How to make a user able without root to share a folder with given other user(s) #60

New Issue

Benjamin_Loison · 2025-01-23T15:55:18+01:00

Benjamin_Loison commented

2025-01-23 15:55:18 +01:00

See #59.

Benjamin_Loison commented

2025-02-22 12:10:16 +01:00

The persons:

may be interested in a solution as the 2 formers do not seem to be aware of any.

<details> <summary>The persons:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdAbVD1Fr1s/4JfZDgkHO2hSZ3jzxkp7l3r9YF4N3mMuWIw xdDO5OF3iP+/e0hr77lftNy1wbPhK7j7fqlyaFZSHduTiHlFaoe1iZhtzVzSqnAM 0l0BBelzs5K4roxSPtFbAuH8J/ldR7/HU1j9nl0ktfjV3JwfVlI617gjmdmYTHCQ ZA37GmpdhkiFCNMtY0NCObVp9dBiogHupfJdI9zzjwa5uVcfFMvTeZikNSxK4Ss= =IfJO -----END PGP MESSAGE----- ``` </details> may be interested in a solution as the 2 formers do not seem to be aware of any.

Benjamin_Loison commented

2025-02-22 12:11:01 +01:00

So the aim is not to create a group for all (used) combinations of user permission access, even if teams to some extent work that way. We want subteams somehow.

Benjamin_Loison commented

2025-02-22 12:11:22 +01:00

DuckDuckGo search Linux give access to a user to a folder.

DuckDuckGo search *Linux give access to a user to a folder*.

Benjamin_Loison commented

2025-02-22 12:16:20 +01:00

Benjamin_Loison/adduser/issues/1 would help.

[Benjamin_Loison/adduser/issues/1](https://codeberg.org/Benjamin_Loison/adduser/issues/1) would help.

Benjamin_Loison commented

2025-02-22 12:29:51 +01:00

mkdir ~/folder_to_share_with_user_0_and_1/

```bash mkdir ~/folder_to_share_with_user_0_and_1/ ```

Benjamin_Loison commented

2025-02-22 12:30:29 +01:00

In theory can leverage the chown other user group to have both users having access, but let us consider the cleaner more general case.

In theory can leverage the `chown` other user group to have both users having access, but let us consider the cleaner more general case.

Benjamin_Loison commented

2025-02-22 12:32:38 +01:00

I like recursivity so let us look for recursive approach.

Having to run again the permission grant on new recursive folder is fine in my opinion for the moment.

I like recursivity so let us look for recursive approach. Having to run again the permission grant on new recursive folder is fine in my opinion for the moment.

Benjamin_Loison commented

2025-02-22 12:33:12 +01:00

FOLDER=~/folder_to_share_with_user_0_and_1/sub_folder_to_share_with_user_0_and_1
mkdir $FOLDER/
echo secret > $FOLDER/file_to_share_with_user_0_and_1.txt

```bash FOLDER=~/folder_to_share_with_user_0_and_1/sub_folder_to_share_with_user_0_and_1 mkdir $FOLDER/ echo secret > $FOLDER/file_to_share_with_user_0_and_1.txt ```

Benjamin_Loison commented

2025-02-22 12:41:54 +01:00

From user_1:

ls /home/user_0/

ls: cannot open directory '/home/user_0/': Permission denied

on Debian 12 GNOME.

From `user_1`: ```bash ls /home/user_0/ ``` ``` ls: cannot open directory '/home/user_0/': Permission denied ``` on Debian 12 GNOME.

Benjamin_Loison commented

2025-02-22 12:42:16 +01:00

So the aim is not to have access to /home/user_0/ but just the mentioned subfolder.

So the aim is not to have access to `/home/user_0/` but just the mentioned subfolder.

