
In Windows, I was able to use the ICACLS utility to set files/folders with a lower integrity, in order to keep them from modifying higher-integrity locations. I'd like to do something like that with Ubuntu. Specifically, I plan to download music torrents but, just in case, I'd like to set things so that nothing can execute from the download folder. Is there some way I could do that? Alternately, maybe I could run the torrent program and the download folder under a completely different user and section it off from the system?

  • Not giving execute permissions on the download folder's contents is enough if you just want to stop programs downloaded to that file from being executed. See http://askubuntu.com/questions/311441/how-to-recursively-set-permissions-for-files-only For ACLs on Ubuntu, not necessary in this case, IMHO: https://help.ubuntu.com/community/FilePermissionsACLs – muru Aug 02 '14 at 19:29

1 Answer


EDIT: Most would say my answer is overkill, which it is, but if you are unfamiliar with Ubuntu permissions, I'd rather you use overkill than turn your computer into a worthless brick.

Your alternative is probably a good idea, if you are worried about the content you are downloading. Open your terminal (CTRL + ALT + T), and do:

sudo adduser NEWUSERNAME

su NEWUSERNAME

mkdir -p ~/Downloads

cd ~/Downloads

sudo chown -R NEWUSERNAME:NEWUSERNAME ~/Downloads

sudo chmod -R 600 ~/Downloads

What that will do is create a new user and add a Downloads folder under that new user's home. We make sure the owner and group are only the new user, and that there are only READ & WRITE permissions by the new user in that folder.

Ubuntu, and all Linux systems are much safer when it comes to the traditional Windows threats, clicking links, and running programs. Windows uses exe files, which can be downloaded and launched as soon as you click a link.

You should definitely set your browser preferences to "ask every time", where to download files. That way you will see the type of file being downloaded when Ubuntu asks you where to download the file. exe files, any scripts -> (*.sh), or other odd or suspicious files... "JUST SAY NO!" ...Just hit cancel.

Also, if you have a file with no file extension, or any file, you can check it out by doing:

cat filename

...and look for any suspicious scripts within its content.

Lastly, after downloading a file, it may have different permissions from where it was downloaded, so you can run this again, just to be safe:

sudo chmod -R 600 ~/Downloads

You can check the Owner, Group, and permissions for Owner, Group, and Others within a directory or for a file using:

ls -al

ls -al FILENAME

ls -al DIRECTORYNAME

This explains permissions with both letters and numbers: http://www.draac.com/chmodchart.html

I hope that helps.

SudoSURoot
  • Great answer! Two further questions: 1) Would that prevent me from accessing music files? and 2) Do your steps for creating a new username automatically include any subfolders that are created within the download folder? I'll most likely also include the torrent program and the media program in the new user name. – BKilpat01 Aug 02 '14 at 22:19
  • No, you only need read access for using music files, unless the player you are using is considered being a user/group of its own. When you create a new user by command line/terminal it only creates the bare minimum: a home folder (e.g. /home/newuser), which is why I said to change to the new user then create the downloads folder with: su newuser && mkdir -p ~/Downloads – SudoSURoot Aug 08 '14 at 19:26
  • If the player is using a different user group, you can open it and, as any user, run: ps -aux to check for the player, find the name of its user, group should be the same, and you could add the player to your folder's group. sudo usermod -a -G YourNewUserName PlayersUserName This is what that is actually doing: sudo usermod -a -G groupName userName taken from top answer here: http://askubuntu.com/questions/79565/add-user-to-existing-group Then you can do: chmod -R 660 ~/Downloads as your newuser. That gives read/write permissions to the group the player was added to. – SudoSURoot Aug 08 '14 at 19:34
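
Added example, not part of the original question, answer or comments: a recursive numeric mode such as 600 or 660 also clears the x (search) bit on directories, which a non-root owner needs to enter them, so this sketch sets files and directories separately, along the lines of the "files only" link in muru's comment. The function names and the tree built in demo() are assumptions made up for the illustration.

```shell
# Added example; the tree built in demo() is constructed sample data.

# Set files to 600 and directories to 700 under $1. Directories keep the
# x (search) bit so the owner can still enter them; files lose every x bit.
harden_downloads() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Print regular files under $1 that have any execute bit set.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# Count them; one byte per match, so odd file names cannot skew the count.
count_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf x \; | wc -c | tr -d ' '
}

# Demonstration on a constructed tree: one data file, one executable script.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Downloads/album"
    printf 'ID3' > "$tmp/Downloads/album/track.mp3"
    printf '#!/bin/sh\necho hi\n' > "$tmp/Downloads/album/cover.sh"
    chmod 755 "$tmp/Downloads/album/cover.sh"
    echo "before: $(count_executables "$tmp/Downloads") executable file(s)"
    harden_downloads "$tmp/Downloads"
    echo "after:  $(count_executables "$tmp/Downloads") executable file(s)"
    rm -rf "$tmp"
}

demo
```

Clearing the execute bit blocks running a file directly (./file); a script can still be handed to an interpreter explicitly, so the separate-user setup from the answer remains useful alongside it.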