Step by Step for restricting certain users from any file on the system.
I have 6 users (accounts) on my Linux system and I wanted 5 of the 6 users to be able to dial out using kppp, and the other one to be restricted from doing so.
This step by step can be extrapolated to any file on the Linux system, but I will use kppp as the file whose usage is restricted.
Essentially, two things must be done to accomplish this feat:
1) create a new Group with the users that I want to be able to use kppp
2) change the kppp file to use that group of users and reject all others
The following is for complete neophytes:
First, some explanation is in order:
All Linux files have permissions; the order is USER / GROUP / OTHER.
So when you do an ls -l on kppp you get the following:
-rwSr-xr-x 1 root root 371796 Aug 10 23:24 /opt/kde/bin/kppp
-rwSr-xr-x is the permissions part of the file listing.
The first position is a - if it is a regular file, or d if it is a directory (there are others as well, but they are not relevant to our discussion here).
The next 3 positions are rwx, for readable, writable and executable, for the USER (the owner); the following two sets of 3 are the same for GROUP and OTHER.
The S in the x position of the USER permission field means this file has the setuid bit set. This means that anyone who can execute this file executes it as if they were root (the account that can do anything on the system). kppp needs this because it uses another file that only root can access, and the setuid bit solves that problem.
Note also that root is the owner and root is the group.
With the permissions set as above, root and all others can Read (r) and Execute (x) this file, since user, group and other all have the r and x attributes set.
We want to change that.
Down to Nuts and Bolts:
First we create a group of trusted users by editing the /etc/group file, adding a line like the following:
This tells the system that I have a group whose name is trusted, that it has a groupid number of 300, and that user1, user2, user4, user5 and user6 are in that group. Note that the groupid number MUST BE UNIQUE in the /etc/group file. Also note that user3 is absent from the list -- that user will be restricted.
Now change the kppp file permissions so that no one in the Other category can access the file, and change the group to trusted.
We use two commands to do this (as root, of course):
chmod changes the permissions on the file (in this case it takes away r and x from Other), and the second command changes the file's group to trusted.
Now you have:
-rwSr-x--- 1 root trusted 371796 Aug 10 23:24 /opt/kde/bin/kppp
Looking at it again, we have rwS for the owner (root), r and x for the group (the new group we added, called trusted), and no permissions at all for other.
This now means that only root and the users delineated in the group trusted will be able to read and execute the file. All others have no permission whatsoever.
Now when user3 tries kppp he gets a permission error, which effectively stops him from using kppp to dial out, while all the other users can still use kppp.
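The whole procedure above (the /etc/group entry, the group change and the permission change) as an added shell example; it is not the howto's own text. It assumes GNU coreutils (stat -c) and an "x" password field in the group entry; the demo uses a scratch file and your own primary group so it runs without root, whereas the real commands run as root on /opt/kde/bin/kppp with the group trusted.

```shell
#!/bin/sh
# Added example, not part of the original howto. Assumes GNU coreutils
# (stat -c) and an "x" password field in the /etc/group entry (shadowed
# group). For real use run restrict_to_group as root against
# /opt/kde/bin/kppp with the group trusted.

# Build the /etc/group line for a new group: name, numeric gid, members.
#   group_line trusted 300 user1 user2 user4 user5 user6
# gives  trusted:x:300:user1,user2,user4,user5,user6  (user3 left out).
group_line() {
    name=$1; gid=$2; shift 2
    members=$(printf '%s,' "$@")        # "user1,user2,...," (trailing comma)
    printf '%s:x:%s:%s\n' "$name" "$gid" "${members%,}"
}

# True if the gid is not yet used in /etc/group (the howto's MUST BE UNIQUE).
gid_is_free() {
    ! cut -d: -f3 /etc/group | grep -qx "$1"
}

# Hand the file to the group, then fix the mode: strip r and x from Other
# and re-set setuid, because Linux clears the setuid bit whenever a file's
# owner or group changes (see chown(2)), even when root does the chgrp.
restrict_to_group() {
    chgrp "$2" "$1" && chmod u+s,o-rx "$1"
}

# Symbolic mode, owner and group, e.g. "-rwSr-x--- root trusted".
show_perms() {
    stat -c '%A %U %G' "$1"
}

# Demo on a scratch file so it runs without root: your own primary group
# stands in for trusted, and 4655 mimics the howto's -rwSr-xr-x (capital
# S: setuid set but the owner's own x bit clear).
demo() {
    tmp=$(mktemp)
    chmod 4655 "$tmp"
    restrict_to_group "$tmp" "$(id -gn)"
    show_perms "$tmp"                    # -rwSr-x--- <you> <your group>
    rm -f "$tmp"
}

demo
```

Without the u+s in restrict_to_group the file would end up -rw-r-x--- after the group change, and kppp would no longer run as root for anybody.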