Hi!
If I understand correctly, you want to be able to control which files a user
can update. You could fix that with either ACLs or groups.
Let me try to explain the way it should be done with groups.
users:
games - the user that owns the service
client - the user that should only be able to update certain files.
groups:
games - the group for user games
client - the group for user client
path:
/games/cs01
In /etc/group we specify that the user client is a member of the group
games.
games:*:13:client
Change so games owns all the files
$ chown -R games:games /games/cs01
$ cd /games/cs01
update all files with 600 ( -rw------- )
$ find . -type f -exec chmod 600 {} \;
update all directories to 750 ( drwxr-x--- )
NOTE: r-x must be available on the group so that all the members of the
group games (ie: the user client) can list the files.
$ find . -type d -exec chmod 750 {} \;
Set the executable bit on the binaries ( will become -rwx------ )
$ chmod u+x ./hlds_amd ./hlds_i486 ./hlds_i686 ./hlds_run ./hltv
Now the user games should be able to edit and update files and run the
server, while no one else (except root) can edit or run it.
Now you need to go through each file/dir that needs to be editable or
writable for the user 'client'
$ chmod g+rw <file/dir>
i.e. if the user should be able to edit server.cfg
$ chmod g+rw cstrike/server.cfg
I don't know if Steam will change the file permissions when updating the
server files, so this might be an issue. You just have to test that. Maybe
Steam uses the file mask to set the file permissions.
Access Control Lists (ACL): (if available)
With ACLs you can specify specific files that the user 'client' can access
without changing any of the actual file permissions. It is way more
powerful than just changing groups.
This simple guide might explain how it works a bit. It's for FreeBSD but the
logic is (or should be) the same. Output might differ a bit.
http://www.bsdguides.org/guides/freebsd/security/acl_permissions.php
/Bjorn
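As an added example (not Bjorn's, Tomé's or the list's own material), the following script applies the group-based scheme above (owner gets everything, files 600, directories 750, u+x on the binaries, then g+rw only on what the updater may touch, which is also the ownership/permission split Tomé describes further down) to a scratch tree and then counts the resulting modes instead of eyeballing them. Assumptions: OWNER and GROUP default to the current user and primary group so chown succeeds without root, ROOT defaults to a temporary directory that is removed on exit, and the file names are constructed stand-ins for a real install.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): apply the group-based
# scheme to a scratch tree and verify the resulting modes.
# Assumptions: OWNER/GROUP default to the current user and primary group so
# that chown works unprivileged; ROOT defaults to a temp dir removed on exit.
# As root, OWNER=games GROUP=games ROOT=/games/cs01 would match the thread.
set -eu

OWNER="${OWNER:-$(id -un)}"
GROUP="${GROUP:-$(id -gn)}"
if [ -z "${ROOT:-}" ]; then
    ROOT="$(mktemp -d)"
    trap 'rm -rf "$ROOT"' EXIT
fi

# Constructed stand-in for the install: two binaries, one config, one map.
make_tree() {
    mkdir -p "$ROOT/cstrike/maps" "$ROOT/cstrike/logs"
    for f in hlds_run hlds_i686 cstrike/server.cfg cstrike/maps/de_dust.bsp; do
        : > "$ROOT/$f"
    done
}

# The thread's steps: the service user owns everything; files 600,
# directories 750 (group needs r-x to list them), then u+x on binaries only.
lock_down() {
    chown -R "$OWNER:$GROUP" "$ROOT"
    find "$ROOT" -type f -exec chmod 600 {} \;
    find "$ROOT" -type d -exec chmod 750 {} \;
    chmod u+x "$ROOT/hlds_run" "$ROOT/hlds_i686"
}

# Open one path to the group (i.e. to the 'client' member) with g+rw.
grant_update() {
    chmod g+rw "$ROOT/$1"
}

# Helpers that return counts so the result can be asserted on.
count() { find "$@" | wc -l | tr -d ' '; }
group_writable_files() { count "$ROOT" -type f -perm -020; }
executable_files()     { count "$ROOT" -type f -perm -100; }
dirs_not_750()         { count "$ROOT" -type d ! -perm 750; }
world_accessible()     { count "$ROOT" \( -perm -001 -o -perm -002 -o -perm -004 \); }
# 1 if the given path has exactly the given octal mode, else 0.
has_mode()             { count "$ROOT/$1" -prune -perm "$2"; }

make_tree
lock_down
grant_update cstrike/server.cfg   # the updater may edit the config, nothing else

echo "group-writable files: $(group_writable_files)"             # 1
echo "executables:          $(executable_files)"                 # 2
echo "dirs not 750:         $(dirs_not_750)"                     # 0
echo "world-accessible:     $(world_accessible)"                 # 0
echo "server.cfg is 660:    $(has_mode cstrike/server.cfg 660)"  # 1
```

The counts are the useful part: after an update run (Steam or otherwise) the same helpers show at a glance whether the tool reset any modes, which is exactly the uncertainty raised about the file mask above.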
On Wed, 14 Apr 2010, daniel jokiaho wrote:
> User that runs the server: userrun belongs to group grouprun, has
> only write access to some dirs.
> User that updates the server: userupdate belongs to group
> groupupdate and has write access to all dirs.
>
> Have tried to understand the different manuals and tutorials online.
> Does this seem okay?
>
>
> groupadd grouprun
> useradd -G grouprun userrun
> passwd userrun
>
> groupadd groupupdate
> useradd -G groupupdate userupdate
> passwd userupdate
>
> Goto dir:
> chown userrun:groupupdate -R .
>
> chmod u+rwX -R . userupdate
> chmod ugo-r -R . userrun
>
> Goto log/other writable dirs:
> chmod u+rwX -R . userrun
>
>
> //Daniel
>
> 2010/4/13 Tomé Duarte <[email protected]>:
> > Hello Daniel,
> >
> > You should be able to do that by creating:
> > - users: userRunGS & userUpdateGS
> > - groups: groupUpdateGS - add userUpdateGS to this one
> >
> > Then change ownership of every dir/file to userRunGS:groupUpdateGS.
> > After that, change permissions on every dir/file to:
> > - remove userRunGS write permission, leaving it only on the files you want
> > - set writable permission for group groupUpdateGS
> >
> > That way, you can:
> > - run the gameserver with userRunGS; exploits can't write to any file you
> > don't want
> > - update the gameserver with userUpdateGS; since he belongs to
> > groupUpdateGS there won't be any permission problems.
> >
> > If you have any questions on how to add this, I suggest reading the
> > following man pages: chown(1), chmod(1), groupadd(8) and useradd(8). For
> > reference, this
> > <http://tldp.org/HOWTO/Security-HOWTO/file-security.html>might come in
> > handy too.
> >
> > Cheers,
> > Tomé Duarte
> >
> > Connect with me via:
> > Twitter: http://twitter.com/tomeduarte
> > LinkedIn: http://www.linkedin.com/in/tduarte
> >
> >
> > On 13 April 2010 15:54, Cc2iscooL <[email protected]> wrote:
> >
> >> Because there are exploits that allow clients to upload to the server
> >> directories.
> >>
> >> To op, there's plenty of stuff if you google around for chmod.
> >>
> >> On Apr 13, 2010 11:49 AM, "f0rkz" <[email protected]> wrote:
> >>
> >> Sounds like a prickly spider web to me. Why do you need UserX and
> >> UserY, why not just have a user that writes and runs.
> >>
> >> -f0rkz
> >>
> >>
> >> On Tue, 2010-04-13 at 17:29 +0200, Daniel Nilsson wrote:
> >> > Have read some info about how to host a ...
> >> _______________________________________________
> >> To unsubscribe, edit your list preferences, or view the list archives,
> >> please visit:
> >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> >>
> >
>
>