
Apologies if this is the incorrect forum.

I am looking for a solution to a problem as follows:

We have protected information on our system with global read/execute access (555) owned by a user in group A, allowing users in groups A,B,C etc. access. This system has worked effectively for many years.

I would now however like to add a new group to the network, group X where group X will not be able to read/execute according to the file permissions. Please can you suggest a solution?

My initial thoughts were to modify each user's cd command but \cd will overcome that hurdle, additionally this will not affect the GUI environment.

Edit: I have been reading about ACLs and I have touched on them in the past. As all of the data is on a separate partition I could activate ACL for the partition e.g.

LABEL=/home             /home                   ext3    rw,acl          1 2

and then modify ACL permissions at the highest level. Will this then bypass the original global permission? Is this a viable option?

Thanks.

Thorsley

2 Answers


Having a blacklist on a file that is world-readable is not a safe approach. Consider what happens if a user is accidentally created without that group. Instead, it's best to assign permissions additively. You could do this by adding a new group that is inclusive of all the users that need access, or by using facls to assign permissions to each group.

Adding the 'users1' group to have read/write/execute permissions on a directory:

setfacl -m g:users1:rwx <directory name>

To automatically assign these same permissions to newly created files/directories inside that directory, add the -d option:

setfacl -d -m g:users1:rwx <directory name>

Use getfacl to check your work.

I would suggest reading through SETFACL(1) and GETFACL(1) by using man setfacl and man getfacl.

In addition, you will need to remount your root partition in a way that supports ACLs:

mount -o remount,acl /

And modify /etc/fstab to include the acl option on reboot, for example:

/dev/xvda       /              ext3     noatime,errors=remount-ro,acl 0       1
Kyle Smith
  • Thanks for the response, I think I was editing the post whilst you commented, producing very similar "solutions". I'll have a read and think. – Thorsley Jul 19 '13 at 12:20

When you set a file's permissions to 555, you give permissions to three things:

  • The first 5 is the permissions given to the user owner of the file.
  • The second 5 is the permissions given to the group owner of the file.
  • The third 5 is the permissions given to everybody else.

5 indeed stands for read and execute permission, so if you want to give read and execute permissions to the user and the group that owns the file, but no permission to others, you can set the file permissions to 550.

Note: you mentioned modifying the cd command, I guess you want to forbid people from going into a folder with cd. To do this you simply remove execute permission on the folder.

This is a really simple approach. I don't know how precisely you want to grant permissions; if you need more than simply modifying the permissions given to the owner user / owner group / everybody else, you might indeed want to use ACL.

Dettorer
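The two answers fit together, and the combination is worth seeing end to end, because it answers the question asked in the edit: an ACL does not "bypass" the 555 bits. Named group entries only add rights, so with `other::r-x` still in place group X keeps read/execute whatever `setfacl` you add. It is Dettorer's `chmod 550` step (closing "other") that actually excludes X, and Kyle Smith's named entries that put A, B and C back in. There is one more catch practitioners trip over: a named group entry is capped by the ACL mask, and a later `chmod` on the directory rewrites that mask rather than the group entry, so `ls -l` alone does not tell you what a group can really do. The script below is an added example written for this thread, not code from either answer or from the poster's system. It assumes the `acl` tools are installed, the filesystem is mounted with `acl`, and that `grpA`/`grpB`/`grpC`/`grpX` stand in for the poster's groups; the `getfacl` output it checks is constructed inline, so the check part runs offline without root.

```shell
#!/bin/sh
# Added example for this thread (not from the answers above).
# Assumes: setfacl/getfacl installed, filesystem mounted with "acl",
# and placeholder groups grpA (owner group), grpB, grpC (allowed), grpX (denied).
set -eu

# Apply the combined policy: owner and owning group keep r-x, "other" loses
# everything (this is what shuts out grpX), then each allowed group is added
# as a named entry, plus a matching default entry so new children inherit it.
# Needs the groups to exist and write access to the directory, so it is only
# defined here, not run.
lock_down() {
    dir=$1; shift                       # remaining arguments: allowed groups
    chmod 0550 "$dir"                   # drop the world r-x that 555 granted
    for g in "$@"; do
        setfacl -m "g:$g:r-x" "$dir"
        setfacl -d -m "g:$g:r-x" "$dir"
    done
}

# effective_perms GROUP < getfacl-output
# Prints what a named group really gets: its entry ANDed with the mask.
# A group with no entry of its own falls back to the "other" line, because
# named entries add rights, they never take any away.
effective_perms() {
    awk -v grp="$1" '
        BEGIN { mask = "rwx" }                  # no mask line: nothing is trimmed
        { sub(/[ \t]*#.*$/, "") }               # drop "# file:" headers, #effective notes
        $0 == "" { next }
        $0 ~ ("^group:" grp ":") { split($0, f, ":"); ent = f[3] }
        /^mask::/  { split($0, f, ":"); mask = f[3] }
        /^other::/ { split($0, f, ":"); other = f[3] }
        END {
            if (ent == "") { print other; exit } # no named entry: "other" applies
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(ent, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) != "-") ? c : "-")
            }
            print out
        }'
}

# Constructed getfacl output for a directory after lock_down: "other" is
# closed, grpB is listed, and grpC's extra "w" is cut down by the mask.
sample_locked() {
    printf '%s\n' \
        '# file: protected' \
        '# owner: alice' \
        '# group: grpA' \
        'user::r-x' \
        'group::r-x' \
        'group:grpB:r-x' \
        'group:grpC:rwx    #effective:r-x' \
        'mask::r-x' \
        'other::---'
}

# Constructed getfacl output for the mistake the question asks about: ACL
# entries added, but the original 555 left alone, so "other" is still r-x.
sample_still_555() {
    printf '%s\n' \
        '# file: protected' \
        '# owner: alice' \
        '# group: grpA' \
        'user::r-x' \
        'group::r-x' \
        'group:grpB:r-x' \
        'mask::r-x' \
        'other::r-x'
}

for g in grpB grpC grpX; do
    printf '%-5s after lock_down: %s   with 555 kept: %s\n' "$g" \
        "$(sample_locked | effective_perms "$g")" \
        "$(sample_still_555 | effective_perms "$g")"
done
```

Run it as-is and the last column shows grpX still reading everything while the 555 bits remain, which is the real answer to "will the ACL bypass the global permission". After running `lock_down /path/to/data grpB grpC` on a real tree, pipe `getfacl /path/to/data` through `effective_perms` for each group rather than trusting `ls -l`; if someone later runs `chmod g-w` on the directory, the mask shrinks and `#effective:` annotations appear, which this check reflects.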