Update: for my general purposes, what I figured out here is good enough: UPDATE: https://raspberrypi.stackexchange.com/questions/13401/locking-down-raspbian-to-only-allow-limited-features/58778#58778
So it seems to me that Linux permissions function as a white-list (forcefully allow a single, specified user or single, specified group something) rather than a black-list (forcefully deny a single, specified user or single, specified group something). Is this correct? If so, how can I blacklist someone from being able to read, write, or execute in a particular directory or on a set of files?
Ex: ls -l showing a permissions on a directory as drwxr-xr-x means that it's a directory, Users have read, write, execute (rwx) permissions, Groups have r-x permissions, and Others have r-x permissions. Let's say the user is "user0" and the group is "user0".
How do I explicitly allow "user1" and "user2" the ability to do have all permissions on this "user0" directory, "user3" and "user4" get no permissions, and "user5" and "user6 get partial permissions?
It seems to me I'd need to black-list user3 and user4, white-list user1 and user2, and partially white-list or partially black-list user5 and user6.
Since (I think) Linux's permissions are white-list only, what's the best way to achieve this?
Note that part of my confusion lies in the facts that:
- A directory or file can belong to only one user or group at a time (rather than, per say, giving permissions to multiple groups to access a particular directory or file)
- A user can belong to multiple groups
I think I just need some good examples of this stuff.
One partial solution, which helps demonstrate the problem I am having, is as follows:
Let's assume the user0 directory I want to set these permissions on is "/home/user0"
First, make the directory user "user0", and group "user0" (already done by default just by using sudo adduser user0 in the first place). Next, set permissions to "drwxrwx---" (user and group both rwx, but Others nothing)
Allow user1 and user2 all permissions to the directory by adding them each to the user0 group
Give user3 and user4 no permissions: already done since Others have "---" access, and user3 and user4 are NOT part of the user0 group.
Give user5 and user6 partial permissions (ex: "r-x"):-can't be done???? --because if I make the Other permissions "r-x" then it gives that to user3 and user4 too, but I want them to be black-listed (by having "---" permissions).
Background reading I've already done includes:
- How to I use Linux Groups to restrict read, write, execute access by other users to a directory?
- https://stackoverflow.com/questions/527876/how-to-restrict-a-linux-user-to-be-only-able-to-read-home-user-and-nothing-else/527976#527976
- https://raspberrypi.stackexchange.com/questions/13401/locking-down-raspbian-to-only-allow-limited-features/14712#14712
- https://askubuntu.com/questions/88356/changing-ownership-of-home-folders/88396#88396
- https://www.linode.com/docs/tools-reference/linux-users-and-groups