
Re: [cobalt-users] Repost: Qube2 Security settings



At 01:59 AM 1/17/00  Jason Aspinall wrote:

I have enabled our Qube2 so that our users' pages are available for the world
to see.  How would I go about altering the config settings so that I can
create a user/group account whereby it would only be seen by our lan users?

You'd need to change a LOT of file permissions. File permissions are visible with a long directory readout, as in
  $ ls -al

and look something like this:

  -rwxrwxrwx
   \1/\2/\3/
    |  |  |
    |  |  world (see below)
    |  group (see below)
    owner (see below)

As you may know, "r" means Read, "w" means write, and "x" means execute.

Every file on your system with an "r" in the "world" set can be read by the world.

So the first thing to do would be to get rid of those "r"s.

For example, if you have a file with a mask of: -rwxrwxrwx, the numeric way of saying that is 777 (binary, counting each group of three; values as follows: -421421421). You don't want the world to have any rights, so you change it with the following command: $ chmod 770 filename. That results in a mask of: -rwxrwx---.

Then you have to make everyone inside your lan a member of the group the file belongs to, and make sure to set the proper permissions for the group.

One way would be to add each user to the group for each site. In my example below, I'm using site5. Site 5 is the site holding the user you want visible to everyone on the lan. You've already changed the masks for all the user's files to
"-rwxr-x---".

In the file /etc/group, see the line:

  site5:x:116:admin

Just add all the users on the lan; i.e.:

  site5:x:116:admin,firstuser,seconduser,etc.

Cumbersome.  I said it was.

Another way would be to add every user to a new group you invent called "lanusers".

To do this you simply add a line to the group file; something like this:

  lanusers:x:999:firstuser,seconduser,etc.

and change the group ownership of every file in the users directory to be owned by lanusers.

Cumbersome, too. I said it would be <wry grin>. If you use the second method, and add a user yourself, be sure to use a group number not being used yet in your system instead of the "999" I used in my example. CAUTION: I've not tested adding groups to see if doing so breaks anything in the GUI, or if using the GUI afterwards breaks the new group.

Jeff

--
Jeff Lasman, nobaloney.net
<jblists@xxxxxxxxxxxxx>
<www.nobaloney.net>, <www.mailtraqna.com>, <www.email-lists.com>
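
The second method from the message above (one shared group, no world bits), written as shell functions. This is an added example and not part of the original message; the function names are hypothetical, the directory and group are supplied by the caller, and the group is assumed to exist in /etc/group already.

```shell
#!/bin/sh
# Added example: hand a directory tree to one group and remove every
# "world" permission bit, then verify that nothing was missed.

# List every entry under DIR that still grants r, w or x to world.
# Symlinks are skipped: their own mode bits are not what access checks use.
world_accessible() {
    find "$1" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# restrict_to_group DIR GROUP
# Returns 0 only if, afterwards, no entry under DIR is world-accessible.
restrict_to_group() {
    rtg_dir=$1
    rtg_group=$2

    [ -d "$rtg_dir" ] || { echo "not a directory: $rtg_dir" >&2; return 2; }

    # Record what is exposed before changing anything (useful for review).
    echo "world-accessible before change:" >&2
    world_accessible "$rtg_dir" >&2

    # Group ownership first: if the group is wrong or missing, stop here
    # rather than strip world access and leave the files with the old group.
    chgrp -R "$rtg_group" "$rtg_dir" || return 1

    # o-rwx clears only the world triplet; owner and group bits are kept,
    # so -rwxrwxrwx becomes -rwxrwx--- and drwxr-xr-x becomes drwxr-x---.
    chmod -R o-rwx "$rtg_dir" || return 1

    # Verify instead of assuming: count what is still exposed.
    rtg_left=$(world_accessible "$rtg_dir" | wc -l)
    [ "$rtg_left" -eq 0 ]
}

# Usage (constructed path and group name):
#   restrict_to_group /path/to/users lanusers
```

Files created after the run get whatever group and mode the creating user's defaults produce, so `world_accessible` is worth re-running as a periodic check.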