mount - How can I grant guest accounts read (or read-write) permission on a folder outside their home? - Ask Ubuntu


i have stuff stored in external partition (ext4) mounted through /etc/fstab location /vms. inside directory, have folder shared should accessible (currently read-only, later maybe read-write) local users, including guest sessions.

however, chmod -r a+r /vms/shared makes files world-readable standard users, not guest sessions, afaik have layer of restrictions through apparmor or denies access outside home.

i have separate account guest-config serves default profile new guest sessions (/etc/guest-session/skel symlink /home/guest-config) able tweak guest profile settings, in case help.

how can unlock specific directory (and files , subdirectories) grant guest accounts read-only or read-write access? using ubuntu 16.04 btw.

(copied answer here, since saw first, , doesn't seem right mark duplicate of question asked later.)

guest sessions locked down using apparmor, uses long list of special permissions keep guest users touching anything. these accessed etc/apparmor.d/lightdm-guest-session.

on machine, file looks this:

# profile restricting lightdm guest session  #include <tunables/global>  /usr/lib/lightdm/lightdm-guest-session {   # applications confined via main abstraction   #include <abstractions/lightdm>    # chromium-browser needs special confinement due sandboxing   #include <abstractions/lightdm_chromium-browser> }

opening "main abstraction" (etc/apparmor.d/abstractions/lightdm) gives more interesting:

... / r, /bin/ rmix, /bin/fusermount px, /bin/** rmix, /cdrom/ rmix, /cdrom/** rmix, /dev/ r, /dev/** rmw, # audio devices etc. owner /dev/shm/** rmw, /etc/ r, /etc/** rmk, ...

these directories restricted session can access, along permissions. if add partition , shared folder list (with trailing /** include subdirectories, , r read permission), future guest sessions have read-only access it.

for read-write permissions, use rw; default permission /var/guest-data. full permissions, use rwlkmix; default permission guest-owned drives in /media. these stand read, write, link, lock, memory-map, , inherit-execute: last 1 gives execution privileges, specifies execution must happen within current confinement (so can't break out of guest restrictions running specially-crafted shell script).


Comments

Post a Comment

Popular posts from this blog

download - Firefox cannot save files (most of the time), how to solve? - Super User

this not full duplicate of this question or this question , though base question same. however, questions have no answers. for on half year have problems downloading files firefox. when click on download link, download dialog opened asking me do, save or open it. immediately, there error/warning pop-up (twice, can see 1 @ first) ok button. looks this message : "c:\users\%user%\appdata\local\temp\wbbdv9k8.zip.part not saved because source file not read. try again later or contact server administrator." replace '%user%' name of user trying download. after closing pop-up, download dialog disappears , have minimize firefox , open again, see other pop-up. downloading exact same file internet explorer work, not desired. i tried solutions here . tried solutions here . tried disabling extensions. tried fixing permissions on temp folder. tried making files , folder in profile directory non-readonly. tried running firefox administrator. tried ...
Read more

windows - "-2146893807 NTE_NOT_FOUND" when repair certificate store - Super User

i try repair certificate store in windows 10 doing c:\windows\system32>certutil -store -user ‎330000019dba8d5dddb98062a900000000019d "personal" certutil: -store command failed: 0x80090011 (-2146893807 nte_not_found) certutil: object not found. i have double check mmc, certificate details serial number of certificate. still fail repair certificate store. can please help? i getting same error when trying export pfx. turns out had export c:\cert.pfx instead of cert.pfx (it trying export file cert store ( cert:\localmachine\my ).
Read more