Benjamin_Loison commented

2025-02-22 12:42:33 +01:00

ls /home/user_0/folder_to_share_with_user_0_and_1/

ls: cannot access '/home/user_0/folder_to_share_with_user_0_and_1/': Permission denied

```bash ls /home/user_0/folder_to_share_with_user_0_and_1/ ``` ``` ls: cannot access '/home/user_0/folder_to_share_with_user_0_and_1/': Permission denied ```

Benjamin_Loison commented

2025-02-22 12:43:51 +01:00

ls -lha

Output:

total 36K
drwx------  3 user_0 user_0 4.0K Feb 22 12:29 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-------  1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
drwxrwxr-x 2 user_0 user_0 4.0K Feb 22 12:30 folder_to_share_with_user_0_and_1

As user_0:

setfacl -R -m u:user_1:rwx folder_to_share_with_user_0_and_1/

Source: the Ask Ubuntu answer 809562

does not return anything.

```bash ls -lha ``` <details> <summary>Output:</summary> ``` total 36K drwx------ 3 user_0 user_0 4.0K Feb 22 12:29 . drwxr-xr-x 6 root root 4.0K Feb 22 12:28 .. -rw------- 1 user_0 user_0 9 Feb 22 12:12 .bash_history ... drwxrwxr-x 2 user_0 user_0 4.0K Feb 22 12:30 folder_to_share_with_user_0_and_1 ``` </details> As `user_0`: ```bash setfacl -R -m u:user_1:rwx folder_to_share_with_user_0_and_1/ ``` Source: [the Ask Ubuntu answer 809562](https://askubuntu.com/a/809562) does not return anything.

Benjamin_Loison commented

2025-02-22 12:44:28 +01:00

ls -lha

Output:

total 36K
drwx------  3 user_0 user_0 4.0K Feb 22 12:29 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-------  1 user_0 user_0    9 Feb 22 12:12 .bash_history
...
drwxrwxr-x+ 3 user_0 user_0 4.0K Feb 22 12:31 folder_to_share_with_user_0_and_1

```bash ls -lha ``` <details> <summary>Output:</summary> ``` total 36K drwx------ 3 user_0 user_0 4.0K Feb 22 12:29 . drwxr-xr-x 6 root root 4.0K Feb 22 12:28 .. -rw------- 1 user_0 user_0 9 Feb 22 12:12 .bash_history ... drwxrwxr-x+ 3 user_0 user_0 4.0K Feb 22 12:31 folder_to_share_with_user_0_and_1 ``` </details>

Benjamin_Loison commented

2025-02-22 12:45:50 +01:00

On user_1 still face:

ls /home/user_0/folder_to_share_with_user_0_and_1/

ls: cannot access '/home/user_0/folder_to_share_with_user_0_and_1/': Permission denied

On `user_1` still face: ```bash ls /home/user_0/folder_to_share_with_user_0_and_1/ ``` ``` ls: cannot access '/home/user_0/folder_to_share_with_user_0_and_1/': Permission denied ```

Benjamin_Loison commented

2025-02-22 12:46:22 +01:00

ls /home/

benjamin_loison  user_0  user_1  user_2

As user_0:

setfacl -R -m u:user_1:rwx .

does not return anything.

```bash ls /home/ ``` ``` benjamin_loison user_0 user_1 user_2 ``` As `user_0`: ```bash setfacl -R -m u:user_1:rwx . ``` does not return anything.

Benjamin_Loison commented

2025-02-22 12:47:12 +01:00

As user_1:

tree /home/user_0/

Output:

/home/user_0/
\u2514\u2500\u2500 folder_to_share_with_user_0_and_1
\Uffffffff\Uffffffff\Uffffffff \u2514\u2500\u2500 sub_folder_to_share_with_user_0_and_1
\Uffffffff\Uffffffff\Uffffffff     \u2514\u2500\u2500 file_to_share_with_user_0_and_1.txt

3 directories, 1 file

cat /home/user_0/folder_to_share_with_user_0_and_1/sub_folder_to_share_with_user_0_and_1/file_to_share_with_user_0_and_1.txt

secret

As `user_1`: ```bash tree /home/user_0/ ``` <details> <summary>Output:</summary> ``` /home/user_0/ \u2514\u2500\u2500 folder_to_share_with_user_0_and_1 \Uffffffff\Uffffffff\Uffffffff \u2514\u2500\u2500 sub_folder_to_share_with_user_0_and_1 \Uffffffff\Uffffffff\Uffffffff \u2514\u2500\u2500 file_to_share_with_user_0_and_1.txt 3 directories, 1 file ``` </details> ```bash cat /home/user_0/folder_to_share_with_user_0_and_1/sub_folder_to_share_with_user_0_and_1/file_to_share_with_user_0_and_1.txt ``` ``` secret ```

Benjamin_Loison commented

2025-02-22 12:50:43 +01:00

As user_0:

ls /home/user_0/

ls: cannot open directory '/home/user_0/': Permission denied

so this is not perfect but it is a good start.

