File group permissions - applicable to a particular group user only possible??

Post by dej.. » Fri, 21 Apr 2000 04:00:00



Hi!
Is it possible to control file attributes at user level among a
group in a Unix system?

        E.g.: Usr1, Usr2 and Usr3 are the users in a group GRP.
        Usr1 is the owner of a file record.doc.
        Is it possible for Usr1 to set write permission for
        the file record.doc only for Usr2 and not Usr3?

I know that generally you would require Usr3 to then belong to another
group; is there any other way around this?

TIA,
Kiwi.

Sent via Deja.com http://www.deja.com/
Before you buy.

 
 
 

File group permissions - applicable to a particular group user only possible??

Post by Joe Durusa » Fri, 21 Apr 2000 04:00:00


        It's probably dependent on your system.  In Solaris,
you can work lots of tricks using the acl facility.  It is usually best
to specify OS and version, since there are lots of possible answers
to a given question.

Speaking only for myself,

Joe Durusau


> Hi!
> Is it possible to control file
> attributes at user level among a
> group in Unix system ?

>         Eg:  Usr1, Usr2 and Usr3 are the users in a group  GRP.
>         Usr1 is the owner of a file record.doc
>         Is it possible for Usr1 to set  write permission for
>         the file record.doc only to usr2 and not usr3 ???

> I know that generally you would require Usr3 to then belong to another
> group; is there any other way around this??

> TIA,
> Kiwi.

> Sent via Deja.com http://www.deja.com/
> Before you buy.


 
 
 

File group permissions - applicable to a particular group user only possible??

Post by pe.. » Sat, 22 Apr 2000 04:00:00



> Hi!
> Is it possible to control file
> attributes at user level among a
> group in Unix system ?
>    Eg:  Usr1, Usr2 and Usr3 are the users in a group  GRP.
>    Usr1 is the owner of a file record.doc
>    Is it possible for Usr1 to set  write permission for
>         the file record.doc only to usr2 and not usr3 ???

Yes. Have the file permissions set to rwxrwx--- and let the group
GRP be the file's group.

One little thing that might disturb this: some older SysV-derived
systems have a default behaviour that a user belongs to a single
group at a time. This is configurable; "initgroups" is one of the
commands that makes the user belong to ALL groups at the same time.
POSIX also requires that a user can be a member of several
groups at the same time.

BSD does the right thing here, which is where POSIX got the idea.

> I know that generally you would require Usr3 to then belong to another
> group; is there any other way around this??
> TIA,
> Kiwi.
> Sent via Deja.com http://www.deja.com/
> Before you buy.

--
Peter Håkanson
        Manet Networking      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.

 
 
 

File group permissions - applicable to a particular group user only possible??

Post by Matthew C Weig » Sat, 22 Apr 2000 04:00:00




>> Hi!
>> Is it possible to control file
>> attributes at user level among a
>> group in Unix system ?

Not with base permissions.  A single file can have a single owner and a
single group, and permissions can only be based on those two plus universal
access.  You'll need a different file system for that.

>>        Eg:  Usr1, Usr2 and Usr3 are the users in a group  GRP.
>>        Usr1 is the owner of a file record.doc
>>        Is it possible for Usr1 to set  write permission for
>>         the file record.doc only to usr2 and not usr3 ???
>Yes. Have the file permissions set to rwxrwx--- and let the group
>GRP be the files group.

No.  Usr[123] are *all* in GRP.  If you set permissions to rwxrwx--- and
group GRP then everyone in GRP has rwx access.

One solution is for each user to be in their own group, and have the ability
to add other users to that group (and only that group).  So then record.doc
would have Usr1 as owner and group, and Usr2 would be added to group Usr1.
But that might give Usr2 access to *other* things he shouldn't have.

>One little thing that might disturb this, some older sysV derived
>systems has a default behaviour that a user belongs to a single
>froup at a time. This is configurable, "initgroups" os one of the
>commands that makes th euser belonging to ALL groups at the same time.
>This is also a POSIX demand that a user could be member of several
>groups at the same time.

>BSD does the right thing here, which is where POSIX got the idea.
>> I know that generally you would require Usr3 to then belong to another
>> group; is there any other way around this??

No, it would require Usr[12] to be in another group together, with the
file's group equal to that group.  UNIX does not handle fine-grained access
control well, as it's inherently quite trusting (which is fine for most
things outside the DoD :).
--
 Matthew Weigel
 Programmer/Sysadmin/Student

 
 
 

File group permissions - applicable to a particular group user only possible??

Post by pe.. » Sat, 22 Apr 2000 04:00:00





>>> Hi!
>>> Is it possible to control file
>>> attributes at user level among a
>>> group in Unix system ?
> Not with base permissions.  A single file can have a single owner and a
> single group, and permissions can only be based on those two plus universal
> access.  You'll need a different file system for that.

Yes, Yes and Yes, it's perfectly doable!!

Read any manpage about access, or, even better set it up and try!

>>>    Eg:  Usr1, Usr2 and Usr3 are the users in a group  GRP.
>>>    Usr1 is the owner of a file record.doc
>>>    Is it possible for Usr1 to set  write permission for
>>>         the file record.doc only to usr2 and not usr3 ???
>>Yes. Have the file permissions set to rwxrwx--- and let the group
>>GRP be the files group.
> No.  Usr[123] are *all* in GRP.  If you set permissions to rwxrwx--- and
> group GRP then everyone in GRP has rwx access.

Read my posting, that is the intention. The point is that only
Usr1, Usr2 and Usr3 are members of GRP.

> One solution is for each user to be in their own group, and have the ability
> to add other users to that group (and only that group).  So then record.doc
> would have Usr1 as owner and group, and Usr2 would be added to group Usr1.
> But that might give Usr2 access to *other* things he shouldn't have.

Not if you take into account that any user can be a member of several non-related
groups AT THE SAME TIME. And as a user you can change a file's group ownership
with "chgrp" at any time. It's the file owner that may change the group of a file.

>>One little thing that might disturb this, some older sysV derived
>>systems has a default behaviour that a user belongs to a single
>>froup at a time. This is configurable, "initgroups" os one of the
>>commands that makes th euser belonging to ALL groups at the same time.
>>This is also a POSIX demand that a user could be member of several
>>groups at the same time.

>>BSD does the right thing here, which is where POSIX got the idea.
>>> I know that generally you would require Usr3 to then belong to another
>>> group; is there any other way around this??
> No, it would require Usr[12] to be in another group together, with the
> file's group equal to that group.  UNIX does not handle fine-grained access
> control well, as it's inherently quite trusting (which is fine for most
> things outside the DoD :).

Unix does indeed handle this. Go back and try this at home!

> --
>  Matthew Weigel
>  Programmer/Sysadmin/Student


--
Peter Håkanson
        Manet Networking      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.

 
 
 

File group permissions - applicable to a particular group user only possible??

Post by Matthew C Weig » Sat, 22 Apr 2000 04:00:00






>>>> Hi!
>>>> Is it possible to control file
>>>> attributes at user level among a
>>>> group in Unix system ?

>> Not with base permissions.  A single file can have a single owner and a
>> single group, and permissions can only be based on those two plus
>> universal access.  You'll need a different file system for that.

>Yes, Yes and Yes, it's perfectly doable!!

Sorry.  Can you explain, slowly for a dense head, how exactly you propose to
handle per-user access control, without having a separate group for every
possible permutation of users?

That is, given this 'ls -l record.dat' output,

-rwxrwx---   1 Usr1   GRP         xxxxx Apr 20 17:59 record.dat

this in /etc/group

GRP::10003:Usr1,Usr2,Usr3

how do you propose you restrict Usr3's access to record.dat?

>Read any manpage about access, or, even better set it up and try!

I'm typing this from a system using AFS, and I'm really too lazy to go
looking for the non-AFS access(1) man page.  AFS, of course, handles quite
fine-grained access easily.

>>>>        Eg:  Usr1, Usr2 and Usr3 are the users in a group  GRP.
>>>>        Usr1 is the owner of a file record.doc
>>>>        Is it possible for Usr1 to set  write permission for
>>>>         the file record.doc only to usr2 and not usr3 ???
>>>Yes. Have the file permissions set to rwxrwx--- and let the group
>>>GRP be the files group.

>> No.  Usr[123] are *all* in GRP.  If you set permissions to rwxrwx--- and
>> group GRP then everyone in GRP has rwx access.

>Read my posting, that is the intention. The point is that only
>Usr1, Usr2 and Usr3 are members of GRP.

Yeah, but the original poster was clear that Usr3 was *not* to have access.
If Usr3 is a member of GRP, and GRP is the group for record.doc, then Usr3
has all the permissions of anyone else in GRP.

If I'm being dense then correct my samples above.

>> One solution is for each user to be in their own group, and have the
>> ability to add other users to that group (and only that group).  So then
>> record.doc would have Usr1 as owner and group, and Usr2 would be added to
>> group Usr1.  But that might give Usr2 access to *other* things he
>> shouldn't have.

>Not if you take in account that any use can be member of several
>non-related groups AT THE SAME TIME. And as a user uoy can change a files
>group ownership with "chgrp" at any time. It's the file owner that may
>change group for a file.

Yes, I know that users can be in several groups.  Perhaps I'm not seeing
something (and I keep repeating that because I'm going into finals week and
I haven't slept since Wednesday morning), but how does being in several
groups let you restrict access to only *some* of the people in a group?

>>>> I know that generally you would require Usr3 to then belong to another
>>>> group; is there any other way around this??

>> No, it would require Usr[12] to be in another group together, with the
>> file's group equal to that group.  UNIX does not handle fine-grained access
>> control well, as it's inherently quite trusting (which is fine for most
>> things outside the DoD :).
>Unix does indeed handle this. Go back and try this at home!

Would you mind giving a simple example of how, without creating a new group,
I can arbitrarily set a file to be writable by some random subset of users
on a system?  Would you mind giving me an example of how I can give
'modify but don't create or delete' access to some users, 'modify or create
but don't delete' access to others, 'total control' to a few more, and 'read
only' to everyone else, with standard UNIX filesystems?  That's what I meant
by fine-grained access.

I'd really like to see where you're coming from with all of this, so please
don't take any of this as a flame.
--
 Matthew Weigel
 Programmer/Sysadmin/Student

 
 
 

File group permissions - applicable to a particular group user only possible??

Post by pe.. » Sat, 22 Apr 2000 04:00:00







>>>>> Hi!
>>>>> Is it possible to control file
>>>>> attributes at user level among a
>>>>> group in Unix system ?

>>> Not with base permissions.  A single file can have a single owner and a
>>> single group, and permissions can only be based on those two plus
>>> universal access.  You'll need a different file system for that.

>>Yes, Yes and Yes, it's perfectly doable!!
> Sorry.  Can you explain, slowly for a dense head, how exactly you propose to
> handle per-user access control, without having a seperate group for every
> possible permutation of users?

Ok. You will need a separate group for each resource needing separate
sharing (but you've got 2^31 such groups to select among).

The file in question (or files) that needs sharing across different users
is assigned a group. Let's create an entry in /etc/group:

GRP:*:12345:

(we use the supposedly free number 12345 here)

Now we make the 3 users members of that group

/etc/group:
GRP:*:12345:Usr1,Usr2,Usr3

And make the shared resource "owned" by this group :
chgrp GRP file

And then we change file access permissions for the file to
be rwx for the owner and group :
chmod 0770 file

Now, any access to this file will be honored by the usual access
restrictions that Unix has used since the 80's:
If the process asking for the operation is the owner: OK (rwx).
If not, is the process a member of group "GRP"? OK (rwx).
If not, does anyone else have access (---)? No. Access denied.

And THAT was the mission: allow Usr1, Usr2 and Usr3 to share a resource
without letting anyone else. (In this case one of the users is
"the owner", but that does not make any difference.)

> That is, given this 'ls -l record.dat' output,
> -rwxrwx---   1 Usr1   GRP         xxxxx Apr 20 17:59 record.dat
> this in /etc/group
> GRP::10003:Usr1,Usr2,Usr3
> how do you propose you restrict Usr3's acces to record.dat?

Usr3 should have access.
---Ahhhh, now i just read the last sentence again and see
" and NOT giving Usr3 write permission"   Whoops. I just started
a flame and did not read all the facts.  Sorry.

Well, here is a place where ACL comes in. Or, maybe a SetUid
program that is made sensitive on which userid that is allowed
to operate on a file.

Once again, sorry, i missed the "not" below.

Anyway, I hope that this thread did spread some light for
casual readers!

Regards

Peter h (did another mistake, well, living is sometimes a mistake)


>>Read any manpage about access, or, even better set it up and try!
> I'm typing this from a system using AFS, and I'm really too lazy to go
> looking for the non-AFS access(1) man page.  AFS, of course, handles quite
> fine-grained access easily.
>>>>>    Eg:  Usr1, Usr2 and Usr3 are the users in a group  GRP.
>>>>>    Usr1 is the owner of a file record.doc
>>>>>    Is it possible for Usr1 to set  write permission for
>>>>>         the file record.doc only to usr2 and not usr3 ???
>>>>Yes. Have the file permissions set to rwxrwx--- and let the group
>>>>GRP be the files group.

>>> No.  Usr[123] are *all* in GRP.  If you set permissions to rwxrwx--- and
>>> group GRP then everyone in GRP has rwx access.

>>Read my posting, that is the intention. The point is that only
>>Usr1, Usr2 and Usr3 are members of GRP.
> Yeah, but the original poster was clear that Usr3 was *not* to have access.
> If Usr3 is a member of GRP, and GRP is the group for record.doc, then Usr3
> has all the permissions of anyone else in GRP.
> If I'm being dense then correct my samples above.
>>> One solution is for each user to be in their own group, and have the
>>> ability to add other users to that group (and only that group).  So then
>>> record.doc would have Usr1 as owner and group, and Usr2 would be added to
>>> group Usr1.  But that might give Usr2 access to *other* things he
>>> shouldn't have.

>>Not if you take in account that any use can be member of several
>>non-related groups AT THE SAME TIME. And as a user uoy can change a files
>>group ownership with "chgrp" at any time. It's the file owner that may
>>change group for a file.
> Yes, I know that users can be in several groups.  Perhaps I'm not seeing
> something (and I keep repeating that because I'm going into finals week and
> I haven't slept since Wednesday morning), but how does being in several
> groups let you restrict access to only *some* of the people in a group?
>>>>> I know that generally you would require Usr3 to then belong to another
>>>>> group; is there any other way around this??

>>> No, it would require Usr[12] to be in another group together, with the
>>> file's group equal to that group.  UNIX does not handle fine-grained access
>>> control well, as it's inherently quite trusting (which is fine for most
>>> things outside the DoD :).
>>Unix does indeed handle this. Go back and try this at home!
> Would you mind giving a simple example of how, without creating a new group,
> I can arbitrarily set a file to be writable by some random subset of users
> on a system?  Would you mind giving me an example of how I can give
> 'modify but don't create or delete' access to some users, 'modify or create
> but don't delete' access to others, 'total control' to a few more, and 'read
> only' to everyone else, with standard UNIX filesystems?  That's what I meant
> by fine-grained access.
> I'd really like to see where you're coming from with all of this, so please
> don't take any of this as a flame.
> --
>  Matthew Weigel
>  Programmer/Sysadmin/Student


--
Peter Håkanson
        Manet Networking      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
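Added example, not code from any of the posters: a small Python model of the two checks argued over in this thread, the owner/group/other walkthrough Peter gives above and the ACL route he and Joe point to, run over the thread's own Usr1/Usr2/Usr3 in GRP. The numeric ids, the outsider Usr4, the ACL entries and the setfacl invocation mentioned in a comment are constructed for illustration; the ACL rules modelled are the POSIX.1e ones the Linux acl tools and FreeBSD implement, not Solaris's or AFS's. It shows that with mode bits alone Usr3 in GRP gets write (Matthew's point), that a named-user ACL entry gives write to Usr2 while Usr3 keeps only the group's read, and one caveat a practitioner hits in practice: on a file carrying an ACL, chmod on the group bits edits the mask and silently cuts the named user's rights too.

```python
"""Added example, not code from the thread. Models the classic mode-bit check
and a POSIX.1e ACL check on the thread's scenario: record.doc owned by Usr1,
group GRP = {Usr1, Usr2, Usr3}, and the wish to give write to Usr2 but not Usr3.
Numeric ids, the outsider Usr4 and the ACL entries are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, Optional

R, W, X = 4, 2, 1

# Constructed account database: GRP:*:12345:Usr1,Usr2,Usr3 as in the thread.
GID_GRP = 12345
GROUPS: Dict[int, set] = {GID_GRP: {"Usr1", "Usr2", "Usr3"}}
EVERYONE = ("Usr1", "Usr2", "Usr3", "Usr4")   # Usr4 is in no group at all


def gids_of(user: str) -> set:
    """All groups the user belongs to (the initgroups behaviour the thread mentions)."""
    return {gid for gid, members in GROUPS.items() if user in members}


@dataclass
class Inode:
    owner: str
    gid: int
    mode: int          # permission bits only, e.g. 0o770


def classic_access(ino: Inode, user: str, want: int) -> bool:
    """Mode-bit check. Exactly one class is consulted, chosen in the order
    owner, group, other; there is no fall-through to a more permissive class."""
    if user == ino.owner:
        bits = (ino.mode >> 6) & 7
    elif ino.gid in gids_of(user):
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return bits & want == want


@dataclass
class Acl:
    user_obj: int                                          # user::   (owner)
    group_obj: int                                         # group::  (owning group)
    other: int                                             # other::
    users: Dict[str, int] = field(default_factory=dict)    # user:NAME:
    groups: Dict[int, int] = field(default_factory=dict)   # group:GID:
    mask: Optional[int] = None                             # mask:: caps named users and all groups


def acl_access(ino: Inode, acl: Acl, user: str, want: int) -> bool:
    """POSIX.1e evaluation: owner entry, else a matching named-user entry, else
    any matching group entry that grants the request, else other. A matching
    named-user entry that does not grant the request is a denial; the check
    does not go on to try the group entries."""
    def capped(p: int) -> int:
        return p if acl.mask is None else p & acl.mask

    if user == ino.owner:
        return acl.user_obj & want == want
    if user in acl.users:
        return capped(acl.users[user]) & want == want
    mine = gids_of(user)
    group_entries = [acl.group_obj] if ino.gid in mine else []
    group_entries += [p for gid, p in acl.groups.items() if gid in mine]
    if group_entries:
        return any(capped(p) & want == want for p in group_entries)
    return acl.other & want == want


RECORD = Inode(owner="Usr1", gid=GID_GRP, mode=0o770)   # chgrp GRP; chmod 0770


def classic_who_can_write() -> Dict[str, bool]:
    """Peter's recipe: everyone in GRP, Usr3 included, can write (Matthew's point)."""
    return {u: classic_access(RECORD, u, W) for u in EVERYONE}


def acl_who_can_read_write() -> Dict[str, tuple]:
    """The ACL route: a named-user entry for Usr2 on top of read-only for GRP.
    On Linux, 'setfacl -m u:Usr2:rw-,g::r--,m::rw- record.doc' yields these entries."""
    acl = Acl(user_obj=R | W | X, group_obj=R, other=0,
              users={"Usr2": R | W}, mask=R | W)
    return {u: (acl_access(RECORD, acl, u, R), acl_access(RECORD, acl, u, W))
            for u in EVERYONE}


def mask_caveat() -> bool:
    """On a file carrying an ACL the group bits of the mode are the mask, so a
    plain 'chmod g-w record.doc' clears W from mask:: and silently strips
    Usr2's write as well. Returns whether Usr2 can still write afterwards."""
    acl = Acl(user_obj=R | W | X, group_obj=R, other=0,
              users={"Usr2": R | W}, mask=R)
    return acl_access(RECORD, acl, "Usr2", W)


if __name__ == "__main__":
    print("mode bits 0770, can write:", classic_who_can_write())
    print("ACL (read, write):", acl_who_can_read_write())
    print("Usr2 writes after chmod g-w:", mask_caveat())
```

Two things worth noticing when running it: the owner class is checked first and only, so a file with mode 0070 is unreadable to its own owner even though the owner is in the group; and after adding the named-user entry, `getfacl` on a real system will show `mask::rw-`, which is the value a later `chmod g-w` rewrites, so check the mask, not just the `user:Usr2:` line, when an ACL "stops working".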

 
 
 

File group permissions - applicable to a particular group user only possible??

Post by Matthew C Weig » Sat, 22 Apr 2000 04:00:00



>Ok. You will need a separate group for each resource needing separate
>sharing (but you've got 2^31 such groups to select among).

Well, depending on the system... :)  But then, what if you're dealing with
70,000 users (the system from which I'm posting this has that many users)?
Then you have to have 70,000*69,999 different two-person groups, and oops!
That's more than 2^32, but we're limited to 2^31 groups.  And we haven't
even looked at groups of more than 2 people...

>> That is, given this 'ls -l record.dat' output,

>> -rwxrwx---   1 Usr1   GRP         xxxxx Apr 20 17:59 record.dat

>> this in /etc/group

>> GRP::10003:Usr1,Usr2,Usr3

>> how do you propose you restrict Usr3's acces to record.dat?
>Usr3 should have access.
>---Ahhhh, now i just read the last sentence again and see
>" and NOT giving Usr3 write permission"   Whoops. I just started
>a flame and did not read all the facts.  Sorry.

No problem.  Only a few hours ago I interjected a German sentence into a
French essay, so...
--
 Matthew Weigel
 Programmer/Sysadmin/Student

 
 
 
