Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 73 views
Use setfacl to remove a user's access to a directory?
So here is something I could not find any reference to. I have this user, user_A, and I want to remove its access to this directory entirely: /log/dirA.
As far as I understand, chmod is used to modify the access in this order: user/group/others.
Others is general and does not care who this is; anyone other than the user who is also not a member of the group will be "other(s)", so I don't want to mess with other users' access to this path, but I want to limit user_A from accessing it.
Does **setfacl** work for directories too? Because I used this command, which I think should deny read/write/execute access to the mentioned directory for user_A, but the user is still able to cd into the mentioned dir. Does setfacl apply only to files?
Command:
```sh
setfacl -Rdm u:user_A:--- /log/dirA
```
`ls -lhtr` of the mentioned path:
```
rwxr-xr-x+ 3 Mainuser Mainuser 19 Apr 17 2018 dirA
```
`getfacl /log/dirA`:
```
# file: dirA/
# owner: Mainuser
# group: Mainuser
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user_A:---
default:group::r-x
default:mask::r-x
default:other::r-x
```
Navid Taghavi (25 rep), May 19, 2025, 08:45 AM. Last activity: May 19, 2025, 02:58 PM
0 votes, 2 answers, 56 views
Restrict a user's access to all directories but one
So there is a user that was created by root, and it pretty much has access to most/all directories on the system. We want to use this user only for FTP via lftp to read a certain file on the server where this user is located; let's call it config-server.
So all the other servers have scripts that will use lftp/ftp to access the config-server using this user to read the desired config file.
As the user and password will be saved on the other servers, we want to restrict this user's access to all other unnecessary directories. And no, we don't want to restrict the user's FTP access; we want to restrict the user itself.
My goal is to do it at once, or at least once for each mount point, like configuring his/her access globally once to 000, then going to the desired directory and giving him read access to that directory only.
So how can I do this globally? Is it possible?
I thought I could use recursive chmod/setfacl on all directories/mountpoints while signed in as root, and then, as root, give that user access to the config files' path?
Is this a viable solution, or does it have risks? If not, please share your solution.
Note: We have some 74 servers, which nullifies the point of storing the config on each server separately.
EDIT:
Server OS is Red Hat 6.9 (or later for other servers).
Also, the access method used in the script would be ftp, but like I said, since the user and password are present in the scripts that are on the other servers, we should prevent the user's overall access: someone might use ssh, or even direct login, and we can't be held responsible for allowing that to happen. Also, we have limited access to most of our servers (configuration-wise); this is one of the few where we do have root access and the OS is not managed by another team.
But we ourselves will need to be able to log in to this user (can't complicate it too much; not every member that is added to the team has good Linux/OS knowledge. Ironically, right now two new members, trained by me and my ex-colleague in Linux, one of whom is an IT student, still didn't know what command is used to switch user; both use right click to copy and paste :| ).
Navid Taghavi (25 rep), May 13, 2025, 10:55 AM. Last activity: May 14, 2025, 10:29 AM
0 votes, 1 answer, 3148 views
Problem of denied access using kvm
I would like to test kvm with openSUSE Tumbleweed.
I successfully installed kvm, but I am stuck in creating my first VM.
The trick is that I want to have the VM's directory on an external HDD.
When I set the directory of the VM file I get this error message:
> Impossible de terminer l'installation : « Cannot access storage file '/run/media/lowley/424b7b47-883d-42ac-b6f3-994c0c01c01f/sauvegardes/fedora-haskell.qcow2' (as uid:471, gid:10): Permission denied »
I am not very strong in managing user rights. I set root to belong to the kvm group, but I still have this error.
Can you help me?
Thank you,
olivier
EDIT
I launch it by entering `virt-manager`, as me and not as root.
In fact I have a shortcut on the desktop.
lolveley (99 rep), Jul 4, 2016, 08:34 PM. Last activity: May 11, 2025, 03:03 PM
0 votes, 1 answer, 863 views
Apache 2.4: Restrict access to reverse proxy by IP range, and redirect requests from all other hosts
We have a front-end proxy server that serves pages from a back-end website (both running Apache 2.4):
```apache
# Apache config snippet from frontend server
SSLProxyEngine on
ProxyPass "/blah" "https://backend.invalid/blah"
ProxyPassReverse "/blah" "https://backend.invalid/blah"
```
(In other words, accessing anything under https://frontend.invalid/blah actually retrieves the content from the back-end site. This is working as expected.)
