I have the situation where sshd should permit sftp only access to a group of users.
This is easily done by adding a match section like
Match Group groupname
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
Now I need to exclude one user that is a member of this group. He should have normal shell access.
Match User username
ChrootDirectory ???
ForceCommand ???
What do I set here?
Is it possible to unset configuration directives previuosly set with another matching section?
First apply the settings to the group, excluding user username, then apply (other) settings to user username. If you do not use the 'ForceCommand' setting for user username, it is not applied.
Match Group groupname User !username
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
Match User username
PasswordAuthentication yes
Another example is where you may want different settings if the user logs in from different ip-addresses
#all users except username1 and username2 default to sftp
Match User *,!username1,!username2
PasswordAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -f LOCAL0 -l INFO
#normal ssh allowed for users username1 and username2 from the local network
Match User username1,username2 Address 192.168.0.0/16
PasswordAuthentication yes
#users username1 and username2 not allowed from other networks
Match User username1,username2 Address *,!192.168.0.0/16
PasswordAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/sbin/nologin
Don't add an extra Match User section. Instead, exclude the user by excluding him from the original Match.
Match Group groupname User !username
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
All criteria on the Match line must be satisfied for the section to be applied.
As Nicolas Mommaerts discovered, there's a bug with negative-only patterns, and you may need to first include everyone with *:
Match Group groupname User *,!username
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
What worked for me is putting the user rule first:
Match user lee
ChrootDirectory /mnt/s3
ForceCommand internal-sftp
Match group ftp
ChrootDirectory /home/%u
ForceCommand internal-sftp
Related
How to only first superAdmin access to a group permissions example(signature permissions), but other admin and superAdmin no access to that (signature permissions)
for example, first SuperAdmin with id = 1 only see and access some permissions and can change it,
and other superAdmin cannot see this permission.
Super admins are defined in the library/config.php file:
$config['superAdmins'] = '1,2,3';
1, 2 and 3 being three different user IDs.
With access sysop and database access how do I change the Email address associated with a user?
The user table in the database has everything encoded as BLOBs. If I can decode and encode those values presumably I can just update user.user_email.
UPDATE user SET user_email='foo#bar.com' WHERE user_id=... should just work. However, if you need to also set the confirmed flag, see instructions here (replace the mwscript line with php maintenance/eval.php). If you need to set their email only so that they could reset their password, see https://www.mediawiki.org/wiki/Manual:Resetting_passwords
You can get a current list of users and emails like this (i.e. decode):
SELECT Cast(user_name AS CHAR), Cast(User_Email AS CHAR) FROM user;
MaxSem's answer did not work for me, but here is a MediaWiki maintenance script (introduced in v1.27) that'll do the trick: https://www.mediawiki.org/wiki/Manual:ResetUserEmail.php
Go to the base directory of your wiki, and type something like this:
php maintenance/resetUserEmail.php uuuu new#email.address
to change user uuuu's email address to new#email.address. By default, this will change the user's password so that the user has to reset it, which can usually be done on the wiki website. You might need to add user name and password for database access, e.g.:
php maintenance/resetUserEmail.php --dbuser myuser --dbpass wordpass uuuu new#email.address
I need your advice on a LDAP structure and associated ACL.
Our LDAP will manage 10 (number may vary) organizations which contains users (total of 250 users)
I want 1 user by organization to be allowed to manage all the users of his own organization.
Users will also be attached to custom groups.
What is the best LDAP structure for that ?
My first idea is the following :
Groups :
dn: cn=Manager,ou=Roles,ou=Groups
objectClass: posixGroup
objectClass: top
cn: Manager
gidNumber: 10100
memberUid: user1
memberUid: user3
dn: cn=Structure1,ou=Structures,ou=Groups
objectClass: posixGroup
cn: Structure1
gidNumber: 10000
description: Structure1
memberUid: user1
memberUid: user2
dn: cn=Structure2,ou=Structures,ou=Groups
objectClass: posixGroup
cn: Structure2
gidNumber: 10001
description: Structure2
memberUid: user3
memberUid: user4
user1 should be allowed to edit user user2 but not user3 or user4
user3 should be allowed to edit user1 but not user2
I actually get stuck on ACL because I don't success to user the groups of an entry using ACL set method.
I would like doing something like this :
{1}to dn.children="ou=Users" by set="[cn=]+this/groups+[,ou=Structures,ou=Groups]/memberUid & user/uid" write by * read
I am able to use groupOfNames if better than posixGroup
I've already read :
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html
My contribution is one option to solve this situation. I know it's been a while, but i hope this helps to someone out there.
- Change to groupofnames or organizationalrole (the last one support empty groups) both require a dn as member.
