Old 04-15-2006, 09:14 PM   #1
tuananhbirm
Using access control list


Hi,

Please forgive me if the question is too theoretical.

A team is working on a project; all members should have read access to all files, but only one member could modify a particular file at a time, and that member could transfer the permission (to modify) to another member.


How can I use the Access Control List and the protection bits (set by chmod) to satisfy the above requirement?

Many thanks.
Anh
 
Old 04-15-2006, 09:28 PM   #2
jschiwal
What kind of ACL are we talking about here? This sounds more like something you would use revision control for.

Giving a group read access to a file is easy, but changing the ownership of a file requires root access.
So does changing the acl list with setfacl.

Using RCS or another revision control system, the person checking out a file will lock it while they are editing to prevent two people from modifying the file at the same time. This would allow any other member of a group to subsequently edit the file.

Your idea sounds more like some kind of token scheme.

Some other revision control systems have a hierarchy of users, such that when the file gets to the editor, the user(s) who previously created the file no longer have access. This would be a system used in a publishing house.

Last edited by jschiwal; 04-15-2006 at 11:14 PM.
 
Old 04-15-2006, 09:34 PM   #3
tuananhbirm
Quote:
Originally Posted by jschiwal
What kind of ACL are we talking about here? This sounds more like something you would use revision control for.

I know the best solution would be CVS or something like that, but as I said, this question is more theoretical (actually one of my coursework questions).

What concerns me more is how to ensure only 1 member could modify a file at a given time.


Cheers.
Anh
 
Old 04-17-2006, 01:33 AM   #4
jschiwal
I can't think of a way of doing it that doesn't require root access. Only the root user is allowed to change the ownership on a file. Allowing a group to read a file implies the file is owned by the group with r-- attributes. Allowing one member of a group to write the file implies ownership.

You can give another user read/write access to a file you own with "setfacl -m user:sally:rw file".
Now user sally can write to the file and make changes.
However, you will still have write access. Even if you don't have write permission, being the owner of the file, you can change that if you wanted to, or in vim, just add a '!' character after the "w" command to write to the read-only file.

While sally and yourself are the only members of the group who can modify the file, sally cannot use the setfacl command on the file. The best she could do is make a copy of the file and use the "setfacl" command to give the next member write access. Now this recipient and sally are the only users who can modify the file.

This assumes that the file is located in a writable directory with the sticky bit set. Otherwise, a user with write access to the file can always use the ":wq!" command in vim, which deletes the old file and replaces it with a new file with the user's default permissions. The "cp" and "rm" commands can be used to do the same thing.

The closest that I can think of is for a file to be owned by one person. For demonstration purposes let's say it is owned by root.
# touch sample
# chown root:root sample
# setfacl -m group:authors:r sample
# setfacl -m user:sally:rw sample
# cp -p sample /tmp/

Now sally can edit the file. Members of the "authors" group can read it and not edit it. The sticky bit on the /tmp directory prevents deletion, so a member that can read it can't replace it.

However, root needs to change the file acl to allow the next user to edit it.

This doesn't fit your theoretical problem exactly. Linux does not allow transferring ownership of a file (only root can do that), and only the file's owner can change the file's acl.

An identical file, owned by the next owner, can be copied from sally's file. However, the owner of that copy is the next group member, and nothing can prevent him from doing this at any time if he has read access, but he can't replace the old one in a sticky directory.


Sidebar:
A couple of interesting things I found out myself. You need to use the "-p" option with the "cp" command to also copy the ACL. The "mv" command doesn't have this option.
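Added example, not code from the thread: a small Python model of the three Linux rules jschiwal's answer turns on (only the file's owner or root can change its ACL, only root can chown, and the sticky bit blocks delete-and-replace), walked through the sample/sally/authors scenario above so the hand-off problem can be reasoned about without root access. The users root, sally and bob, the group authors and the file are constructed names; the ACL mask is deliberately left out.

```python
from dataclasses import dataclass, field

@dataclass
class File:
    owner: str
    group: str
    mode: str                                 # "rw-r-----": owner, group, other bits
    acl: dict = field(default_factory=dict)   # "u:sally" -> "rw", "g:authors" -> "r"

def has_perm(user, groups, f, perm):
    # perm is "r" or "w". Order follows the Linux ACL check: root, owner bits, named user
    # entry, owning group / named group entries, other bits (ACL mask left out for brevity).
    if user == "root":
        return True
    if user == f.owner:
        return perm in f.mode[0:3]
    if f"u:{user}" in f.acl:
        return perm in f.acl[f"u:{user}"]
    grants = [f.mode[3:6] if g == f.group else f.acl.get(f"g:{g}", "") for g in groups[user]]
    return any(perm in p for p in grants) or perm in f.mode[6:9]

def setfacl(actor, f, entry, perms):   # setfacl -m: only the file's owner (or root) may do it
    if actor in ("root", f.owner):
        f.acl[entry] = perms
    return actor in ("root", f.owner)

def chown(actor, f, new_owner):        # only root may transfer ownership
    if actor == "root":
        f.owner = new_owner
    return actor == "root"

def unlink(actor, dir_owner, sticky, f):
    # rm or an editor's delete-and-recreate: sticky bit limits it to root, dir owner, file owner
    return not sticky or actor in ("root", dir_owner, f.owner)

def writers(f, groups):
    return sorted(u for u in groups if has_perm(u, groups, f, "w"))

def handoff_demo():
    # The thread's scenario; returns (writers before, all three bypasses refused?, writers after).
    groups = {"root": (), "sally": ("authors",), "bob": ("authors",)}   # constructed users
    sample = File(owner="root", group="root", mode="rw-------")
    setfacl("root", sample, "g:authors", "r")      # the whole team can read
    setfacl("root", sample, "u:sally", "rw")       # sally holds the edit token
    before = writers(sample, groups)
    refused = [not setfacl("sally", sample, "u:bob", "rw"),   # sally cannot pass it on
               not chown("sally", sample, "bob"),             # nor give bob the file
               not unlink("bob", "root", True, sample)]       # bob cannot replace it
    setfacl("root", sample, "u:sally", "r")        # only root can actually move the token
    setfacl("root", sample, "u:bob", "rw")
    return before, all(refused), writers(sample, groups)
```

Running handoff_demo() shows the writer set moving from root+sally to root+bob only after root intervenes, which is exactly the limitation the post describes.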
 
  