In order to do some maintenance work on the back-end site, I would now like to only allow access to the proxy (and back-end site) from certain IP ranges (something like `Require ip 123.123 172.20.0.0/16`, etc., for several ranges), and for all requests **not** from within these ranges, redirect those requests to a different site with a status page instead.
I suspect that this will require either some fairly complicated `mod_rewrite` config (always a "several coffees required" task) and/or possibly use of the `If` and `Else` directives.
Can anyone advise how best (or, perhaps, how simplest) to set this up?
dave559 (451 rep), Feb 28, 2024, 04:49 PM. Last activity: Apr 26, 2025, 03:43 PM
1 vote, 1 answer, 1377 views
Can you access Bluetooth or audio devices over XRDP?
I have set up XRDP on an Ubuntu computer that I wanted to access remotely. There are Bluetooth and audio devices attached to that remote device that I would like to access. Using XRDP, it shows that there is no Bluetooth dongle, and under Audio (Sounds) there are no microphones and the only audio output is a "Dummy Output".
Is there a way to gain access to these hardware devices over XRDP? I have also tried Chrome Remote Desktop and I get the same thing.
- Local: Windows 10 Pro
- Remote: Ubuntu 20.04
SpenserWilson1 (89 rep), Feb 17, 2021, 05:08 PM. Last activity: Mar 20, 2025, 09:40 AM
0 votes, 0 answers, 342 views
Restricting user access to command with specific flags
Is there a way to restrict a user's access so that they can still execute a command, but only with a particular flag?
For example, if I want to allow users to be able to read all files, they should be allowed to run `chmod 444 [file]`, but I don't want them to be able to set any other access level.
Or `lspci -vvv` shows the bus speed and lane width only when running as root. But I would like certain users to be able to see that information.
Is there a way to restrict these two commands to be runnable only with these flags?
BionicKnee (1 rep), May 2, 2019, 03:58 PM. Last activity: Mar 17, 2025, 08:24 AM
1 vote, 0 answers, 15 views
Solaris 10 rbac: works fine but not for fdisk
I edit prof_attr:
```
Altro-prof:RO::\
Altro prof:
```
I assign some commands for "altro-prof" (`vim exec_attr`):
```
Altro-prof:solaris:cmd:RO::/usr/sbin/prtvtoc:uid=0
Altro-prof:solaris:cmd:RO::/usr/sbin/fdisk:euid=0,privs=all
```
I assign the profile "Altro-prof" to a user with `usermod -P`.
The command prtvtoc works fine; the command fdisk returns this:
```
pfexec -P all fdisk /dev/rdsk/c0t2d0p0
fdisk: Cannot open device /dev/rdsk/c0t2d0p0
```
Why?
The user has the profile assigned:
```
profiles
Comandi-root
Altro-prof
Basic Solaris User
All
```
elbarna (13690 rep), Jan 25, 2025, 03:31 PM. Last activity: Jan 28, 2025, 02:17 AM
0 votes, 0 answers, 96 views
Bitmask permissions
**It's a tutorial problem in a Linux course**:
The command `ls -la /` gives this result:
```
total 72
drwxr-xr-x 19 root root 4096 Apr 15 23:39 .
drwxr-xr-x 19 root root 4096 Apr 15 23:39 ..
