LinuxQuestions.org


kopper27 11-12-2009 04:02 PM

assign permissions
 
hi guys

I had 10 users and 3 linux servers
they are normal users

I need to assign read access to these 10 users to /opt /var /usr

how can I accomplish that without going user by user?


any idea?

should this command work? well for me is not working

chmod -R o+r /var

after that user cannot access /var anymore

ammorais 11-12-2009 05:16 PM

Ensure that your users belong to the same group.

If you don't have a regular users group, create one:

Code:

groupadd users

Add all your regular users to the group:

Code:

gpasswd -a users username1
gpasswd -a users username2
...

Grant open access to directories:

Code:

find /directory -type d -exec chmod g+xr-w {} \;

You can also revoke access to the rest:

find /directory -type d -exec chmod o-xrw {} \;

Grant read access to the rest of the files:

Code:

find /directory -type f -exec chmod g+r {} \;

You can also revoke access to the rest:

find /directory -type f -exec chmod o-rwx {} \;

Be careful on changing the permissions on /usr and /var and /opt
Do that at your own risk.

<edit>
changed an error -type d to -type f on the files section
</edit>

kopper27 11-12-2009 05:34 PM

I think the command is


chmod -R o+r *

so I need to be in the folder /var before

chrism01 11-12-2009 05:38 PM

You're going to need the 'x' perm on the dirs as well; it means search/access on a dir, not 'execute' http://linux.die.net/man/1/chmod

ammorais 11-12-2009 05:39 PM

Quote:

Originally Posted by kopper27 (Post 3754862)
I think the command is


chmod -R o+r *

so I need to be in the folder /var before

You will be changing others permissions so you will be giving read access to everyone.


Also by only adding +r to all files you are not giving read access to directories.

Was there something in my reply that you didn't understand???

PS:
Quote:

I think the command is ...
If you are going to ignore the answers that are given to you why do you come here?

kopper27 11-12-2009 05:50 PM

really sorry I posted without updating the post so I never saw your answer

so it's going to be

Code:

groupadd normalreaduser

Code:

gpasswd -a normalreaduser user1
gpasswd -a normalreaduser user2
gpasswd -a normalreaduser user3
...

and this

Code:

find /var -type d -exec chmod g+xr-w {} \;

find /var -type f -exec chmod g+r {} \;

Am I right?

Why could it be risky to add read access to /var and /usr?


I was thinking I needed to specify the group name somewhere

ammorais 11-12-2009 05:55 PM

Quote:

sorry I posted without updating the post so I never saw your answer

It's a little difficult to swallow that since your reply was posted 18 minutes after mine. Anyway everybody deserves the benefit of the doubt.

Quote:

Am I right?


I was thinking I needed to specify the group name somewhere

You are exactly right.

PS: Your users may also already belong to a group, so check the groups and their users in /etc/groups

ammorais 11-12-2009 06:04 PM

Quote:

Why could it be risky to add read access to /var and /usr?

I didn't notice this line.
Changing file permissions on system files is something that you should be careful about. Some programs depend on specific file permissions, and do not function properly (or at all) if you change the permissions.

kopper27 11-12-2009 08:57 PM

got your point but I was working and let the windows opened when I did some test about chmod and posted after posting found your answer.

well so far

I got users like this; some of them belong to their own group
so I need to create a new group

Code:

uid=508(lorenzo) gid=508(lorenzo) groups=508(lorenzo)
uid=508(roberto) gid=508(roberto) groups=508(roberto)


I get this error

Code:

[root@node02 ~]# groupadd testgroup
[root@node02 ~]# gpasswd -a testgroup user1
gpasswd: unknown user testgroup

Can I add the new group as a secondary group?
Code:

[root@node02 ~]# usermod -a -G testgroup user1

ammorais 11-12-2009 09:21 PM

sorry my bad.

it's gpasswd -a user group


On unix when in doubt use:

Code:

command --help

or

Code:

man command

The last option that you suggested is also valid.
In Unix there's usually several ways of doing something.

An alternative way is to edit the /etc/groups directly

glinuxo 11-13-2009 10:20 AM

ammorais thanks a lot for your help and the other guys

BTW ammorais yes it's not a good practice AT ALL, for instance in /usr/ we got some APPs that could not work if I assign read to ALL

thanks a lot

I am going to check this request to be completely sure

kopper27 11-13-2009 02:39 PM

by the way guys

I am thinking about this
for instance I have a directory which owner is root:root

is there any way like in windows 2003 to assign another group (which includes my 10 users) and give to that group read permissions?

basically I wanna know if a directory can be managed by different groups.

This is because during this journey I got a directory whose owner was something different than root so I used (apache_group)

Code:

usermod -a -G apache_group user1

but I cannot do the same when the owner of a directory is root

Code:

usermod -a -G root user1

that's a Big NO NO

any idea?

ammorais 11-13-2009 04:08 PM

I totally forgot that you must assign the directory's group.

Code:

chgrp users /directory

Answering your question.
In Unix each file can only have one user and one group.

What you want is Access Control List. Have a look here to see how to work with it.

Also I suggest you have a look at Role-based access control implementations. Currently they are supported by grsecurity and SELinux.
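
The group-read procedure the thread has arrived at by this point (a group, `chgrp` on the tree, read on files, read plus search on directories), as an added example that is not part of the original posts. It uses chmod's capital `X` in place of the two `find` passes and adds an audit step; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# grant_group_read GROUP DIR
#   chgrp -R hands the tree to GROUP. g+rX adds read everywhere and search (x)
#   only on directories and on files that are already executable; g-w keeps
#   the group read-only. The "other" bits are not touched.
grant_group_read() {
    chgrp -R "$1" "$2" || return 1
    chmod -R g+rX,g-w "$2"
}

# audit_group_read DIR
#   Prints every path the group still cannot use: directories missing group
#   r or x, regular files missing group r. No output means nothing is left.
audit_group_read() {
    find "$1" \( -type d ! -perm -050 -o -type f ! -perm -040 \) -print
}

# demo_tree: constructed sample tree, private to its owner (700/600).
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/log/app"
    echo data > "$root/log/app/app.log"
    echo '#!/bin/sh' > "$root/run.sh"
    chmod 700 "$root" "$root/log" "$root/log/app" "$root/run.sh"
    chmod 600 "$root/log/app/app.log"
    echo "$root"
}

# Demo on the constructed tree, using the caller's own primary group so it
# runs without root; on a real system pass the group created with groupadd.
tree=$(demo_tree)
echo "blocked before: $(audit_group_read "$tree" | wc -l)"
grant_group_read "$(id -g)" "$tree"
echo "blocked after:  $(audit_group_read "$tree" | wc -l)"
rm -rf "$tree"
```

Running the audit before changing anything on a real tree shows how many paths the change would touch, which is the information needed to judge the risk raised earlier in the thread.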

kopper27 11-13-2009 04:16 PM

Quote:

Originally Posted by ammorais (Post 3756217)
I totally forgot that you must assign the directory's group.

Code:

chgrp users /directory

Answering your question.
In Unix each file can only have one user and one group.

What you want is Access Control List. Have a look here to see how to work with it.

Also I suggest you have a look at Role-based access control implementations. Currently they are supported by grsecurity and SELinux.


thanks a lot for all that info

I think I am going to have some to thing this weekend :rolleyes:

ammorais 11-13-2009 04:34 PM

Quote:

Originally Posted by kopper27 (Post 3756226)
thanks a lot for all that info

I think I am going to have some to thing this weekend :rolleyes:


You're welcome.

Good luck.

kopper27 11-16-2009 09:55 AM

ammorais

2 more questions if you have some time

I was checking the ACL and found this in order to have it working

Code:

mount -o remount,acl /home

for example if it were / instead of home, or the others I mentioned, /var /usr
will doing that mount impact users or applications? I mean, do I have to schedule downtime for that mount command?

second

even using this granularity permission strategy (ACL) would it still be risky to assign read permissions to those folders???

sorry for this I am pretty newbie

kopper27 11-16-2009 11:57 AM

thinking this over

it is the same, I mean adding normal R permissions or using setfacl.... so I either need to read about Role-based access control or explain to my customer why changing to R is not a good idea at all

chrism01 11-16-2009 05:04 PM

Think about this; normally, the default perms on /var, /opt are correct. Think about what you are trying to accomplish, do you really need to mess with them?

If you want an area where people can share files, then the usual approach is

1. create newuser, newgrp
2. create the home dir for newuser, newgroup
3. chmod g+s newgrp newdir
4. add newgrp to reqd users as a 2ndary group

If(!) you need to go into even more fine-grained ctrl, then add ACLs to the above.
Note that the

mount -o remount,acl /newdir

can be done on the fly, ie no reboot reqd. See also tune2fs eg

tune2fs -l <device> | grep options

will show if acls are already turned on.
http://linux.die.net/man/8/tune2fs

HTH

Why exactly would you want to mess with /var, /opt?

kopper27 11-16-2009 11:12 PM

thanks for the info

just a question, what do you mean by chmod

Code:

g+s newgrp newdir

I mean, what does the s mean

yeah just a customer who is asking that and I already told him but needs more info why this can not be done

basically I need the path where they want to have read access
so I have to check them and see what I can do

thanks a lot

chrism01 11-16-2009 11:22 PM

chmod g+s newgrp newdir

add sgid (set group id) of newdir 'permissions' to newgrp; basically forces all files created therein to have group ownership of newgrp, regardless of creator's grpid.
http://linux.die.net/man/1/chmod

eg
rwxrwx--- becomes rwxrws---

HTH
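
The shared-directory setup and the setgid behaviour described in the two posts above, as an added example that is not part of the original thread. It sets the group with `chgrp` and the bit with `chmod` as two separate commands; the function names are hypothetical and the demo runs in a temporary directory with the caller's own primary group.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# make_shared_dir GROUP DIR
#   chgrp and chmod are separate commands: chgrp sets the directory's group,
#   chmod 2770 sets rwxrws--- (the leading 2 is the setgid bit, same as g+s).
make_shared_dir() {
    mkdir -p "$2" || return 1
    chgrp "$1" "$2" || return 1
    chmod 2770 "$2"
}

# inherits_group DIR
#   Creates a file and a subdirectory inside DIR and succeeds only if both
#   took DIR's group and the subdirectory carries setgid itself. setgid fixes
#   the group, not the mode: the creator's umask still decides whether the
#   group can write, so umask 007 is set here (an assumption for the demo).
inherits_group() {
    want=$(stat -c %g "$1")
    ( umask 007 && touch "$1/probe.txt" && mkdir "$1/probe.d" ) || return 1
    [ "$(stat -c %g "$1/probe.txt")" = "$want" ] &&
        [ "$(stat -c %g "$1/probe.d")" = "$want" ] &&
        [ -g "$1/probe.d" ]
}

# Demo in a temporary directory, using the caller's own primary group so it
# runs without root; on a real system pass the shared group's name instead.
demo=$(mktemp -d)/shared
make_shared_dir "$(id -g)" "$demo" && inherits_group "$demo" &&
    stat -c '%A %n' "$demo" "$demo/probe.txt" "$demo/probe.d"
rm -rf "$(dirname "$demo")"
```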

