How to give permission to access subfolders in /root?

2

2

I need to give permission to read/write in this folder, which is a subfolder of the /root directory, to mike.jackson (for some reason someone created this folder inside /root):

/root/Products/Metadata/ApplicationServers/Port8080/Marker/

Given ls -la, these are the permissions:

total 12
drwxrwxrwx 3 webproject_deployer users 4096 Sep  1  2010 .
drwxrwxrwx 3 webproject_deployer users 4096 Aug  4  2010 ..
drwxrwxrwx 6 webproject_deployer users 4096 Mar 15  2011 xml

So I added mike.jackson to the users group:

users:x:100:mike.jackson

Still, he can't access the folder.

These are the owner's settings:

webproject_deployer:x:1071:100::/home/webproject_deployer:/bin/bash

The users are authenticated by LDAP, and so is mike.jackson. What should I do here? I don't want to add mike.jackson to sudoers 'cause if I did, I couldn't guarantee that he won't execute a malicious command as sudo inside this folder.

Valter Silva

Posted 2013-05-03T12:52:28.270

Reputation: 1 331

Comment since this isn't an answer: you really should move this out of this dir. Not only does it cause perm issues as you see, but it creates backup and partition issues as well. I'd spend effort to put this in the right space and not try to get perms right. – Rich Homolka – 2013-05-03T15:05:41.547

Answers

5

The user needs the x permission to every folder in the hierarchy. Usually, the /root directory does not allow any user other than root to enter it, so start there and work your way down.

I suggest you move this somewhere else though, if possible. If you're not careful, data belonging to root might become public accidentally.

Daniel Beck

Posted 2013-05-03T12:52:28.270

Reputation: 98 421

2

You will need to check the permission chain.

Idea:
Can mike access /
Can mike access /root
Can mike access /root/Products
...
Can mike access /root/Products/Metadata/ApplicationServers/Port8080/Marker/mike

Read is not necessary, but execute to traverse the folder is the minimum.

Idea: chmod 711 on each folder in the tree.

user218473

Posted 2013-05-03T12:52:28.270

Reputation:
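
The permission-chain check described in the answers above, as an added example that is not part of any poster's answer: it walks from / down to the target and reports every directory where a given uid and group set lacks search (x) permission, plus what is missing on the final directory. It assumes classic mode bits only (no POSIX ACLs), and the uid and gids are supplied numerically by the caller, for example gid 100 for the users group shown in the question.

```python
import os
import sys

def effective_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids under classic mode-bit rules.

    Owner class wins over group, group over other. POSIX ACLs and root's
    override are not modelled.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def path_chain(path):
    """Return ['/', ..., parent, path] for the resolved path."""
    chain = [os.path.realpath(path)]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    return chain[::-1]

def blocked_components(path, uid, gids, want=0o7):
    """Return [(directory, missing_bits)] for every link that blocks access.

    Ancestors need only x (0o1, search); the final directory needs `want`
    (default rwx: list, create/delete entries, enter).
    """
    chain = path_chain(path)
    blocked = []
    for component in chain:
        need = want if component == chain[-1] else 0o1
        missing = need & ~effective_bits(os.stat(component), uid, gids)
        if missing:
            blocked.append((component, missing))
    return blocked

if __name__ == "__main__":
    # Usage (run as root so every component can be stat'ed):
    #   python3 chain.py PATH UID GID [GID ...]
    target, uid, gids = sys.argv[1], int(sys.argv[2]), set(map(int, sys.argv[3:]))
    for directory, missing in blocked_components(target, uid, gids):
        bits = "".join(c for c, b in zip("rwx", (4, 2, 1)) if missing & b)
        print(f"{directory}: missing {bits}")
```

An empty result means the mode bits alone do not explain the denial, so the next things to look at are ACLs and whether the user's session has actually picked up the new group membership.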

0

The reason this isn't working for you, as stated earlier, is that the user would need access to the full path, not just that specific directory. The best answer is to remove the directory structure from /root. You should not be doing anything in the root directory, nor should you allow anything to install or be run from it. The only time you should be logging into root is for system administration tasks. If you need to run an application with elevated privileges, then run it as a service or create a specific user, à la Apache or MySQL.

One major problem with this is that, looking at your current structure, that application will have root privileges, so if an attacker managed to run malicious code through an exploit they could do untold amounts of damage to the host system. If the application was associated with its own account, it could only be a threat to itself, not the larger system.

That being said, if this is a web application then the server should have 755 permissions, and users connecting to it will by extension have the privileges of the server. If this person is a local user who needs rights to administer the server, then add his user account to the group associated with that particular application and set the group's permissions accordingly.

Matty

Posted 2013-05-03T12:52:28.270

Reputation: 314