What's the difference between the groups (wheel, nogroup etc.) & shell (csh, scponly)?

Status
Not open for further replies.

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
Hey, what's the difference between the groups (wheel, nogroup etc.) and the shell (csh, scponly etc.)?

Also, how secure is SFTP through SSH with the settings selected above? Is it quite good?
Also, I have set up 2 user accounts for this, one for me and another for guest. Is there any way of changing the permissions for the guest so they can only read, not write/delete? Also, I can access one of the folders in my volume. It was a backup folder which was synced from my computer (through a comp program). Is this caused by the program or something else to do with FreeNAS?

Cheers
 

califrag

Dabbler
Joined
Sep 9, 2011
Messages
16
> Hey, what's the difference between the groups (wheel, nogroup etc.) and the shell (csh, scponly etc.)?
>
> Also, how secure is SFTP through SSH with the settings selected above? Is it quite good?
> Also, I have set up 2 user accounts for this, one for me and another for guest. Is there any way of changing the permissions for the guest so they can only read, not write/delete? Also, I can access one of the folders in my volume. It was a backup folder which was synced from my computer (through a comp program). Is this caused by the program or something else to do with FreeNAS?
>
> Cheers
The difference between the shells is that csh allows an SSH client to log in (i.e. via PuTTY) and execute terminal commands (which can be potentially bad).

Setting it to scponly lets them use SFTP but disallows SSH client login, theoretically making it more difficult to break anything.

The groups determine what files they have access to.

For example, I have these users:
me
brother
mom
dad

and this group
family

For 'me', my primary group is wheel, because I want access to everything (basically the same as root, I guess).

For 'brother', the primary group is 'nogroup' (I don't want him messing with any root files).
He has his own files in a folder '/mnt/data/brother' that is chowned to user:group 'brother:wheel' (this way he can access them, and so can root/wheel, but nobody else).

The same is done for 'mom' and 'dad' in /mnt/data/mom and /mnt/data/dad respectively.

We have shared files in a folder '/mnt/data/family' that is chowned to user:group 'www:family', which allows anybody in the 'family' group to access them.

In order to allow 'brother', 'mom' and 'dad' to access the 'family' shared folder, we modify their 'auxiliary groups' and add the 'family' group.

Now they can access /mnt/data/(brother/mom/dad) because of user rights, but it is protected from cross-user access (mom getting into brother's stuff etc.). They can also access /mnt/data/family because of group rights.



So this is just an example based on my own setup. You can really customize it however you want by setting up the users/groups and using chown.



For your case, say you have the folder /mnt/data/ftp/ that you want to share.

You have a user 'me' which you will want to put as primary group wheel, since you will obviously want full access.

You have a user 'guest' which you will want to put as primary group nogroup, since you don't want them to have full access.

You don't have to create any extra groups.

Go to your /mnt/data/ folder and do an 'ls -l'.

Hopefully your ftp folder is set to drwxrwxr-- root:wheel.

If not, you will need to change the permissions/ownership.

change ownership
Code:
chown -R root:wheel /mnt/data/ftp


change permissions
Code:
chmod -R 774 /mnt/data/ftp


This should change the permissions to make it so that 'other' people who are not user 'root' or not in group 'wheel' will have read-only access.

Accessing SSH via password login is more secure than not using SSH.

An extra security step would be to generate certificates and use passwordless login. This means that you have specific 'key' files (certificates) that you install on the client side which allows SSH to authenticate without having to enter a password.

For example, when you are using normal authentication and you login through PuTTY, you will be prompted for a username and password.

With certificates, you install the certificate onto the client machine and as soon as you connect PuTTY will automatically authenticate with the server and connect you.

This would apply the same to SFTP (normal authentication which requires username/password combination vs. certificate authentication which is passwordless).

I'm not exactly sure what you mean about your backup folder but I hope I've answered your other questions.
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
So can you give me the codes to change permissions and ownership of folders for:

How to change all (giving everyone ownership and permissions as it is with the standard files)

How to give ownership to multiple accounts.

Also, when I made these changes that you gave me, the other accounts that were meant to be read-only could not see anything in the folders. They could access the folder but it appeared that nothing was in there. How do you fix this so everyone else can read and see the files?

Also, what is the significance of permissions? And how does the code work? As in, how do you change it to work for different things? Don't think that just made sense, but I'm not really sure how to ask what I'm thinking.

So yes, you answered my question on the backups folder. What happened was I did not have access to the folder when I logged in using a different group. But I used your code:

changing wheel to my group for myself, e.g. my name

chown -R root:myname /mnt/data/ftp

This allowed me to access these files, except as stated before no one else could see them when they should have read privileges.


thanks
 

califrag

Dabbler
Joined
Sep 9, 2011
Messages
16
> So can you give me the codes to change permissions and ownership of folders for:
>
> How to change all (giving everyone ownership and permissions as it is with the standard files)
>
> How to give ownership to multiple accounts.
>
> Also, when I made these changes that you gave me, the other accounts that were meant to be read-only could not see anything in the folders. They could access the folder but it appeared that nothing was in there. How do you fix this so everyone else can read and see the files?
>
> Also, what is the significance of permissions? And how does the code work? As in, how do you change it to work for different things? Don't think that just made sense, but I'm not really sure how to ask what I'm thinking.
>
> So yes, you answered my question on the backups folder. What happened was I did not have access to the folder when I logged in using a different group. But I used your code:
>
> changing wheel to my group for myself, e.g. my name
>
> chown -R root:myname /mnt/data/ftp
>
> This allowed me to access these files, except as stated before no one else could see them when they should have read privileges.
>
> thanks


To give everyone full access, use chmod 777.

The way chmod works is the numbers signify read, write, execute or any combination thereof.

http://en.wikipedia.org/wiki/Chmod

# Permission
7 full
6 read and write
5 read and execute
4 read only
3 write and execute
2 write only
1 execute only
0 none

When you chmod, you can set the three permission states for User:Group:Other.

777 means everybody has full access. 774 limits 'Other' to read only.

You can also use letters:

chmod -R ugo+rwx /mnt/data/ftp
^ same as chmod -R a+rwx /mnt/data/ftp

u=user, g=group, o=other, a=all
r=read, w=write, x=execute


more info on permissions here: http://www.albany.edu/faculty/gms/homepage101/unix_permissions.html


To give ownership to multiple accounts you will need to use groups.

So if you have /mnt/data/ftp and you want both users 'me' and 'anotherperson' to have ownership, you will need to set the ftp folder by chown so that the group will be one that is shared between the users OR add the other user to your 'myname' group in auxiliary groups (you will probably want a shared group).

To use a shared group, if you have an account 'me' and an account 'anotherperson', you will need to create a new group 'shared' or whatever, then add that group to both accounts' auxiliary groups, then set the chown -R root:shared /mnt/data/ftp and both accounts should be able to see, read, write and execute the files.

You may need to add read and execute access for 'other':

chmod -R 775 /mnt/data/ftp

or

chmod -R o+rx /mnt/data/ftp

This should allow other users to get directory listings and browse folders.
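Added example (my own script, not code from the thread): a small POSIX shell script that reproduces the symptom tmacka88 reports (a folder other accounts can open but that looks empty) after the `chmod -R 774` from the first reply, and applies the o+rx fix from this reply per file type, so files do not all become executable. It works only in a scratch directory from mktemp; no users or groups are created, so chown is left out.

```shell
#!/bin/sh
# Added example, not from the thread. Works in a scratch directory only;
# no users or groups are created, so chown is not exercised here.

# Symbolic mode string of a path, e.g. "drwxrwxr--" (first 10 chars of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Build a scratch tree shaped like the /mnt/data/ftp folder in the thread.
# Prints the path of the tree root.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ftp/photos"
    printf 'readme\n' > "$root/ftp/readme.txt"
    printf 'jpegdata\n' > "$root/ftp/photos/a.jpg"
    printf '%s\n' "$root/ftp"
}

# Print every directory under $1 where some class (user, group, other) has
# read but not execute. Such a directory opens but its entries cannot be
# reached: the "it appeared nothing to be in there" symptom. After
# 'chmod -R 774' every directory is in this state for 'other'.
find_unlistable_dirs() {
    find "$1" -type d | while read -r d; do
        m=$(mode_of "$d")
        for pos in 2 5 8; do        # position of the r bit for u, g, o
            r=$(printf '%s' "$m" | cut -c"$pos")
            x=$(printf '%s' "$m" | cut -c"$((pos + 2))")
            if [ "$r" = r ] && [ "$x" != x ]; then
                printf '%s\n' "$d"
                break
            fi
        done
    done
}

# The o+rx fix from the reply, applied per type: directories 775 so they can
# be entered and listed, files 664 so they stay readable without becoming
# executable (which a plain 'chmod -R 775' would make them).
fix_tree() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Number of unlistable directories, for a quick pass/fail check.
count_unlistable_dirs() {
    find_unlistable_dirs "$1" | wc -l | tr -d ' '
}
```

Run as the folder's owner or root; the checks only read mode strings, so they work even though root itself is never blocked by permission bits.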
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
Thanks heaps mate, helped a lot. Is there any way of saving these changes so when you do a clean install they are still active? Or once you make these changes, does it do it to the data on the HDDs (making it permanent)?

cheers
 

califrag

Dabbler
Joined
Sep 9, 2011
Messages
16
> Thanks heaps mate, helped a lot. Is there any way of saving these changes so when you do a clean install they are still active? Or once you make these changes, does it do it to the data on the HDDs (making it permanent)?
>
> cheers

These changes, since they are made on a mounted volume separate from the embedded FreeNAS image, should remain intact after a new/clean install. You WILL need to recreate any users or groups through the FreeNAS interface though. The permissions are tagged directly to the files and directories themselves.
 