Sorry... I guess I just assumed full Linux literacy.
OK... Hmm, how to say this with the least confusion...
By default, a group is created along with each user account when they are created by the system. The following examples are lifted from my Chromebook. (It is running an Ubuntu variant, for clarity.)
If we do a "long list" in the home folder, we will get output like this:
chromebook@chromebook:~$ ls -ll
total 4525448
drwxrwxr-x 2 chromebook chromebook 4096 Jun 9 22:32 books
drwxr-xr-x 2 chromebook chromebook 4096 Jul 13 03:09 Desktop
drwxrwxr-x 11 chromebook chromebook 4096 Jul 3 06:44 df_linux
drwxr-xr-x 8 chromebook chromebook 4096 Jul 1 08:58 Documents
drwxrwxr-x 3 chromebook chromebook 4096 Jun 17 20:43 dosbox
drwxr-xr-x 5 chromebook chromebook 4096 Jul 10 05:48 Downloads
drwxrwxr-x 6 chromebook chromebook 4096 Jun 4 13:20 fuse-nfs-master
-rw-r--r-- 1 root root 4510416896 Jun 30 21:34 gmbc.iso
-rw-r--r-- 1 root root 73383 Jun 30 21:34 gmbc.log
drwxr-xr-x 2 chromebook chromebook 4096 Jun 3 03:13 Music
drwxrwxr-x 4 chromebook chromebook 4096 Jun 9 07:44 mycloudsrc
drwxrwxr-x 2 chromebook chromebook 4096 Jun 3 06:21 NAS
drwxr-xr-x 3 chromebook chromebook 4096 Jun 11 05:50 Pictures
drwxr-xr-x 2 chromebook chromebook 4096 Jun 3 03:13 Public
-rw-rw-r-- 1 chromebook chromebook 215713080 Mar 25 07:28 setup_aquaria_2.0.0.1.exe
drwxr-xr-x 2 chromebook chromebook 4096 Jun 3 03:13 Templates
drwxr-xr-x 2 chromebook chromebook 4096 Jun 3 03:13 Videos
See how it says 'chromebook chromebook' like that? That is because there is both a user (chromebook) and a group with the same name (chromebook) that were created when I set up the box. That group only has one member: my user account.
It is this situation that requires us to use chown. chown stands for "change owner".
In a nutshell, we want to change all the ownership data for your files so that instead of pointing at this placeholder group the system created, they point at a real group that we have set up for this. I called it DAEMONS in my example above. You can name it anything you want.
When you use chown, the command wants to know both the username for the new owner and the group they belong to, to provision access. Keeping my examples, in my case this would be 'chromebook' for the user and 'DAEMONS' for the group, so the command would look like this:
chown -R chromebook:DAEMONS *
Breaking it down, we are telling chown to change ownership recursively (-R), assigning ownership to the 'chromebook' user, and the 'DAEMONS' group, for all files (*).
This basically just changes the group membership defined for group access for all the files it finds, since we are keeping the same username as the owner.
We need to have a group named DAEMONS for that to work though. As I said, I assumed full Linux literacy, when I probably shouldn't have.
To create a new group with no members, use the groupadd command. (It will probably need to be run from a root shell.)
groupadd DAEMONS
Then add all the user accounts used by the various system daemons to this group with usermod.
usermod -aG DAEMONS [usernameOfSystemDaemon]
To better explain the above, when you install system daemons on a Linux box, the configure script for them creates both a limited user account and a group container for each service. You can get a full list of the user accounts on a system by reading /etc/passwd. We don't care about most of the stuff in that file, just the entries for the user accounts the system knows about. For reference, mine looks like this:
chromebook@chromebook:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false
syslog:x:105:109::/home/syslog:/bin/false
_apt:x:106:65534::/nonexistent:/bin/false
ntp:x:107:113::/home/ntp:/bin/false
avahi-autoipd:x:108:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:109:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:110:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:111:65534:dnsmasq,,,:/var/lib/misc:/bin/false
pulse:x:112:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
rtkit:x:114:121:RealtimeKit,,,:/proc:/bin/false
saned:x:115:122::/var/lib/saned:/bin/false
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:117:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
uuidd:x:118:123::/run/uuidd:/bin/false
chromebook:x:1000:1000:chromebook,,,:/home/chromebook:/bin/bash
sshd:x:119:65534::/var/run/sshd:/bin/bash
statd:x:120:65534::/var/lib/nfs:/bin/false
clamav:x:121:128::/var/lib/clamav:/bin/false
As you can see, there are quite a few special user accounts associated with system services. We need to add each one to our newly created DAEMONS group, so that when those processes run, they can get the read-only access we are providing for them. Just replace the [usernameOfSystemDaemon] field in my example with the username of the daemon you want to make a member of that group, e.g. 'clamav' if you want clamav to be able to read that volume. Do that for each daemon account you want to grant access. (Pain in the ass, but yeah...)
After that, we need to set up the access itself. We do that with the chmod (change mode) command. I gave this example:
chmod -R g=r,o= *
Breaking it down, we are telling chmod to do the following: Change permissions mode recursively (-R), giving group access of read only (g=r), and others no access (o=) for all files (*).
Since your own user gets their access credentials through their user account, they will still have appropriate access through that side of things. (Our chmod example omits meddling with user-level permissions completely and leaves them alone. Only the group and others lists get changed.)
For system services that may need to access those files, we need to add the appropriate user accounts the system created for those services to the newly created DAEMONS group.
AND the last bit of the puzzle-- umask
This is what defines the default permissions assigned to freshly created files. I already linked to the relevant documentation.
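As an added example (editor's code, not part of the original reply), the chmod step and the umask step above can be tried on a throwaway directory tree without root and without touching real data. It skips groupadd/usermod/chown (those need root) and only shows the resulting mode bits; it assumes GNU stat as found on Ubuntu. It also shows a caveat worth knowing before running the recursive chmod: `g=r` strips the execute (traverse) bit from directories, so group members can list but not enter them, whereas `g=rX` keeps traverse on directories only.

```shell
#!/bin/sh
# Added example, not from the original post. Everything happens under a
# temporary directory created with mktemp, so it is safe to run as a normal
# user. Group creation is skipped because it needs root.

# Build a small constructed tree: a directory containing one file.
make_tree() {
    d=$(mktemp -d)
    mkdir "$d/share"
    printf 'hello\n' > "$d/share/notes.txt"
    echo "$d"
}

# Octal mode of a path (GNU stat, assumed available on the Ubuntu box).
mode_of() { stat -c %a "$1"; }

# The post's command: group read-only, others nothing, applied recursively.
# Owner bits are left alone, but the directory loses its group execute bit,
# so group members can read the listing yet cannot enter the directory or
# open the file inside it. Returns "<dir mode> <file mode>" = "740 640".
apply_post_chmod() {
    d=$(make_tree)
    chmod -R g=r,o= "$d/share"
    printf '%s %s\n' "$(mode_of "$d/share")" "$(mode_of "$d/share/notes.txt")"
}

# Same intent with a capital X: directories (and anything already executable)
# keep execute for the group, plain files get read only. Returns "750 640".
apply_traversable_chmod() {
    d=$(make_tree)
    chmod -R g=rX,o= "$d/share"
    printf '%s %s\n' "$(mode_of "$d/share")" "$(mode_of "$d/share/notes.txt")"
}

# umask 027 makes newly created files default to 640 and directories to 750,
# matching the owner-full / group-read / others-nothing layout above, so new
# files dropped into the share do not silently come out world-readable.
# Returns "<file mode> <dir mode>" = "640 750".
umask_demo() {
    d=$(mktemp -d)
    ( umask 027; : > "$d/new.txt"; mkdir "$d/newdir" )
    printf '%s %s\n' "$(mode_of "$d/new.txt")" "$(mode_of "$d/newdir")"
}
```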