/opt/software
/home/user1/file
/home/user2/file
  1. user1 can rwx to /home/user1/file
  2. user2 can rwx to /home/user2/file
  3. software can rwx to both /home/user1/file and /home/user2/file
  4. user1 can't rwx to /home/user2/file
  5. user2 can't rwx to /home/user1/file

How to achieve this set up?

Khaled
ispirto
  • Who should run software? user1 and user2 or it is a daemon that works under special user? – rush Dec 26 '11 at 11:40

1 Answer

Sounds like the best way to achieve what you are trying to do is with ACLs.

ext3 and ext4 both support that, but it needs to be enabled to work.

To display not only what I did, but also the file structure of my test, I pasted it all. I am using RHEL 6.2 for my test.

Create the needed users

root # useradd -d /opt/software/ software    
root # useradd user1
root # useradd user2

Create the 'file' in both users' homes. Set group permissions on it - ACL needs that, although the group can be the user's own.

root # touch /home/user1/file && touch /home/user2/file
root # chmod 770 /home/user1/file /home/user2/file 

root # chown user1:user1 /home/user1/file 
root # chown user2:user2 /home/user2/file 

Set the ACL. -m = modify. u = user. software = the user name. rwx = the permissions.

root # setfacl -m u:software:rwx /home/user1/file 
root # setfacl -m u:software:rwx /home/user2/file

Get the ACL to check that it is correct.

root # getfacl /home/user1/file 
getfacl: Removing leading '/' from absolute path names
# file: home/user1/file
# owner: user1
# group: user1
user::rwx
user:software:rwx
group::rwx
mask::rwx
other::---

Make the executable file do something useful.

root # echo "echo horse" > /home/user1/file 
root # echo "echo horse" > /home/user2/file 

Set ACL on the user's home directory

root # setfacl -m u:software:rx /home/user1
root # setfacl -m u:software:rx /home/user2

And again, make sure the group has the permissions required.

root # chmod 750 /home/user1 /home/user2

Time for testing!

root # su - software
-bash-4.1$ /home/user1/file 
hest
-bash-4.1$ vi /home/user1/file 
-bash-4.1$ /home/user1/file 
hest
moo
-bash-4.1$ logout

root # su - user1

[user1@tutsrv01 ~]$ /home/user2/file
-bash: /home/user2/file: Permission denied

A little about ACL

To work, the group must have at least the same permissions as the ACL entries will have. If you make an rwx ACL entry but the Unix group permission is only rw, then the effective permission of the ACL will be limited to rw.

Frands Hansen
  • Great. But it won't work in case software runs under user1 and user2. It will work only in case software works under its own user. – rush Dec 26 '11 at 14:13
  • That's true. I do assume that the software runs as a third user in my answer. – Frands Hansen Dec 26 '11 at 14:26
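As an added example (not part of the answer or comments above), the script below reimplements the POSIX ACL access check so the mask rule from "A little about ACL" can be tried without root or an ACL-enabled filesystem. It parses the getfacl output shown in the answer (copied inline as a constant), computes what user1, user2 and software actually get, then simulates `chmod 760` on the file: on a file with an extended ACL, chmod's group bits rewrite the mask entry rather than the owning-group entry, which is exactly how a later chmod silently clips the named-user rwx entry to rw-. The `Acl` class, the function names and the `chmod 760` scenario are this example's own assumptions; the getfacl text is from the page.

```python
"""Effective-permission calculator for POSIX ACLs, fed getfacl(1) output.

Added example, not from the original answer. Reimplements the POSIX.1e
access check as Linux applies it: named-user and all group entries are
ANDed with the mask entry; the owner and 'other' entries are not.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(s: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0; also accepts setfacl's short 'rx'."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def fmt_perms(bits: int) -> str:
    """7 -> 'rwx', 6 -> 'rw-', 0 -> '---'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int = 0           # user::   (file owner)
    group_obj: int = 0          # group::  (owning group)
    other: int = 0              # other::
    mask: Optional[int] = None  # mask::   (only present on an extended ACL)
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl block: the '# owner:'/'# group:' header plus entries."""
    acl = Acl(owner="", group="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank line or the "Removing leading '/'" notice
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # '# file:' and other comment lines
        else:
            entry = line.split("#", 1)[0].strip()  # drop '#effective:' annotations
            tag, qualifier, perms = entry.split(":", 2)
            bits = parse_perms(perms)
            if tag == "user":
                if qualifier:
                    acl.named_users[qualifier] = bits
                else:
                    acl.user_obj = bits
            elif tag == "group":
                if qualifier:
                    acl.named_groups[qualifier] = bits
                else:
                    acl.group_obj = bits
            elif tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
    return acl


def effective_perms(acl: Acl, user: str, groups: Set[str]) -> int:
    """Bits `user` (member of `groups`) really gets, in POSIX.1e order:
    owner, named user, owning/named groups (a bit is granted if any matching
    group entry grants it), then other. Named users and all group entries
    are limited by the mask when the ACL has one."""
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return acl.user_obj
    if user in acl.named_users:
        return acl.named_users[user] & mask
    group_bits = [acl.group_obj] if acl.group in groups else []
    group_bits += [b for g, b in acl.named_groups.items() if g in groups]
    if group_bits:
        granted = 0
        for b in group_bits:
            granted |= b
        return granted & mask  # a matching group entry never falls through to other
    return acl.other


def apply_chmod(acl: Acl, mode: int) -> Acl:
    """Simulate chmod(1): with an extended ACL the mode's group bits rewrite
    the mask entry, not group:: (see acl(5)); owner/other bits map as usual."""
    acl.user_obj = (mode >> 6) & 7
    if acl.mask is None:
        acl.group_obj = (mode >> 3) & 7
    else:
        acl.mask = (mode >> 3) & 7
    acl.other = mode & 7
    return acl


# getfacl output copied from the answer above (state right after setfacl).
SAMPLE = """\
getfacl: Removing leading '/' from absolute path names
# file: home/user1/file
# owner: user1
# group: user1
user::rwx
user:software:rwx
group::rwx
mask::rwx
other::---
"""


def demo() -> Dict[str, object]:
    """Rights of each principal before and after a constructed 'chmod 760'."""
    acl = parse_getfacl(SAMPLE)
    who = {"user1": {"user1"}, "user2": {"user2"}, "software": {"software"}}
    before = {u: fmt_perms(effective_perms(acl, u, g)) for u, g in who.items()}
    apply_chmod(acl, 0o760)
    after = {u: fmt_perms(effective_perms(acl, u, g)) for u, g in who.items()}
    return {"before": before, "after": after, "mask_after": fmt_perms(acl.mask)}
```

Running `demo()` gives software `rwx` before and `rw-` after the chmod while user1 (owner, not subject to the mask) keeps `rwx` and user2 stays at `---`; the same clipping is what getfacl reports as `#effective:rw-` on a real file, so a `getfacl` check after any `chmod` is the practical safeguard.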