lrwxrwxrwx 1 root root 7 Jan 28 22:23 bin -> usr/bin
drwxr-xr-x 4 root root 4096 Jan 28 22:30 boot
drwxr-xr-x 18 root root 3320 Apr 15 23:24 dev
drwxr-xr-x 73 root root 4096 Apr 15 23:24 etc
drwxr-xr-x 4 root root 4096 Feb 5 20:55 home
lrwxrwxrwx 1 root root 7 Jan 28 22:23 lib -> usr/lib
drwx------ 2 root root 16384 Jan 28 22:23 lost+found
drwxr-xr-x 3 root root 4096 Jan 28 22:23 media
drwxr-xr-x 2 root root 4096 Jan 28 22:23 mnt
drwxr-xr-x 2 root root 4096 Jan 28 22:23 opt
dr-xr-xr-x 133 root root 0 Apr 15 23:24 proc
drwx------ 5 root root 4096 Apr 15 23:47 root
drwxr-xr-x 17 root root 520 Apr 15 23:25 run
lrwxrwxrwx 1 root root 8 Jan 28 22:23 sbin -> usr/sbin
drwxrwxrwx 3 root root 4096 Apr 15 23:40 something
drwxr-xr-x 2 root root 4096 Jan 28 22:23 srv
dr-xr-xr-x 13 root root 0 Apr 15 23:24 sys
drwxrwxrwt 8 root root 4096 Apr 15 23:47 tmp
drwxr-xr-x 11 root root 4096 Jan 28 22:23 usr
drwxr-xr-x 11 root root 4096 Jan 28 22:23 var
```
The command `ls -lR /something` produces this result:
```
/something:
total 4
drw-r-xr-x 3 george george 4096 Apr 16 14:24 one
/something/one:
total 4
drwxr-xr-x 2 george george 4096 Apr 15 23:47 two
/something/one/two:
total 4
-rwxrwxrwx 1 george george 7 Apr 15 23:47 somefile
```
We work under the user `george`, i.e. the command […] gives us […]. The george command gives us the result: `george users`.
What result do we get for the `[…] /something/one/two/somefile` command and why?
**My attempt to solve the problem**:
**1. Let's see what access rights we have to somefile:**
The file `somefile` has `-rwxrwxrwx` rights, hence **user, group and other** all have the rights to read, write and execute this file. Hence, the user **george** can read this file.
**2. Let's make sure that somefile exists:**
Running the `ls -lR /something` command displays a list of all files and subdirectories in the `/something` directory, including permissions information and file size, with superuser privileges. The file is located in the `/something/one/two/somefile` directory.
**3. Let's check the access rights of the directory /something/one/two/somefile:**
Directory […] has access rights `-r-xr-x`: user **george** has permission to enter this directory and read the contents;
Directory […] has `-xr-x` access rights: user **george** has permission to enter this directory and to read the contents;
By executing the `[…] /something/one/two/somefile` command we will be able to view the contents of the file.
The `-l` command shows that the `somefile` file weighs 7 bytes. If the file contains text or characters, they will be displayed in the console.
**My mentor says these hypotheses need to be tested.**
**How do I test this task?**
KukuruzoFirst (3 rep), Nov 25, 2024, 10:09 PM
7 votes, 1 answer, 1169 views
Cannot open an HTML file stored on RAM-disk with a browser
I wrote a script that generates a PDF and an HTML file on RAM-disk:
- The PDF file can be opened as expected.
- The HTML file can be opened with an editor, but not with a browser.
This is the error message I get from the browser (Chrome, Firefox) on Ubuntu Linux 24.04:
```
Access to the file was denied
The file at file:///dev/shm/test.html is not readable. It may have been removed, moved or file permissions may be preventing access.
ERR_ACCESS_DENIED
```
These are the file details:
```
/dev/shm> ll
-rw-rw-r-- 1 11K 2024-08-30 11:06 test.html
```
If I copy the file to the hard disk, it can be opened as expected:
```
/dev/shm> cp ./test.html ~
```
-------
If I build Chromium from source as explained here, will I be able to open files stored on RAM-disk like `/dev/shm`?
Pietro (663 rep), Aug 30, 2024, 10:21 AM. Last activity: Sep 3, 2024, 10:03 PM
0 votes, 0 answers, 63 views
Firejail video access from shell
I have been playing around with firejail and tried to get a profile where access to the webcam is blocked. I tried this with 'cheese' as an application, which shows the webcam, and found `--novideo` in the documentation.
So:
```sh
$ firejail --novideo cheese
```
And success, no video found.
But if I use that same configuration with a shell:
```sh
$ firejail --novideo bash
```
and then start cheese from there, video works fine. So access to the webcam is still possible? Does cheese connect to some other process?
I tried other promising settings, but I was always able to have cheese access the webcam. I assume if that program can access it, other programs could as well.
bananabook (92 rep), Aug 17, 2024, 10:15 AM
0 votes, 0 answers, 75 views
You don't have write permission to backup destination
Debian 12, using whatever the built-in backup system is.
I have it set to back up to an external drive that's dedicated to this purpose.
When I hit the button to do a backup, it says I don't have write permission.
I have verified that indeed I can't create a file or folder on that drive without using sudo.
How do I grant myself and the backup process the access it needs to do a backup?
Thanks.
