> > Friends
> > I want to achieve following:
> > I have users usr1, usr2 members of groups group1 and group2.
> > I want files in directory /data to be read/executable by all users
> > say usr3 usr4 etc in group1,
> There is no umask value that will allow a user, root or other,
> to create a file that is executable at birth, so to speak.
> Usr1 and usr2 will have to
> chmod o+rx [ file ]
> in order to satisfy this requirement, unless the files are
> already executable and no more files will be created in this
> directory (which is, of course, unlikely).
> > but can be created, modified, deleted only
> > by usr1 and usr2 who are only members of group group2.
> Creation and deletion are attributes of directories, not files,
> so if usr1 and usr2 are the only members of group2, having /data
> owned group-wise by group2 satisfies this requirement.
> > Both users usr1 and usr2 must be able to modify each other's files
> > in this directory.
> If usr1 and usr2 are the only users in group2, then just set the
> SGID bit on the directory -- which ensures that all files created
> in the directory are owned by the group-wise owner of the directory --
> make group2 the group-wise owner of the directory, and make sure their
> umask is set to 002, which gives the group write permission for
> new files.
> > No other users can delete these files.
> If they're not members of group2, and group2 is the group-wise
> owner of /data, then they sure *won't* be able to create or delete
> files in this directory.
> > Currently whenever usr1 or usr2 creates a new file their permissions are
> > rw-r--r-- as per umask.
> See above. With a umask of 0, files are created with rw-rw-rw-,
> directories with rwxrwxrwx.
> > please let me know a better possible solution. Also correct me wherever
> > I am wrong in the following.
> If what I wrote above does not suggest to you that I misunderstood
> the problem, there's no need for you to read any further. Still,
> there's more.
> > 1. I will chmod 1766 /data (having root as owner, group2 as group)
> > 2. I will acledit /data as follows
> > attributes:attributes:
> > base permissions
> > owner(root): rwx
> > group(other): r-x
> > others: r-x
> > extended permissions
> > enabled
> > permit rwx u:usr1
> > permit rwx u:usr2
> > 3. I will acledit the files (sample.usr1 and sample.usr2) within this, owned
> > by usr1 and usr2 respectively. The following is for usr1, vice versa for
> > usr2 also.
> > base permissions
> > owner(usr1): rw-
> > group(other): r--
> > others: r--
> > extended permissions
> > enabled
> > permit rw- u:usr2
> > 4. Whenever usr1 or usr2 creates a new file, each will run the following command
> > for the file.
> > $ aclget sample.usr1 | aclput filename.usr1
> > or
> > $ aclget sample.usr2 | aclput filename.usr2
> > Now my questions:
> > a. Do I need the sticky bit (1) in chmod 1766 for the directory permission for
> > the above-said requirement?
> You only use the sticky bit in the case where a directory
> is world-writable, which means that anyone can create a
> file in it, but you only want the following users to be
> able to delete any given file: the owner of the file,
> the owner of the directory, or root.
> > b. Is there any way usr1 can modify usr2's file but cannot delete it,
> > and vice versa?
> Here's the rub: only directory permissions determine whether
> you can delete a file. So your question is whether you can
> have directory permissions apply on a per-file basis. I'm not
> fresh on the capabilities of ACLs, so take this with a grain
> of salt: you're asking the impossible of most or all current
> UNIXoid operating systems.
> > d. Whom must I keep as owner of /data: root, or usr1 or usr2, or some other
> > solution?
> See way, way above. The owner of the directory is not as important
> here as the group-wise owner, who it appears must be group2. It
> is just fine to leave root as the owner of the directory.
> > c. Does this solution seem OK, or is there some other better solution
> > for my problem?
> It seems needlessly complicated.
> My question, in the end, is this: if only usr1 and usr2 are to be
> able to unlink files from this directory, why don't you just make
> the directory writable by that group, and set the SGID bit on the
> directory so all files in that directory are owned group-wise by the
> group of usr1 and usr2?
> If you don't want other users to be able to remove files, the fact
> that they won't own the files and won't be in the group that owns
> the directory group-wise means that they won't be able to delete them.
> Problem solved?
> Regards,
> Nicholas
I think that will work.
creates new one.
I know this may be a very silly question, but is there any way that usr1
can delete the files in the group themselves?
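The setup Nicholas recommends (group2 as group-wise owner of /data, SGID bit on the directory, umask 002), as an added example that is not from any poster in this thread. It assumes GNU `stat` and takes the directory and group from the caller; the first function reports the resulting directory mode, the second shows how the umask decides whether a new file comes out group-writable (664) or not (644).

```sh
#!/bin/sh
# Added example (not from the thread): shared group directory as described
# by Nicholas. Assumes GNU coreutils stat; DIR and GROUP are supplied by
# the caller (chgrp to a group you are not a member of needs root).

# Make DIR group-owned by GROUP, group-writable, world-readable/searchable,
# and set the SGID bit so files created inside inherit GROUP (mode 2775).
# Prints the resulting octal mode of DIR.
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2775 "$dir" || return 1
    stat -c '%a' "$dir"
}

# Create NAME inside DIR under umask MASK (in a subshell, so the caller's
# umask is untouched) and print "<mode> <group>" of the new file:
# umask 002 gives 664 (group can modify), the default 022 gives 644.
# The group is the directory's group because of the SGID bit.
create_with_umask() {
    dir=$1; mask=$2; name=$3
    ( umask "$mask" && : > "$dir/$name" ) || return 1
    stat -c '%a %G' "$dir/$name"
}
```

Note that, as the thread says, neither umask value produces an executable file; a `chmod o+rx` on each file is still needed if other users must execute them.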