How can we figure out what users we gave access to?

As `user_0`: ```bash ls /home/user_0/ ``` ``` ls: cannot open directory '/home/user_0/': Permission denied ``` so this is not perfect but it is a good start. How can we figure out what users we gave access to?

Benjamin_Loison commented

2025-02-22 12:50:56 +01:00

DuckDuckGo search Linux list ACL.

DuckDuckGo search *Linux list ACL*.

Benjamin_Loison commented

2025-02-22 12:51:36 +01:00

As user_0:

getfacl .

Output:

# file: .
# owner: user_0
# group: user_0
user::rwx
user:user_1:rwx
group::---
mask::rwx
other::---

As `user_0`: ```bash getfacl . ``` <details> <summary>Output:</summary> ``` # file: . # owner: user_0 # group: user_0 user::rwx user:user_1:rwx group::--- mask::rwx other::--- ``` </details>

Benjamin_Loison commented

2025-02-22 12:52:48 +01:00

DuckDuckGo search Linux give access to a user to a folder without giving access to parent folder.

Maybe x may help, see the Unix Stack Exchange answer 541283, should just verify that someone is not able to execute a file he does not have access to.

DuckDuckGo search *Linux give access to a user to a folder without giving access to parent folder*. Maybe `x` may help, see [the Unix Stack Exchange answer 541283](https://unix.stackexchange.com/a/541283), should just verify that someone is not able to execute a file he does not have access to.

Benjamin_Loison commented

2025-02-22 12:55:01 +01:00

DuckDuckGo search Linux remove ACL.

DuckDuckGo search *Linux remove ACL*.

Benjamin_Loison commented

2025-02-22 13:07:30 +01:00

The Unix Stack Exchange answer 347478:

setfacl --help

Output:

setfacl 2.3.1 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
  -m, --modify=acl        modify the current ACL(s) of file(s)
  -M, --modify-file=file  read ACL entries to modify from file
  -x, --remove=acl        remove entries from the ACL(s) of file(s)
  -X, --remove-file=file  read ACL entries to remove from file
  -b, --remove-all        remove all extended ACL entries
  -k, --remove-default    remove the default ACL
      --set=acl           set the ACL of file(s), replacing the current ACL
      --set-file=file     read ACL entries to set from file
      --mask              do recalculate the effective rights mask
  -n, --no-mask           don't recalculate the effective rights mask
  -d, --default           operations apply to the default ACL
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
      --restore=file      restore ACLs (inverse of `getfacl -R')
      --test              test mode (ACLs are not modified)
  -v, --version           print version and exit
  -h, --help              this help text

Note:

  -m, --modify=acl        modify the current ACL(s) of file(s)
...
  -b, --remove-all        remove all extended ACL entries

[The Unix Stack Exchange answer 347478](https://unix.stackexchange.com/a/347478): ```bash setfacl --help ``` <details> <summary>Output:</summary> ``` setfacl 2.3.1 -- set file access control lists Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ... -m, --modify=acl modify the current ACL(s) of file(s) -M, --modify-file=file read ACL entries to modify from file -x, --remove=acl remove entries from the ACL(s) of file(s) -X, --remove-file=file read ACL entries to remove from file -b, --remove-all remove all extended ACL entries -k, --remove-default remove the default ACL --set=acl set the ACL of file(s), replacing the current ACL --set-file=file read ACL entries to set from file --mask do recalculate the effective rights mask -n, --no-mask don't recalculate the effective rights mask -d, --default operations apply to the default ACL -R, --recursive recurse into subdirectories -L, --logical logical walk, follow symbolic links -P, --physical physical walk, do not follow symbolic links --restore=file restore ACLs (inverse of `getfacl -R') --test test mode (ACLs are not modified) -v, --version print version and exit -h, --help this help text ``` </details> <details> <summary>Note:</summary> ``` -m, --modify=acl modify the current ACL(s) of file(s) ... -b, --remove-all remove all extended ACL entries ``` </details>

