I've created two directories, say:
/data/master
/data/master/sub1
/data/master/sub2
I would like to give access to the "sub1" directory to members of the
"group1" group, and access to "sub2" to members of "group2".
From the /data/master directory, I've typed
chgrp -R group1 sub1
chgrp -R group2 sub2
chmod -R g+rw sub1
chmod -R g+rw sub2
This seems to work fine, until a user creates a new file in one of the
subdirectories. The "user" of the new file is set to that user's login
name, and the "group" of the file is set to that user's main group ("group" in
this case). Not to mention that the group, "group" only gets "Read" access
and not "Read/Write".
Is there a way to force access rights for new files created within a
directory?
I've looked at umask but that seems to affect all files for a user.
Thanks in advance
David Nash
> /data/master
> /data/master/sub1
> /data/master/sub2
> Thanks in advance
> David Nash
From the 'chmod' man-page:
...
s Sets owner or group ID on execution of the file to that of the owner
of the file. The mode ``u+s'' sets the user ID bit for the file.
The mode ``g+s'' sets the group ID bit. Other combinations have no
effect. When the group ID bit is set on a directory, all files
created under it subsequently receive the group ID of that
directory. When the group ID bit is not set, files are created with
the group ID of the creating process/user.
The users could also just 'chgrp' to 'group1' or 'group2' beforehand,
but it's hard to enforce that unless you turn off the Supplemental
Group feature in the kernel.
-sw
That solves the ownership issue. For the permissions, you do need to change
the users' umasks, and yes, this does affect the creation of all files
regardless of directory. There isn't any straightforward solution. If you
don't have too many users, you could make each user's login group be a group
specific to that user.
John
--
John DuBois spc...@armory.com. KC6QKZ http://www.armory.com./~spcecdt/
>I've created two directories, say:
> /data/master
> /data/master/sub1
> /data/master/sub2
>I would like to give access to the "sub1" directory to members of the
>"group1" group, and access to "sub2" to members of "group2".
>chgrp -R group1 sub1
>chgrp -R group2 sub2
>chmod -R g+rw sub1
>chmod -R g+rw sub2
>This seems to work fine, until a user creates a new file in one
>of the subdirectories. The "user" of the new file is set to that
>user's login name, and the "group" of the file is set to that user's
>main group ("group" in this case). Not to mention that the group,
>"group" only gets "Read" access and not "Read/Write".
>Is there a way to force access rights for new files created within a
>directory?
A few questions first. When you say access - do you mean no
access to anyone except by members of each group - including
read-only access? In that case you probably need to change
the 'other' permission, so that the last flags are always ---
Another poster mentioned SGID. Does the executing program which
these users run have any special requirements - does it use SUID or
SGID for its own purposes? Many programs do.
If these files/directories in question are just part of a user's
normal access, you could perhaps write a small script for users in each
group that executes a private copy of the program with the SGID
set, and also have the user's umask set, or just sets the user's mask
and changes group. If this is all the user's access then set all
this in their .profile.
One more question. Are these the only two groups of users on the
system? If so you might be able to try a truly counter-intuitive
approach.
In this example assume that the groups are A and B and that
all users will belong to either of these groups.
For files that you wish users in group A to access - change the
group ownership of that group to B - and remove all permissions for
anyone in that group.
eg: the file permissions for group A to write would look like this:
-rw----rw- root B 4876 Jan 11 21:22 somefile.txt
Since permissions are evaluated left to right and the first match
stops the search, if anyone in group B were to try to access that
file/directory then they would be denied as group B has no rights
at all and the search would go no further but anyone who was
NOT in group B would have access.
IOW access by 'other' will give anyone else access, but B will be
denied by group permissions. As I said it is counter-intuitive as
you would think that if you had a file that anyone could access then
B should be able to access it also.
Directory permission settings - as opposed to file permission
settings - don't have to have read permission set on the
directory. If the application or user knows what files are in the
directory they only have to have write and execute permission on
that directory. Denying read permissions means only that they won't
be able to list the files in that directory. They will still be able
to access the files if they know the file names and can create files
and directories.
That fits in the 'security by obscurity' mold.
As with anything in computers - how it fits in the overall picture
is what determines your approach.
--
Bill Vermillion bv @ wjv.com
> Another poster mentioned SGID. Does the executing program which
> these users run have any special requirements - does it use SUID or
> SGID for its own purposes? Many programs do.
I was referring to the SGID bit of a directory itself, like so:
# id
uid=0(root) gid=0(root) groups=0(root),1(other),3(sys)
# mkdir /tmp/foo
# chgrp uucp /tmp/foo
# chmod g+s /tmp/foo
# l -d /tmp/foo
drwxr-sr-x 2 root uucp 512 Jan 20 14:26 /tmp/foo
# touch /tmp/foo/foo
# l /tmp/foo/foo
-rw-r--r-- 1 root uucp 0 Jan 20 14:26 /tmp/foo/foo
It's rarely used IMHO, but comes in handy since the introduction of
Supplemental Groups. This combined with a proper login-umask should
fix most circumstances.
-sw