Selected backup drive:
Go button and resulting error:
Edit with requested details:
- root owns it
- Dolphin says Owner can view & modify, group and others can only View.
- Was ExFAT, reformatted to ext4; now that button does nothing, but the *other* backup dialog says "Giving up after 5 attempts. Error: Error opening file “/backup/duplicity-full.20240802T203854Z.vol1.difftar.gz”: Permission denied"
tsilb (101 rep), Aug 2, 2024, 04:11 PM. Last activity: Aug 3, 2024, 04:53 AM
109 votes, 6 answers, 215569 views
How to check if a user can access a given file?
*nix user permissions are really simple, but things can get messy when you have to take into account all the parent directory access before reaching a given file. How can I check if the user has enough privileges? If not, then which directory is denying access?
For example, suppose a user `joe`, and the file `/long/path/to/file.txt`. Even if `file.txt` was chmoded to 777, joe still has to be able to access `/long/`, and then `/long/path/` and then `/long/path/to/` before. What I need is a way to automatically check this. If `joe` does not have access, I would also like to know where he has been denied. Maybe he can access `/long/`, but not `/long/path/`.
Metalcoder (1235 rep), Jul 9, 2013, 02:05 PM. Last activity: Jul 7, 2024, 03:20 AM
0 votes, 0 answers, 50 views
Prevent a program from writing the HOME directory using SMACK
I have a binary program that creates an empty folder in the HOME directory every time it starts up. I don't like that and want to use the [SMACK](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Smack.html) mechanism to stop it from doing that. My idea is to label the HOME directory with tag `HOME` and the program process with tag `NoWriteHome`, then write three SMACK rules:
```sh
$ sudo setfattr -n security.SMACK64 -v 'HOME' "/home/${USER}"
$ sudo setfattr -n security.SMACK64EXEC -v 'NoWriteHome' "${PATH_TO_EXECUTABLE}"
$ cat _ HOME rwxat
> NoWriteHome _ rwxat
> NoWriteHome HOME r-x--
> EOF
```
I did an experiment on `/usr/bin/bash` and it worked as expected:
```sh
$ cd
$ touch a
touch: cannot touch 'a': Permission denied
```
But when it comes to the program, it failed to start while loading dynamic libraries:
```sh
$ (
> export QT_PLUGIN_PATH="/opt/Wolfram/WolframEngine/14.0/SystemFiles/Libraries/Linux-x86-64/Qt/plugins/"
> export LD_LIBRARY_PATH="/opt/Wolfram/WolframEngine/14.0/SystemFiles/Libraries/Linux-x86-64:/opt/Wolfram/WolframEngine/14.0/SystemFiles/Libraries/Linux-x86-64/Qt/lib"
> export PATH="/opt/Wolfram/WolframEngine/14.0/Executables:${PATH}"
> export ESPEAK_DATA="/opt/Wolfram/WolframEngine/14.0/SystemFiles/FrontEnd/SystemResources/X/espeak-data"
> /opt/Wolfram/WolframEngine/14.0/SystemFiles/FrontEnd/Binaries/Linux-x86-64/WolframPlayer -topDirectory /opt/Wolfram/WolframEngine/14.0
> )
/opt/Wolfram/WolframEngine/14.0/SystemFiles/FrontEnd/Binaries/Linux-x86-64/WolframPlayer: error while loading shared libraries: libML64i4.so: cannot open shared object file: No such file or directory
```
Does anyone know why access to library files is denied? Is there something wrong with my SMACK rules?
Xinyu Wang (1 rep), Mar 18, 2024, 09:44 AM
2 votes, 0 answers, 3676 views
Samsung SMT-G7401 hack
# Samsung SMT-G7401 hack
## Introduction
I have an SMT-G7401_PCS01B (Horizon box) from UPC Switzerland and I would like to install Debian or a multimedia Linux distribution on it, if it is possible; if it is not possible I will just take the HDD for my PC. (I have recently received the "UPC TV Box".)
## Possible and not possible ways
- I can get a log from the UART interface with an "FTDI FT232RL" + "minicom". I have the serial console but I can't do anything.
UART pinout
```
POST: 0xb03
wdt: reset type = 0, reset reason = 0
POST: 0xc02
cefdk_rom_base_addr: 0x00280800
POST: 0xc1f
wdt: acboot win2 end, counter=981466
POST: 0xf02
Warning: No device found in chip select 0
Spi Flash Init Failed and disable SPI Fl
Intel(R) Consumer Electronics Firmware Development Kit (Intel(R) CEFDK)
Copyright (C) 1999-2012 Intel Corporation. All rights reserved.