Benjamin_Loison commented

2025-02-22 13:11:07 +01:00

ls -lah

Output:

total 40K
drwxrwx---+ 4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-rwx---+ 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...

setfacl -b .

does not return anything.

ls -lah

Output:

total 40K
drwx------  4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x  6 root   root   4.0K Feb 22 12:28 ..
-rw-rwx---+ 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...

```bash ls -lah ``` <details> <summary>Output:</summary> ``` total 40K drwxrwx---+ 4 user_0 user_0 4.0K Feb 22 12:44 . drwxr-xr-x 6 root root 4.0K Feb 22 12:28 .. -rw-rwx---+ 1 user_0 user_0 9 Feb 22 12:12 .bash_history ... ``` </details> ```bash setfacl -b . ``` does not return anything. ```bash ls -lah ``` <details> <summary>Output:</summary> ``` total 40K drwx------ 4 user_0 user_0 4.0K Feb 22 12:44 . drwxr-xr-x 6 root root 4.0K Feb 22 12:28 .. -rw-rwx---+ 1 user_0 user_0 9 Feb 22 12:12 .bash_history ... ``` </details>

Benjamin_Loison commented

2025-02-22 13:11:47 +01:00

setfacl -R -b .

does not return anything.

ls -lah

Output:

total 40K
drwx------ 4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x 6 root   root   4.0K Feb 22 12:28 ..
-rw------- 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...

```bash setfacl -R -b . ``` does not return anything. ```bash ls -lah ``` <details> <summary>Output:</summary> ``` total 40K drwx------ 4 user_0 user_0 4.0K Feb 22 12:44 . drwxr-xr-x 6 root root 4.0K Feb 22 12:28 .. -rw------- 1 user_0 user_0 9 Feb 22 12:12 .bash_history ... ``` </details>

Benjamin_Loison commented

2025-02-22 13:15:55 +01:00

chmod a+x .

Source: the Unix Stack Exchange answer 94217

does not return anything.

ls -lah .

Output:

ls -lah .
total 40K
drwx--x--x 4 user_0 user_0 4.0K Feb 22 12:44 .
drwxr-xr-x 6 root   root   4.0K Feb 22 12:28 ..
-rw------- 1 user_0 user_0    9 Feb 22 12:12 .bash_history
...

```bash chmod a+x . ``` Source: [the Unix Stack Exchange answer 94217](https://unix.stackexchange.com/a/94217) does not return anything. ```bash ls -lah . ``` <details> <summary>Output:</summary> ``` ls -lah . total 40K drwx--x--x 4 user_0 user_0 4.0K Feb 22 12:44 . drwxr-xr-x 6 root root 4.0K Feb 22 12:28 .. -rw------- 1 user_0 user_0 9 Feb 22 12:12 .bash_history ... ``` </details>

Benjamin_Loison commented

2025-02-22 13:20:10 +01:00

mkdir new_folder/
ls -lh

Output:

total 52K
drwxr-xr-x 2 benjamin_loison benjamin_loison 4.0K Feb 22 13:17 new_folder
...

chmod o-rwx new_folder/
ls -lh

Output:

total 52K
drwxr-x--- 2 benjamin_loison benjamin_loison 4.0K Feb 22 13:17 new_folder
...

