On Thu, 5 Aug 2004, Eve Atley wrote:
>
> Ken, thanks for the reply.
>
> You're correct... This is SSH via a graphical client. They are non-technical
> folks who need something simple. I'm just trying to protect any system files
> from accidental deletion.
It might be worth your while to tell us the "graphical client" involved, and (of more use) what server is running on the Linux end for it to connect to. It sounds like you are using ssh to tunnel something, and the unnamed something may have some abilities to control what users see. ssh by itself (that is, used to initiate a console session) does not have that ability.
> > Is my question better stated, then, as how to prevent users from deleting > any of the directories they encounter? If that's the correct question, then > is my solution to set a read-only on any folders that I don't wish deleted? > I'm not an expert on this, but a quick test suggests users need write permission on the directory to be able to write/delete the contents.
Ken is correct as far as he goes, but I don't know if he's gone far enough to answer your question.
Remember that in Linux or Unix (at least with native-mode filesystems), every directory and file has 3 sets of permissions -- for the directory/file's owner, its group, and "everybody". Here, you're concerned about either the second or third set ... from what you've written, I'm not sure which.
The directory's actual owner will almost surely want to have rwx permissions. But the directory's group and "everybody" modes can be more restrictive. How restrictive depends on details you have not told us about your setup.
For example, if you want these users to be able to cd to the directories in question, list their contents, and run programs and scripts located in them, then the users need execute (x) access to these directories. Read access (r) by itself will not do. The files and subdirectories within these directories should be, for those users, either read-only (r--) or read-execute (r-x), as appropriate. Whether these settings apply to the group permissions or the everybody permissions depends on details that either you have not provided or I missed.
For genuine system directories, users should already be unable to delete them (hint: don't test this on the real directories just in case!). For your new data directories, maybe some of the data can conveniently live in read-only directories. Beyond that, frequent backups (search for backing up with rsync) are good.
> > something : system directories show up if you go too far up the
> > hierarchy, but permissions should prevent you writing in them.
>
> Is it possible to keep users from proceeding up further in the hierarchy, by
> chance?
>
> - Eve
>
>
I don't think so. Normally, everyone can read the top-level directories except lost+found and they certainly need access to /tmp,
Right. Your only hope here is that the specific "graphical client" your naive users connect through has some capability to help you.
I don't know a way to prevent any user from seeing the very top level of your filesystem hierarchy (the contents of /). And your system will act very strangely if /tmp is not mode 777, as Ken says. Beyond that ... other top-level directories are usually mode 755, and need to be so users can run the programs and access the other files (e.g., program configuration files) in them.
- To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs
