Please forgive me if the question is too theoretical.
A team is working on a project. All members should have read access to all files, but only one member could modify a particular file at a time, and that member could transfer the permission (to modify) to another member.
How can I use the Access Control List and the protection bits (by chmod) to satisfy the above requirement?
What kind of ACL are we talking about here? This sounds more like something you would use revision control for.
Giving a group read access to a file is easy, but changing the ownership of a file requires root access.
So does changing the acl list with setfacl.
Using RCS or another revision control system, the person checking out a file will lock it while they are editing to prevent two people from modifying the file at the same time. This would allow any other member of a group to subsequently edit the file.
Your idea sounds more like some kind of token scheme.
Some other revision control systems have a hierarchy of users, such that when the file gets to the editor, the user(s) who previously created the file no longer have access. This would be a system used in a publishing house.
What kind of ACL are we talking about here? This sounds more like something you would use revision control for.
I know the best solution would be CVS or something like that, but as I said, this question is more theoretical (actually one of my coursework questions).
What concerns me more is how to ensure only 1 member could modify a file at a given time.
I can't think of a way of doing it that doesn't require root access. Only the root user is allowed to change the ownership on a file. Allowing a group to read a file implies the file is owned by the group with r-- attributes. Allowing one member of a group to write the file implies ownership.
You can give another user read/write access to a file you own with "setfacl -m user:sally:rw <file>".
Now user sally can write to the file and make changes.
However, you will still have write access. Even if you don't have write permission, being the owner of the file, you can change that if you wanted to, or in vim, just add a '!' character after the "w" command to write to the read-only file.
While sally and yourself are the only members of the group who can modify the file, sally cannot use the setfacl command on the file. The best she could do is make a copy of the file and use the "setfacl" command to give the next member write access. Now this recipient and sally are the only users who can modify the file.
This assumes that the file is located in a writable directory with the sticky bit set. Otherwise, a user with write access to the file can always use the ":wq!" command in vim, which deletes the old file and replaces it with a new file with the user's default permissions. "cp" and "rm" can be used to do the same thing.
The closest that I can think of is for a file to be owned by one person. For demonstration purposes let's say it is owned by root.
# touch sample
# chown root:root sample
# setfacl -m group:authors:r sample
# setfacl -m user:sally:rw sample
# cp -p sample /tmp/
Now sally can edit the file. Members of the "authors" group can read it and not edit it. The sticky bit on the /tmp directory prevents deletion, so a member that can read it can't replace it.
However, root needs to change the file acl to allow the next user to edit it.
This doesn't fit your theoretical problem exactly. Linux does not allow transferring ownership of a file (only root can do that), and only the file's owner can change the file's ACL.
However, an identical file owned by the next owner can be copied from sally's file. However, the owner of the file is the next group member, and nothing can prevent him from doing this at any time if he has read access, but he can't replace the old one in a sticky directory.
sidebar:
A couple interesting things I found out myself. You need to use the "-p" option with the "cp" command to also copy the ACL. The "mv" command doesn't have this option.
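The owner-run hand-off discussed in the replies above, as an added example that is not part of the original thread: the file's owner keeps read access for the group and moves a single named-user write entry from one member to the next. The function names (init_shared, writers, handoff) are hypothetical, and the sketch assumes the acl tools (setfacl/getfacl) and a filesystem with POSIX ACL support.

```shell
#!/bin/sh
# Added example: a one-writer-at-a-time "token" kept in a file's POSIX ACL.
# Must be run by the file's owner (or root); function names are hypothetical.

# init_shared FILE GROUP
# Start clean: owner rw, owning group and others nothing, GROUP read-only.
init_shared() {
    setfacl -b "$1" &&            # drop any existing extended ACL entries
    chmod 600 "$1" &&             # base permission bits: owner rw only
    setfacl -m "g:$2:r" "$1"      # named group entry: read access for the team
}

# writers FILE
# Print every named user whose ACL entry includes write (the token holders).
# -c omits the header, -p keeps absolute paths, -E omits "#effective" comments.
writers() {
    getfacl -cpE "$1" |
        awk -F: '$1 == "user" && $2 != "" && $3 ~ /w/ { print $2 }'
}

# handoff FILE NEW_WRITER
# Revoke every existing named-user write entry first, then grant rw to
# NEW_WRITER, so two members never hold write access at the same time.
handoff() {
    file=$1
    to=$2
    for u in $(writers "$file"); do
        setfacl -x "u:$u" "$file" || return 1
    done
    setfacl -m "u:$to:rw" "$file"
}

# Typical use by the owner (names taken from the thread's example):
#   init_shared sample authors
#   handoff sample sally      # sally may now edit; authors can only read
#   handoff sample bob        # sally loses write access; bob (hypothetical) gains it
```

As the replies point out, the owner still retains control of the file, and the directory holding it must not let members replace the file.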