```bash mkdir new_folder/ ls -lh ``` <details> <summary>Output:</summary> ``` total 52K drwxr-xr-x 2 benjamin_loison benjamin_loison 4.0K Feb 22 13:17 new_folder ... ``` </details> ```bash chmod o-rwx new_folder/ ls -lh ``` <details> <summary>Output:</summary> ``` ``` total 52K drwxr-x--- 2 benjamin_loison benjamin_loison 4.0K Feb 22 13:17 new_folder ... ``` ``` </details>

Benjamin_Loison commented

2025-02-22 13:40:17 +01:00

/home/user_0/test.sh:

#!/bin/bash

echo test

chmod a+x test.sh

ls -lh test.sh

-rwxr-xr-x 1 user_0 user_0 23 Feb 22 13:40 test.sh

./test.sh

test

<details> <summary><code>/home/user_0/test.sh</code>:</summary> ```bash #!/bin/bash echo test ``` </details> ```bash chmod a+x test.sh ``` ```bash ls -lh test.sh ``` ``` -rwxr-xr-x 1 user_0 user_0 23 Feb 22 13:40 test.sh ``` ```bash ./test.sh ``` ``` test ```

Benjamin_Loison commented

2025-02-22 13:44:35 +01:00

As user_2:

ls -lh /home/user_0/

ls: cannot open directory '/home/user_0/': Permission denied

ls -lh /home/user_0/test.sh

-rwxr-xr-x 1 user_0 user_0 23 Feb 22 13:40 /home/user_0/test.sh

chmod o=x test.sh

Output:

ls -lh test.sh
-rwxr-x--x 1 user_0 user_0 23 Feb 22 13:40 test.sh

chmod o-x test.sh
ls -lh /home/user_0/test.sh

-rwxr-xr-- 1 user_0 user_0 23 Feb 22 13:40 /home/user_0/test.sh

As `user_2`: ```bash ls -lh /home/user_0/ ``` ``` ls: cannot open directory '/home/user_0/': Permission denied ``` ```bash ls -lh /home/user_0/test.sh ``` ``` -rwxr-xr-x 1 user_0 user_0 23 Feb 22 13:40 /home/user_0/test.sh ``` ```bash chmod o=x test.sh ``` <details> <summary>Output:</summary> ``` ls -lh test.sh -rwxr-x--x 1 user_0 user_0 23 Feb 22 13:40 test.sh ``` </details> ```bash chmod o-x test.sh ls -lh /home/user_0/test.sh ``` ``` -rwxr-xr-- 1 user_0 user_0 23 Feb 22 13:40 /home/user_0/test.sh ```

Benjamin_Loison commented

2025-02-22 13:46:21 +01:00

DuckDuckGo search Linux allow traversing directory.

DuckDuckGo search *Linux allow traversing directory*.

Benjamin_Loison commented

2025-02-22 13:50:28 +01:00

The Super User answer 792908 seems to show how to leak metadata of files in parent folders only to the given user.

[The Super User answer 792908](https://superuser.com/a/792908) seems to show how to leak metadata of files in parent folders only to the given user.

Benjamin_Loison commented

2025-02-22 13:54:40 +01:00

I verified the metadata leak issue from a fresh environment.

Benjamin_Loison commented

2025-02-22 14:06:32 +01:00

See the message:

<details> <summary>See the message:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdAnqhq/RFtklAZ9dEWBjGKpxjR0fMaiLvG9oTa7Slp+l0w VvXPJiZ2+hJqUpcZfl1OYUFT1ivhJZcQdcLKnmtT5JhUyitX0Ra2elmyfLtwgBqC 0qoBtN8Vl8J7NgnWRSI/Yvgfa6y7bPmluIN3BNZRSD18wM2Y6uB486KHJlfhXx9j kYfFJoCm//KaZIOARsFAmKjT2yVNAnoLzjOe3QcpUsafh/Kb7P2dGPAi+xsJDxa9 /NEJsZs9iJaOO9BlYhXwVFzGkblQ+N+S8F5TP53LeG73Jro3s6I39R0pxVrqPHfY joS9wFHYRJ7UvgysjFYyhBeA79evTWetHFp4sQ== =0Bq7 -----END PGP MESSAGE----- ``` </details>

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Benjamin_Loison/linux#60

How to make a user able without root to share a folder with given other user(s) #60

How to make a user able without `root` to share a folder with given other user(s) #60