- Enable memberof overlay, to enable the memberof operational attribute on the user (this will add the list of groups where the user is a member of, to an attribute in the user entry)
olcMemberOfGroupOC: organizationalRole
olcMemberOfMemberAD: roleOccupant
olcMemberOfMemberOfAD: groups ("groups" is the operational attribute added to the user)
Once both actions where performed and you're sure the users has values on the groups operational attribute, according to the original question, here are 2 scenarios:
1st scenario - user1 is allowed to write user3,ou=users as they belongs to cn=Manager,ou=Roles,ou=Groups
2nd scenario - user1 is allowed to write user2,ou=users as they belongs to cn=Structure1,ou=Structures,ou=Groups
by set="this/groups & user/groups" write
This acl allows write whenever both users (the modified and the modifier) have the same group, the the acl will set write privileges.
user=user1,ou=users
"user/groups" get the values of the modifier groups attribute. cn=Manager,ou=Roles,ou=Groups - cn=Structure1,ou=Structures,ou=Groups.
this=user3,ou=users
"this/groups" get the values of the modified object groups attribute. cn=Manager,ou=Roles,ou=Groups and cn=Structure2,ou=Structures,ou=Groups
this=user2,ou=users
"this/groups" get the values of the modified object groups attribute. cn=Manager,ou=Roles,ou=Groups and cn=Structure1,ou=Structures,ou=Groups
I hope this solves the question and be useful to anyone struggling with openldap acl's as i did some days ago.
Best regards!!
I want an auto username suggestion if a username is already used ,using mysql procedure
By User Name suggestion, do you mean you want a type-ahead autocomplete on a login form (i.e. once you type a few characters of your user name, the application will show all user names matching the supplied user name), or do you you mean a suggestion box that provides potential alternate user names if new user supplies an existing user name?
If you're looking for the first, I would recommend avoiding this. By providing a server-side autocomplete for user names, you are providing a simple way to access the names of all users in your system and reducing security (as people trying to access your site without permission will only need to determine a password instead of a user name and password).
If it's the second, one common approach is to append numbers at the end of an existing user name to provide a user name that does not exist. I would recommend doing this in a combination of MySQL and whatever server-side language you are using.
First, get all user names that start with the user name that was supplied (and already exists):
SELECT user_name FROM users where user_name LIKE #userName + '%'
Then, in your server side language, do the following (pseudo-code)
let user = username supplied (already exists)
let recordset = recordset from db call (above)
i = 0
alternateCount = 0
alternatesFound = new string[5]
while (alternateCount < 5 And i < 100)
potentialName = user + i
if (recordset does not contain potentialName)
alternatesFound[alternateCount] = potentialName
alternateCount++
end if
end while
What this does is attempts to insert sucessive numbers (1,2,3) etc. to the supplied user name until it finds 5 cases where the user name is unique. It also does a maximum of 100 iterations in case user1 - user99 is taken (you could increase this but a limit isn't a bad idea.
I have been reading carefully through the MediaWiki documentation but I have not been able to find out how to create new groups.
When I look at Special:Userrights, I see only 3 groups :
Bots, Sysops, Bureaucrats
I would like to create my own custom groups, so I can use some extensions like the http://www.mediawiki.org/wiki/Extension:Group_Based_Access_Control.
Can someone tell me how it's done, or point me to some documentation?
You can add permissions for new groups to your LocalSettings.php file and they will automatically appear in the Special:UserRights page.
For example, I wanted to disallow editing by regular users but create a "Trusted" group that was allowed to edit. The following code creates a "Trusted" group that is equal to the "user" group, except that "Trusted" users can edit but "user" users cannot.
$wgGroupPermissions['Trusted'] = $wgGroupPermissions['user'];
$wgGroupPermissions['user' ]['edit'] = false;
$wgGroupPermissions['Trusted']['edit'] = true;
$wgGroupPermissions['sysop' ]['edit'] = true;
On the Special:UserRights page, I can now check the "Trusted" box to make users trusted.
You can alter the appearance of the group name by creating the following messages:
(For a group named ninja:)
MediaWiki:Group-ninja (content: Ninjas)
MediaWiki:Group-ninja-member (content: ninja)
MediaWiki:Grouppage-ninja (content: Project:Ninjas)
This will insure that the group will be referred to as "Ninjas" throughout the interface, and a member will be referred to as a "ninja", and overviews will link the groupname to Project:Ninjas.
(source: http://www.mediawiki.org/wiki/Manual:User_rights#Examples)
Here you will find a List of Permissions. http://www.mediawiki.org/wiki/Manual:User_rights
I beleive I have found the answer, I just need to add the UserGroup and the permission to the wgGroupPermissions array in the LocalSettings.php file.
$wgGroupPermissions['TomatoUsers']['read'] = true;
$wgGroupPermissions['TomatoUsers']['edit'] = false;
I don't have the reputation to vote up the first answer (which can also be added to extension initialization files), but for when you get to adding users to your groups you may want to consider directly editing the database (ie. if you need to sync the wiki groups with external information). If you open the database "wikidb" the "PREFIX_user_groups"* table contains the mapping between user IDs (ug_user) and group names (ug_group). This table, combined with the "PREFIX_user"* table's name information (user_name) and ID information (user_id), give you all the information to add and remove large numbers of users from groups.
* Replace "PREFIX" with the database prefix you used for your wiki.