How to prevent a new user from doing anything dangerous?

server user-management users

Solution 1:

This is as designed. And worse. chmod 777 means... "I'd like the owner, anyone in his group, and anyone at all to have read, write and execute permissions"

Which is pretty terrible.

And for a web server, 777 is not optimal. 755 (Owner has full permissions group and others have read + execute) is a common default but from what you've said you want at least read-write, or read-write execute for the owner (the web server user), and maybe the group, and no permissions for the user. There's a more complete questions on what appropriate permissions levels are on serverfault but consider something like 640 or 740.

that said, you could also put the user in his own little world - setting up chroot to keep the user in his own space in the system. There's guides floating around for doing this - for example oli's excellent answer here which may be an option depending on your needs.

Solution 2:

Essentially, it breaks down like this:

R = 4 (read)
W = 2 (write)
X = 1 (execute)

So, read permissions only would be 4, read and write would be 6, read and execute would be 5, and all (read, write, execute) is 7. This is how you compute a permission octet value for an owner, owner's group, or everyone.

When applying those permissions with chmod to a file or directory location, the numbers computed above are applied like this, with an octet each for owner, group, and everyone:

     $ chmod _ _ _ <file or directory>
             | | |
owner--------  | |
owner's group--  |
everyone---------

So if I wanted to give myself and my group read, write and execute permissions to a folder that I owned, but I didn't want everyone to even be able to read it, I'd use:

$ chmod 770 myDirectory

For more information, check the man page for chmod:

$ man chmod

Solution 3:

As others have mentioned you should not have permissions set to 777

Here's a helpful reference sheet that i use. 

+-----+---+--------------------------+
| rwx | 7 | Read, write and execute  |
| rw- | 6 | Read, write              |
| r-x | 5 | Read, and execute        |
| r-- | 4 | Read,                    |
| -wx | 3 | Write and execute        |
| -w- | 2 | Write                    |
| --x | 1 | Execute                  |
| --- | 0 | no permissions           |
+------------------------------------+
You can use the octal notation, where the three digits correspond to the user, then group, then other. 
Perhaps this might help 
+------------+------+-------+
| Permission | Octal| Field |
+------------+------+-------+
| rwx------  | 700  | User  |
| ---rwx---  | 070  | Group |
| ------rwx  | 007  | Other |
+------------+------+-------+

Solution 4:

In order to share files with a person you gave a login to, you don't need to do anything in particular. On a default Debian installation, users have access to each others' home directories.

For instance,

$ ls -ld ~
drwxr-xr-x 65 zwets zwets 4096 Sep 29 12:06 /home/zwets

Permissions on my home directory are read (r) and access (x) for any user on my system. Only I additionally have write (w) access.

Also, the default umask on Ubuntu is such that files and directories that users create are world readable by default. You could set the umask to 077 if you didn't want that.

What this means that in a default setup, if user you wants to share document ~/README.txt with me, then there's nothing you needs to do. I can simply view it:

$ who am i
zwets    pts/26       2016-09-29 08:05 (:pts/19:S.6)
$ ls -l ~you/README.txt
-rw-r--r-- 1 you you 24 Sep  8 11:23 /home/you/README.txt
$ cat ~you/README.txt
You's shared thoughts.

I can't edit or remove the file, but I can copy it to a location where I have write permission. Then I own the copy:

$ echo "Adding my thoughts." >> ~you/README.txt
bash: /home/you/README.txt: Permission denied
$ rm ~you/README.txt
rm: remove write-protected regular file '/home/you/README.txt'? yeah!
rm: cannot remove '/home/you/README.txt': Permission denied
$ cp ~you/README.txt ~zwets
$ ls -l ~/README.txt
-rw-r--r-- 1 zwets zwets 24 Sep  29 14:09 /home/zwets/README.txt

There are good reasons why most of the system is world readable by default, as I've explained in another answer on AskUbuntu. However, on a shared system it may make sense to make home directories inaccessible to non-owners:

$ chmod o-rwx ~
$ ls -l ~
drwxr-x--- 65 zwets zwets 4096 Sep 29 12:06 /home/zwets

... as many users apparently aren't aware of the default - QED ;-). It would be wiser though to make users aware that file permissions don't protect secrets.

Solution 5:

In Ubuntu, any user has superuser privilege who are added in the group 'sudo', Please check it to ensure that no other user are added in this group.

To secure your files and directory from other users you can set permission as suggested by Mr. Journeyman Geek in above answer.

You can also use special permissions to secure your files and directories from others.

Related

How to extract and join files xxx.zip, xxx.z01 and xxx.z02
Who makes laptops for Ubuntu?
How do I disable GDM and Graphical User Selection?
How to disable "recent files" folder in Nautilus?
What would happen if I created an account called 'root'?
Where does Transmission save my torrent files?
Upgrade to 15.04: What happened to my gnome-terminal tabs?
How to print a four pages on one page?
Cannot select Bluetooth device from Sound Output
How can one save a file as plain text in TextEdit? [duplicate]
Why am I able to open Wireshark and capture packets in macOS without root privileges?
Future of iTunes and audio files in its library