Complex Linux user permissions
This is a quick guide on how to configure complex directory and file permissions to allow users to access another user’s home directory
In my work, we have individual user accounts on our production hosts, i.e.
root@prod> ls /home
joe/ mary/ bob/ spaceball/
Each user's home directory keeps the default permissions, e.g.
drwx------. 3 mary mary 88 Jul 12 10:15 mary/
We have a requirement to explicitly control access to production data. For example:
user Joe should be able to SSH to a prod host as "spaceball" and then do his work using this shared "spaceball" account
user Mary is not allowed to write to spaceball's home directory (or execute any scripts there), but she is a member of the "employees" group, so she should have read-only access to every file and directory inside /home/spaceball
root@prod> groups mary
mary: mary employees
So in this example, I need to configure the following access rules:
- only Joe and Bob should be able to SSH to prod host as “spaceball” user and do their work
- anyone in the “employees” group should be able to Read all files and directories under /home/spaceball
- any new file or dir created by “spaceball” user should inherit permissions and ACLs from /home/spaceball
To put these rules into action:

1) add "employees" as the group owner of all files and dirs
# -R recursive (drill down into subfolders)
# -h also update symlinks
chgrp -Rh employees /home/spaceball

2) configure default ACLs to enforce the proper permissions on anything created later
# -d sets the default ACL, which new files and dirs inherit
# give the spaceball user rwx
# give group "employees" read only, plus the execute bit on directories (capital X) so they can 'ls' into them
# remove all access for others
setfacl -d -Rm u::rwX,g::rX,o::- /home/spaceball

3) set the setgid bit on the directories, so new files inherit the "employees" group
chmod -R g+s /home/spaceball
# remove any existing write access for the group
chmod -R g-w /home/employees

4) add Joe's and Bob's public SSH keys to spaceball's authorized_keys file
vi /home/spaceball/.ssh/authorized_keys
(add keys here)
Any new files or dirs created by spaceball will have the following permissions:
ls -la /home/spaceball
-rw-r-----. 1 spaceball employees 0 Jul 12 14:28 file1
drwxr-s---+ 2 spaceball employees 6 Jul 12 14:29 dir1
As you can see, new files keep read/write for the spaceball user, read-only for employees, and no access for others.
dir1 shows rwx for the user and r-s (read plus the setgid bit) for employees, which means any member of employees can read the directory and 'ls', 'cd', 'cat', etc. inside it.
The '+' at the end of dir1's permissions is the ACL indicator: it tells you custom ACLs are set on the directory.
To view these ACLs, run
getfacl dir1
# file: dir1
# owner: spaceball
# group: employees
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---
The output confirms our access rules.
You can also test SSH access, which should work:
joe@desktop> ssh spaceball@prod
spaceball@prod> ls -la
-rw-r-----. 1 spaceball employees 0 Jul 12 14:28 file1
drwxr-s---+ 2 spaceball employees 6 Jul 12 14:29 dir1
Allow another user read/write permissions into /home/spaceball
To allow another user to read/write into /home/spaceball, make sure /home/spaceball itself is not group-writable, because that breaks SSH access (sshd's StrictModes check rejects authorized_keys when the home directory is writable by the group).
To allow a user named Kevin to read and write into /home/spaceball:
root@prod> setfacl -Rm u:kevin:rwx /home/spaceball
This recursively gives Kevin read/write into all subfolders under /home/spaceball (Kevin will not be able to write into the top-level /home/spaceball, only into its subfolders).
Now make sure /home/spaceball is not 770 (that will break SSH access):
root@prod> chmod 750 /home/spaceball
Test SSH access to the spaceball account, and also as Kevin:
joe@desktop> ssh spaceball@prod (OK)
kevin@desktop> ssh kevin@prod
kevin@prod> touch /home/spaceball/subdir/testfile
Kevin should be able to write into the subfolders, but not into the home directory itself (/home/spaceball), as that would break spaceball's SSH access.
Record all your permissions for backup and restore
To record the permissions of all your files and directories, dump all perms into a file:
root@prod> getfacl -R /home/spaceball > /tmp/acl_backup.txt
This file will contain every file and dir with its ACLs (note that getfacl strips the leading '/' from absolute paths, so run the restore from / to get the same paths back).
To restore all permissions:
root@prod> setfacl --restore=/tmp/acl_backup.txt
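As an added example (not part of the original post), here is a small Python audit that parses a getfacl dump like the one shown above or the /tmp/acl_backup.txt file and flags entries that break the access rules: wrong group owner, group write, any access for others, or a directory without the setgid bit. The sample dump is constructed, and parse_getfacl, audit and RULES are names I chose.

```python
# Constructed sample `getfacl -R /home/spaceball` dump (leading '/' stripped by getfacl); dir1 is deliberately wrong.
SAMPLE_DUMP = """\
# file: home/spaceball
# owner: spaceball
# group: employees
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---

# file: home/spaceball/dir1
# owner: spaceball
# group: employees
user::rwx
group::rwx
other::---
default:user::rwx
default:group::r-x
default:other::---
"""

def parse_getfacl(dump):
    """One dict per path: header fields (file, owner, group, flags) plus an 'acl' map of tag -> perms."""
    entries = []
    for block in dump.strip().split("\n\n"):          # getfacl separates entries with a blank line
        ent = {"flags": "---", "acl": {}}              # '# flags:' is omitted when no suid/sgid/sticky bit is set
        for line in block.splitlines():
            if line.startswith("# "):
                key, _, val = line[2:].partition(": ")   # "# group: employees" -> ("group", "employees")
                ent[key] = val
            elif line:
                tag, _, perms = line.rpartition(":")    # "default:group::r-x" -> ("default:group:", "r-x")
                ent["acl"][tag] = perms
        entries.append(ent)
    return entries

RULES = [  # (finding, predicate): the access rules from the post, flags[1] is the setgid position
    ("group owner is not employees", lambda e: e.get("group") != "employees"),
    ("group has write access (read-only rule; on the home dir this also breaks SSH)", lambda e: "w" in e["acl"].get("group:", "")),
    ("others have access", lambda e: e["acl"].get("other:", "---") != "---"),
    ("setgid bit missing on directory", lambda e: any(t.startswith("default:") for t in e["acl"]) and e["flags"][1] != "s"),
]

def audit(entries):
    """(path, finding) pairs for every entry that breaks one of the access rules; directories are recognised by their default:* entries."""
    return [(e["file"], finding) for e in entries for finding, broken in RULES if broken(e)]
```

Run it over a real dump with audit(parse_getfacl(open("/tmp/acl_backup.txt").read())); an empty list means every entry matches the rules.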
Linux permissions and ACLs are very flexible and powerful, as long as you understand what each command does.
Obvious Warning: Be very careful modifying permissions and ACLs on prod hosts, this can have drastic consequences for your environment. Be sure to test permissions on a test box first