Build Time (04/17/14 19:20:25).
POST: 0xf05Loading 8051_fw from MFH...
POST: 0xf07
Set flash layout to Samsung 128MB layout
POST: 0xf18
---memory initialization for postbox communication -----
POST: 0xf19
Waiting for 5 sec for DOCSIS PLL1 ready...
DOCSIS PLL1 ready
POST: 0xfa0
SMM: Ok
POST: 0xf24
ACPI Init: finished with table region from 00011ab0 to 00018000
acpi: Created tables at 00011ab0-00018000
POST: 0xf29
HW Revision : 12
CEFDK Version : CE2600 build (SMP enabled)
8051 Firmware : A0-1.2.0 build R 0x20A
8051 FW I/O Module :
Silicon Stepping : B2
Silicon SKU : 0x037
Board Set As : Harbor Park - MG
CPU Threads : 2
CPU Multiplier : 12
CPU Bus Speed : 100 MHz
Memory Size : 512 MB
Memory Type & Speed : x16 DDR3-1333 (10-10-10)
Trusted Boot : Untrusted
Boot Mode : eMMC-NAND (STRAPS)
Registered net controller: e1000
Init External Switch for board Type: 1
Timing data c003
Timing data c03e
ESWITCH ID 1761
1000M FD Link is ready!
Configure IP via static IP.
Mac address is : 54:FA:3E:2F:3C:E3
Host IP address is: 192.168.192.1
Subnet Mask is : 255.255.255.0
Gateway address is: 192.168.192.1
================================================
WARNING:
Please make sure the board type and DOCSIS DDR offset/size are set correctly,
otherwise DOCSIS subsystem won't boot!
If not sure, please use "settings" shell command to show the setup menu,
then check "Advanced Features".
================================================
Press 'Enter' within 0 seconds to disable automatic boot.
Hit a key to start the shell...
**********************************************************
***** Uboot is not upgraded --- boot kernel *****
**********************************************************
Running auto script...
shell> load -m 0x200000 -i a -t emmc
get Active Image info success:240000, 400000, 1, 1, 3
eMMC kernel command: root=/dev/mmcblk0p3
Load data from emmc
Load done.
shell> bootkernel -b 0x200000 "console=ttyS0,115200 ip=static rw"
--- bootkernel ...
... CEFDK -> U-Boot status STAT_USR_FIN
L2sw mode ---
Working Cmd: console=ttyS0,115200 ip=static rw root=/dev/mmcblk0p3
CMD(0x48000)='console=ttyS0,115200 ip=static rw root=/dev/mmcblk0p3 '
WARNING: Ancient bootloader, some functionality may be limited!
```
- I have a JTAG interface but I don't have the necessary stuff to use it. I have searched for an Arduino JTAG adapter but I have not found any good way.
- Two USB ports are there but they are inactive. I read that they are used for diagnostics and specific uses.
- The final way is a mysterious plug; its name is "MPEG/ARM CONSOLE". I found nothing about it. [EDIT] I know which pins are RX, TX and GND, from left to right (when you look at the plug): GND, TX, RX, ?, ?, ?.
I can maybe burn a Linux distribution directly onto the HDD. ¯\\_(ツ)_/¯
Mother board infos
2CoB9 (21 rep), Apr 16, 2020, 07:35 PM. Last activity: Jan 1, 2024, 07:53 PM
2 votes, 2 answers, 2043 views
Restrict Linux process write permission to one folder
I want a process (and all its potential children) to be able to read the filesystem according to my user profile, but I want to restrict that process's write permission to only a set of pre-selected folders (potentially only one).
`chroot` seems to act too broadly: restricting the process to a particular part of the filesystem makes the need to mount `/bin` folders and the like cumbersome. My process should be able to read the content of the filesystem as any normal process I launch.
I could use a docker container and mount a volume, but that seems overkill: need to install docker, create an image, launch the container in it, etc...
Is there a way to do something like this?
```sh
restricted-exec --read-all --write-to /a/particular/path --write-to /another/particular/path my-executable -- --option-to-the-executable
```
Some sort of [unveil](https://man.openbsd.org/unveil.2), but controlled by the calling process and only for write access.
