Finder can't restore permissions on boot HD

[mcj]

OK, here's the background info:
Some time ago, to allow remote document sharing with colleagues, I setup user accounts on my eMac & enabled file sharing. This allowed ftp access to the various accounts.
The thing that had bothered me, was that once logged-in to an account (as I did using Cyberduck), a user could move up beyond their own user folder and into the folders of other users.
I got around that, for the most part, by setting permissions on the various users folders so that the "owners" of the account had r/w access & I had r/w access (under "Group"). My own account is admin by default.
The part that that didn't work for, was if someone went above the "Users" folder. The entire root directory was left wide open. I felt extremely uncomfortable with such a vulnerability and so thought that the only way to restrict access to the root directory to my account & my OS, was to set he permissions of the boot HD to remain largely unchanged, but to change "others" from Read Only to No Access. Owner remains "system" & Group remains "admin".
It seemed to work a little too well. When I discovered that my default account, via the Finder, no longer had access to the users accounts other than my own. I decided to revert to the HD's previous setting.
Here's the problem:
When I tried to change owner to Me (or anything, for that matter), an error message popped-up stating :

Quote: You need to enter an administrator name and password to access this item, but the Finder cannot complete the process. Either the Finder can't locate the item or the Finder isn't allowed to use the item. Perhaps this is because the Finder was copied or moved.

The Finder was neither copied nor moved. The Finder can still find files & folders and view their properties, but just can't change the permissions anymore.
I also tried to use NetInfo Manager & Enable Root User, but it never enabled (it asked for new root passwords, but never enabled). NetInfo Manager simply didn't work.

How can "others" be restored to Read Only... or is there another fix???

[DeltaMac]

Quote: Originally Posted by mcj It seemed to work a little too well. When I discovered that my default account, via the Finder, no longer had access to the users accounts other than my own. I decided to revert to the HD's previous setting.

You can't access files through the Finder in user accounts other than your own, unless you're logged in as root. The default administrator account does not have access to other user accounts.
Sounds like you had root user enabled and were logged in as root all the time. That would explain why a remote user would log in as you (root) and therefore have access to all parts of the volume

[mcj]

Quote: Originally Posted by DeltaMac Sounds like you had root user enabled and were logged in as root all the time. That would explain why a remote user would log in as you (root) and therefore have access to all parts of the volume

Nope. Root was never enabled & it was never changed since buying my eMac straight from Apple. I could never get NetInfo Manager to Enable Root User. It would just accept my new passwords (which had to be added every single time) and do nothing. When I immediately checked Security, hoping to see Disable Root User, I saw instead Enable Root User. ARRGGGHHH!!!

Quote: Originally Posted by DeltaMac You can't access files through the Finder in user accounts other than your own, unless you're logged in as root. The default administrator account does not have access to other user accounts.

I think that I should've been a bit clearer on this, my apologies.

- Using the Finder, I can open the folders of other users from my default account (which, by default, is given admin status).
- I can see any folders within their accounts, but not their contents, unless permissions have been changed... even with the "no entry" tag on the folder icon.
- I can see any content that I've dragged-and-dropped into the user accounts main folder.

When I logged-in via an ftp client to a users account, I was able to browse "to my hearts content" in places where that user account shouldn't be allowed. i.e. outside of their own folder.

[stetner]

Quote: Originally Posted by mcj When I logged-in via an ftp client to a users account, I was able to browse "to my hearts content" in places where that user account shouldn't be allowed. i.e. outside of their own folder.

Your view of what is and is not allowed in not correct. By allowing a user ftp access, you are giving them the same access as a shell would have. A user can cd to '/' from a shell, and they can see it from ftp. That is normal. In general, the normal file permissions protect you, IE they cannot over write your kernel.

If you want to have the users limited to their home directory and below, you will have to look into 'chroot'ing the ftp daemon to their home directory.

The users can only create/read files in places where they would be able to in a normal shell, so yes, if they choose to upload a 500MB file into /tmp/ they will be able to.

I would say that if you do not trust the user (or cannot punish them when they do something stupid/malicious) do not give them an account. As well, I would disable ftp and have them use sftp with keys, which would be more secure, although they will still have the same access.

Quote: I setup user accounts on my eMac & enabled file sharing. This allowed ftp access to the various accounts

Well, 'file sharing' (from the control panel in system prefs) only gives access to the 'Public' folders in users accounts. You must have enabled 'FTP Access' which enables ftp to where ever that user is normally allowed to access.

[mcj]

Ok. That cleared up a misconception that I seemed to have had.

Quote: Originally Posted by stetner If you want to have the users limited to their home directory and below, you will have to look into 'chroot'ing the ftp daemon to their home directory.

That's something that I'll have to look into, but I have no idea where to start. Being a complete novice with UNIX, I've stayed away from trying anything there.


I still have the issue of restoring the HD's permissions for the Group "other" to Read Only, as it was since since ONE change that caused the initial Finder issue.
(I stupidly thought that "others" simply meant other users, not "everything else within OSX".) I've since discovered that a number of fonts have "disappeared" within various applications. Some apps show the font names, but can't access them while AppleWorks has "lost" about 80% of the fonts. It appears that the permissions problem has had far more reaching consequences than were initially found.

[stetner]

It would be a pain in the a$$ to set up chrooted ftp for multiple users.

I think you need to figure out what you really need to achive, and then maybe we can give some suggestions.

Well, for the 'unix' things that matter, you should be able to run 'Repair Permissions' and that should fix up the system stuff, but it might not fix third party apps you may have messed up with the permission change.

Search this site for more info on 'Repair Permissions'.

[mcj]

Would it be much easier to setup chrooted ftp for just one user (such as a general purpose account) & leave the rest alone?

Thanks for your suggestions. I'll search for 'Repair Permissions' now.

[mcj]

I found help in this thread:Problems using disk utility and terminal, reply by trevor .

Permissions seem to be largely fixed (judging by a couple of test runs of app's). Some fonts are still 'missing', but at least the folder permissions are back to normal. In one test, OS-X asked for my authentication! (I put it back, of course. )

Okay, that's one major headache out of the way.

[MarkDouma]

Quote: Originally Posted by mcj "You need to enter an administrator name and password to access this item, but the Finder cannot complete the process. Either the Finder can't locate the item or the Finder isn't allowed to use the item. Perhaps this is because the Finder was copied or moved."

Sounds like the Finder's 'OwnerGroupTool' may have lost its SetUID bit and/or root ownership. The top picture shows how it should appear normally, and the lower picture shows what would happen after copying it to my Desktop. While the "Change Enclosed Items..." doesn't appear to work for transferring the owner and the group, I think it might work for transferring the read/write/execute bits... That could be what unset them on the Finder's tool, but I'm not necessarily sure. That's sort of what happened to my copy of Disk Utility back in Jaguar....

Also, it seems that at first you perhaps misunderstood what the "Other" permissions meant. Yeah, having stuff set to no access is a bad thing, or at least when it applies to the core parts of the operating system. The other users must be able to have at least read access to the System domain and Library domains in order for their account to work properly.

But keep in mind that just because they can see stuff, does not necessarily mean they can change stuff. That's especially true on the root level of the drive. The reason for this is that the root level has the "Sticky" bit set, meaning only the person that owns the item in that directory may delete that item.

Anyway, hope this helps.....