can su to root

admin is the group of users who has access to some admin tools and can read system wide config files and logs

etc.

once you have this set of rules carefully thought out it'll be very easy to set rules to fit this, you should allow read access to everything in /usr and except when it conflicts with this rule and disallow access to everything else (except of course /bin /lib etc.)

/etc should be decided on a case by case basis.

the problem with such a system would be maintaining and debugging these rules.

if you change your mind about some detail you may need to go and make loads of manual settings, if you add new software you have to modify its permissions etc, this will turn into a major headache on any nontrivial system.

however there are tools to help you set a policy like this one, in fact it wouldn't be very hard to come up with some scripts that do this job.
Mandrake already has a solution calles msec, msec is the Mandrake security tool, part of msec deals with permission policy, when you choose different security levels you are also choosing different permission policies.
a permission policy is described ina a veyr simple text file (take a look at /usr/share/msec/perm.[0-5])

the default policies are not bad at all (I'm surprised other distros don't have something like this by default, maybe they do and I missed it but thats one of the reasons I abandoned debian).
however for your system you'll need you own custom policy.

using groups and permissions is the Unix way to go, it works for 90% of the times IMO and works elegantly for most of them, there are situations that require more drastic measures like chroot and ACLs but IMO these are always for running privileged processes.

cheers,
Alaa

if it's boring write a sh-script to do that
--
also remember the chown and chgrp (as you know)
---

Originally posted by ErrorMsg

(as you know)
---
first of all, i'm reaaaaally sorry ErrorMsg.
<<i was so rude. i'm sorry. i'm just a stupid newbie. such action of mine will limit you benifiting me more..>>.
your text is really useful for me.
just it was a s/w engineering mid-term exam. and i was in bad temper. i should have sperated, and spoken in more polite way. you tried to help me and i refused!
anyhow, i'm sorry agian. i hope you forgive me.
(and i don't know anything ;)

thanx alaa, you striked it.

thnax every body.
mustafa

Hope you did well in your exam...! Hope...

Maher

>i'm reaaaaally sorry ErrorMsg
never mind it's OK
---
any way I found what you was looking for in
mandy CC -> system -> DrakePerm

drak perm is a GUI forntend to the great msec tool (ok its onyl a frontend to part of it, the rest is covered with draksec).

msec is basicaly a set of python functions you can use to easily enforce your own security policy, it interfaces to many security aspect including pam,
permissions, core config files shadow, passwd, bashrc etc.
a cron job to maintain these settings, and a set of periodic tests and checks to aid the admin in keeping track of her system.

try
man msec
man mseclib

and browse around /usr/shar/msec

and old article from 8.2 days http://www.mandrakesecure.net/en/docs/msec.php

and of course the mandrake docs

it is not a complete solution yet but its very good for a desktop and for a basic server setup, if more work is done on it it could give a unified scriptiable interface to all aspect of security oriented configuration (it doesn't cover grsec ACLs or sudo configs).

note however that the standard security level (the default recommended level for desktops) is optimized for ease of use not security.

cheers,
Alaa

i found drakeperm under mmk cc > security
anyhow, thanx

you might want to give one of those a try if security really matters to you :
1. systrace www.systrace.org (2.4.x kernels only for now :()
2. grsecurity http://www.grsecurity.net
3. selinux http://www.nsa.gov/selinux

and i believe chroot jail is highly recommended for precompiled servers, (for example half-life*, UT, etc).
also recompiling with propolice-enabled gcc or even with hardended gcc http://www.gentoo.org/proj/en/hardened/ is always a good security step.
peace

yea thanx,
i'll check that..
mustafa

BTW mandrake's kernel-secure package (default kernel starting from higher security level) includes grsec patches.

cheers,
Alaa

ALAA YOU STARTED!
default gentoo-sources come with grsecurity
2.6 comes with selinux
selinux-sources is 2.4.23 with selinux patch

peace

>ALAA YOU STARTED!

??? I hate it when I fall into adultism so I'll skip replying to this line.


>default gentoo-sources come with grsecurity
>2.6 comes with selinux
>selinux-sources is 2.4.23 with selinux patch

thanx for the info, this is actualy useful info to tell about your distro.
it would be even more useful if it is a hidden or otherwise not obvious/no known feature of your distro.

when I say BTW Mandrkae includes grsec by default if you choose security level higher, I'm telling Mandrake users they can use this feature right here right now without needing to go through many steps.

this is IMO useful info and relevant to the topic.

and in case you haven't noticed this whole thread was started by a Mandrake user.

now if you please calrify a bit.
are you saying default Gentoo 2.6 kernel includes Grsec or are you saying gentoo servers offer a portage package to a kernel with grsec patch??

cheers,
Alaa