Luke Skywalker (205 rep), Feb 27, 2022, 05:51 PM. Last activity: Nov 14, 2023, 02:39 PM
1 vote, 1 answer, 79 views
Restrict login to the active user
How can I restrict login so that only I can log into my Linux machine, and only directly into the console (active user)? I do not want anyone, including me, to be able to log in remotely. Are there changes I should make to /etc/security/access.conf, for example? Or PAM?
Newbie here.
pac_2023 (13 rep), Nov 3, 2023, 04:34 PM. Last activity: Nov 3, 2023, 05:21 PM
1 vote, 1 answer, 54 views
ssh-jailed access restrict all groups, but allow one group
Requirement
===========
+ ssh-jailed access: restrict all groups, but allow one group.
```
login to VM-GP324911 for users in GP324911, deny others.
login to VM-GP9e68e for users in GP9e68ea, deny others.
login to VM-GPea7899 for users in GPea7899, deny others.
In some cases, an user can be in Group - GP324911 and GP9e68ea or others,
access or login should work based on group assigned to that VM.
```
###### By GPO, a couple of AD groups are allowed ssh logins to multiple RHEL VMs. What we want to restrict further: allow only one AD group and disallow others.
###### But if a user is part of two or multiple groups, allow login only where the group is allowed.
Tried with ssh Match Group like below:
```
Match Group GP324911
    PasswordAuthentication yes
    PubkeyAuthentication yes
Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
    PasswordAuthentication no
    PubkeyAuthentication no
```
It works the above way:
- a user part of GP324911, GP9e68ea is allowed login to VM-GP324911 or VM-GP9e68ea.
Two questions:
- It stops working if I move the allowing Match block below the deny Match block, like below; then it will stop allowing access in VM-GP324911 for group GP324911:
```
Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
    PasswordAuthentication no
    PubkeyAuthentication no
Match Group GP324911
    PasswordAuthentication yes
    PubkeyAuthentication yes
```
- We tried with deny groups and allow groups; it didn't work. Any other way of doing this?
Indranil (27 rep), Oct 18, 2023, 10:25 AM. Last activity: Oct 18, 2023, 05:39 PM
1 vote, 3 answers, 1585 views
How to restrict user login for specific IP-address (private address)?
I have two users on my ssh-server machine, user_A and user_B. user_B is permitted to log in with a private key only, for security reasons, because he needs to log in from remote. All this works.
My problem: How do I prevent user_A from logging in likewise from remote with username/password, because he only needs to log in from the local network?
According to the man page of sshd, CIDR notation is allowed.
What I have done:
#605433 suggests `AllowUsers my_login@123.45.67.89`, so I adapted to `AllowUsers user_A@192.168.10.0/24`.
#740700 suggests:
```
Match 192.168.0.10/24
    AllowGroups PrivateSubnetSshUsers
```
My version looks like:
```
Match 192.168.10.0/24
    AllowUsers user_A
```
Against my expectations, user_A can still log in from 192.168.1.220 in both cases.
I had done `systemctl restart sshd` before retrying.
What do I overlook here?
udippel (113 rep), Aug 30, 2023, 10:26 AM. Last activity: Aug 31, 2023, 09:01 AM
3 votes, 1 answer, 893 views
What effect has "+:ALL:cron crond" in /etc/security/access.conf?
I am refining our rules in /etc/security/access.conf. I found the following rule and I am not sure what it is used for:
```
+:ALL:cron crond
```
According to the man page of access.conf it means something like:
*Grant permission to ALL users from origin cron and crond.*
I do not understand what it means in detail. Can someone provide an example where this rule would take effect?
Thanks in advance!
KaeptnEgli (39 rep), May 4, 2023, 11:49 AM. Last activity: Aug 3, 2023, 02:25 PM
1 vote, 1 answer, 309 views
Restrict access to SocketCAN to a certain user group
I have a PC to which a robot is connected via CAN (using SocketCAN). I'd like to control who can send commands to the robot, ideally through a group (i.e. only users who are in the "use_robot" group have permission to send/receive anything via CAN).
How can I achieve this? To my understanding, SocketCAN uses network interfaces, so probably somehow with iptables?
luator (302 rep), Jul 10, 2023, 03:02 PM. Last activity: Jul 11, 2023, 05:16 PM