How to make a user able without root to share a folder with given other user(s) #60

Open
opened 2025-01-23 15:55:18 +01:00 by Benjamin_Loison · 32 comments

See #59.

Author
Owner
The persons:

may be interested in a solution as the 2 formers do not seem to be aware of any.
Author
Owner

So the aim is not to create a group for all (used) combinations of user permission access, even if teams to some extent work that way. We want subteams somehow.

Author
Owner

DuckDuckGo search *Linux give access to a user to a folder*.
Author
Owner
[Benjamin_Loison/adduser/issues/1](https://codeberg.org/Benjamin_Loison/adduser/issues/1) would help.
Author
Owner
```bash
mkdir ~/folder_to_share_with_user_0_and_1/
```
Author
Owner

In theory can leverage the `chown` other user group to have both users having access, but let us consider the cleaner more general case.
Author
Owner

I like recursivity so let us look for recursive approach.

Having to run again the permission grant on new recursive folder is fine in my opinion for the moment.

Author
Owner
```bash
FOLDER=~/folder_to_share_with_user_0_and_1/sub_folder_to_share_with_user_0_and_1
mkdir $FOLDER/
echo secret > $FOLDER/file_to_share_with_user_0_and_1.txt
```
Author
Owner

From `user_1`:

```bash
ls /home/user_0/
```

```
ls: cannot open directory '/home/user_0/': Permission denied
```

on Debian 12 GNOME.
Author
Owner

So the aim is not to have access to `/home/user_0/` but just the mentioned subfolder.
Author
Owner
```bash
ls /home/user_0/folder_to_share_with_user_0_and_1/
```

```
ls: cannot access '/home/user_0/folder_to_share_with_user_0_and_1/': Permission denied
```
Author
Owner
```bash
ls -lha
```

<details> <summary>Output:</summary>

```
total 36K
drwx------  3 user_0 user_0 4.0K Feb 22 12:29 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-------  1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
drwxrwxr-x 2 user_0 user_0 4.0K Feb 22 12:30 folder_to_share_with_user_0_and_1
```

</details>

As `user_0`:

```bash
setfacl -R -m u:user_1:rwx folder_to_share_with_user_0_and_1/
```

Source: [the Ask Ubuntu answer 809562](https://askubuntu.com/a/809562)

does not return anything.
Author
Owner
```bash
ls -lha
```

<details> <summary>Output:</summary>

```
total 36K
drwx------  3 user_0 user_0 4.0K Feb 22 12:29 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-------  1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
drwxrwxr-x+ 3 user_0 user_0 4.0K Feb 22 12:31 folder_to_share_with_user_0_and_1
```

</details>
Author
Owner

On `user_1` still face:

```bash
ls /home/user_0/folder_to_share_with_user_0_and_1/
```

```
ls: cannot access '/home/user_0/folder_to_share_with_user_0_and_1/': Permission denied
```
Author
Owner
```bash
ls /home/
```

```
benjamin_loison  user_0  user_1  user_2
```

As `user_0`:

```bash
setfacl -R -m u:user_1:rwx .
```

does not return anything.
Author
Owner

As `user_1`:

```bash
tree /home/user_0/
```

<details> <summary>Output:</summary>

```
/home/user_0/
└── folder_to_share_with_user_0_and_1
    └── sub_folder_to_share_with_user_0_and_1
        └── file_to_share_with_user_0_and_1.txt

3 directories, 1 file
```

</details>

```bash
cat /home/user_0/folder_to_share_with_user_0_and_1/sub_folder_to_share_with_user_0_and_1/file_to_share_with_user_0_and_1.txt
```

```
secret
```
Author
Owner

As `user_0`:

```bash
ls /home/user_0/
```

```
ls: cannot open directory '/home/user_0/': Permission denied
```

so this is not perfect but it is a good start.

How can we figure out what users we gave access to?
Author
Owner

DuckDuckGo search *Linux list ACL*.
Author
Owner

As `user_0`:

```bash
getfacl .
```

<details> <summary>Output:</summary>

```
# file: .
# owner: user_0
# group: user_0
user::rwx
user:user_1:rwx
group::---
mask::rwx
other::---
```

</details>
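To answer "what users did we give access to" from `getfacl` output, and to account for the `mask` entry that `setfacl --help` mentions (named user entries are capped by it), here is an added helper that is not part of this issue's commands. The `getfacl` text is a constructed sample, not output captured from the machine above; `getfacl` itself prints a `#effective:` hint when the mask reduces an entry, and this script derives the same result.

```shell
#!/bin/sh
# Constructed getfacl output (not captured from the issue's machine): two
# named user entries plus a mask that limits what they can effectively do.
SAMPLE_ACL='# file: folder_to_share_with_user_0_and_1
# owner: user_0
# group: user_0
user::rwx
user:user_1:rwx
user:user_2:rw-
group::---
mask::r-x
other::---'

# Read getfacl text on stdin and print "name:effective" for every named
# user entry. Named entries are ANDed with the mask entry; the owner entry
# (user::) is not masked and is skipped. Without a mask entry nothing is
# masked, which is the case for a file that carries no extended ACL.
acl_effective_named_users() {
  awk -F: '
    /^#/ { next }                                   # header comment lines
    $1 == "mask" && $2 == "" { mask = substr($3, 1, 3) }
    $1 == "user" && $2 != "" { users[++n] = $2; perms[n] = substr($3, 1, 3) }
    END {
      if (mask == "") mask = "rwx"
      for (i = 1; i <= n; i++) {
        eff = ""
        for (j = 1; j <= 3; j++) {
          p = substr(perms[i], j, 1); m = substr(mask, j, 1)
          bit = (p != "-" && m != "-") ? p : "-"
          eff = eff bit
        }
        print users[i] ":" eff
      }
    }'
}

# Real usage: getfacl folder_to_share_with_user_0_and_1 | acl_effective_named_users
printf '%s\n' "$SAMPLE_ACL" | acl_effective_named_users
```

With the sample above this prints `user_1:r-x` and `user_2:r--`, which is what the mask actually lets those users do despite the `rwx` and `rw-` that were granted.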
Author
Owner

DuckDuckGo search *Linux give access to a user to a folder without giving access to parent folder*.

Maybe `x` may help, see [the Unix Stack Exchange answer 541283](https://unix.stackexchange.com/a/541283), should just verify that someone is not able to execute a file he does not have access to.
Author
Owner

DuckDuckGo search *Linux remove ACL*.
Author
Owner

[The Unix Stack Exchange answer 347478](https://unix.stackexchange.com/a/347478):

```bash
setfacl --help
```

<details> <summary>Output:</summary>

```
setfacl 2.3.1 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
  -m, --modify=acl        modify the current ACL(s) of file(s)
  -M, --modify-file=file  read ACL entries to modify from file
  -x, --remove=acl        remove entries from the ACL(s) of file(s)
  -X, --remove-file=file  read ACL entries to remove from file
  -b, --remove-all        remove all extended ACL entries
  -k, --remove-default    remove the default ACL
      --set=acl           set the ACL of file(s), replacing the current ACL
      --set-file=file     read ACL entries to set from file
      --mask              do recalculate the effective rights mask
  -n, --no-mask           don't recalculate the effective rights mask
  -d, --default           operations apply to the default ACL
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
      --restore=file      restore ACLs (inverse of `getfacl -R')
      --test              test mode (ACLs are not modified)
  -v, --version           print version and exit
  -h, --help              this help text
```

</details>

<details> <summary>Note:</summary>

```
  -m, --modify=acl        modify the current ACL(s) of file(s)
...
  -b, --remove-all        remove all extended ACL entries
```

</details>
Author
Owner
```bash
ls -lah
```

<details> <summary>Output:</summary>

```
total 40K
drwxrwx---+ 4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-rwx---+ 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
```

</details>

```bash
setfacl -b .
```

does not return anything.

```bash
ls -lah
```

<details> <summary>Output:</summary>

```
total 40K
drwx------  4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-rwx---+ 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
```

</details>
Author
Owner
```bash
setfacl -R -b .
```

does not return anything.

```bash
ls -lah
```

<details> <summary>Output:</summary>

```
total 40K
drwx------ 4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x 6 root   root   4.0K Feb 22 12:28 ..
-rw------- 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
```

</details>
Author
Owner
```bash
chmod a+x .
```

Source: [the Unix Stack Exchange answer 94217](https://unix.stackexchange.com/a/94217)

does not return anything.

```bash
ls -lah .
```

<details> <summary>Output:</summary>

```
ls -lah .
total 40K
drwx--x--x 4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x 6 root   root   4.0K Feb 22 12:28 ..
-rw------- 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
```

</details>
Author
Owner
```bash
mkdir new_folder/
ls -lh
```

<details> <summary>Output:</summary>

```
total 52K
drwxr-xr-x 2 benjamin_loison benjamin_loison 4.0K Feb 22 13:17 new_folder
...
```

</details>

```bash
chmod o-rwx new_folder/
ls -lh
```

<details> <summary>Output:</summary>

```
total 52K
drwxr-x--- 2 benjamin_loison benjamin_loison 4.0K Feb 22 13:17 new_folder
...
```

</details>
Author
Owner
<details> <summary><code>/home/user_0/test.sh</code>:</summary>

```bash
#!/bin/bash

echo test
```

</details>

```bash
chmod a+x test.sh
```

```bash
ls -lh test.sh
```

```
-rwxr-xr-x 1 user_0 user_0 23 Feb 22 13:40 test.sh
```

```bash
./test.sh
```

```
test
```
Author
Owner

As `user_2`:

```bash
ls -lh /home/user_0/
```

```
ls: cannot open directory '/home/user_0/': Permission denied
```

```bash
ls -lh /home/user_0/test.sh
```

```
-rwxr-xr-x 1 user_0 user_0 23 Feb 22 13:40 /home/user_0/test.sh
```

```bash
chmod o=x test.sh
```

<details> <summary>Output:</summary>

```
ls -lh test.sh
-rwxr-x--x 1 user_0 user_0 23 Feb 22 13:40 test.sh
```

</details>

```bash
chmod o-x test.sh
ls -lh /home/user_0/test.sh
```

```
-rwxr-xr-- 1 user_0 user_0 23 Feb 22 13:40 /home/user_0/test.sh
```
Author
Owner

DuckDuckGo search *Linux allow traversing directory*.
Author
Owner

[The Super User answer 792908](https://superuser.com/a/792908) seems to show how to leak metadata of files in parent folders only to the given user.
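The `chmod a+x .` step above makes the home directory traversable by everyone, and the later comments ask what that exposes along the path to the shared subfolder. The following added check is not part of the issue's commands: it walks the ancestors of a path and classifies what the "other" class can do with each one, using only the mode triplet from `ls -ld` (assumed to be the standard ten-character `drwx--x--x` form, possibly followed by `+` for an ACL).

```shell
#!/bin/sh
# For every ancestor of a path, report what the "other" class can do with it:
#   traverse  x only, as after `chmod a+x ~`: a user who knows a deeper name
#             can reach it, but `ls` on the ancestor itself is still denied
#   list      r present: the ancestor's entries (names, metadata) are readable
#   none      no bit set: nothing below it is reachable for "other"
# Output is one line per ancestor: "<dir> <other-triplet> <kind>".
ancestor_other_access() {
  p=$1
  while [ "$p" != "/" ] && [ "$p" != "." ]; do
    p=$(dirname "$p")
    # Field 1 of `ls -ld` is e.g. drwx--x--x+; characters 8-10 are "other".
    mode=$(ls -ld "$p" | awk '{ print substr($1, 8, 3) }')
    case $mode in
      *r*) kind=list ;;
      *x*) kind=traverse ;;
      *)   kind=none ;;
    esac
    printf '%s %s %s\n' "$p" "$mode" "$kind"
  done
}

# Example run on the current directory's ancestors (the leaf name is only
# used to start the walk and need not exist).
ancestor_other_access "$PWD/folder_to_share_with_user_0_and_1"
```

An ancestor reported as `list` is where other users can read names and `ls -l` metadata of everything at that level, so for the setup in this issue the expected picture is `traverse` on the home directory and `none` or an ACL-only entry on the rest.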
Author
Owner

I verified the metadata leak issue from a fresh environment.

Author
Owner
See the message:
Reference: Benjamin_Loison/linux#60