Using credentials of multiple groups simultaneously
Hello,
I have a setup where I am trying to create a hierarchy of user groups. That is to say, there are developers and project managers etc. Project managers can access all the files developers can access and some that developers cannot. For this, I have two groups, devel and projman. A project manager belongs to both groups but his primary group is projman.
Now my question is simple. Is there a way for a project manager to access files that are accessible only by the devel group, without having to switch between his projman and devel groups? What I mean is, how do I let my project manager use the credentials of both his group memberships simultaneously? I'm hoping there's a simple solution to this that I haven't been able to find.
Credentials of groups? What are you talking about? Is this an application you're logged into? You talk about file access, but your other comments don't relate at all to how you would use files directly on a filesystem.
Maybe you just want ext3 ACLs?
Last edited by acid_kewpie; 02-04-2012 at 11:17 AM.
@acid_kewpie - perhaps credentials was the wrong word to use. What I mean is that since a project manager belongs to two groups, I want him to be able to access files available to either of the groups, without having to change his primary group.
So, for instance, if there are 2 files on my system:
Project Manager belongs to both devel and projman groups. Can he access both files, without changing his "current group"* from devel to projman or vice-versa?
.....
As it turns out, it works. Not sure why it didn't yesterday. Anyhow, I hope the question is clearer now, even if I still look like an idiot.
Quote:
Originally Posted by chiraag
Project Manager belongs to both devel and projman groups [...]
therefore he can access both files.
I have used group-based access controls on a number of servers, and I can recommend it. There are a couple of points to note:
Set umask to 0002 for all users.
This ensures the files they create will by default be both readable and writable by their group.
The best place to do this is in the shell startup files in /etc/, so the setting is universal (for all users with non-system uids, i.e. uid > some-number).
Set the setgid bit, g=rwxs for all directories.
When the setgid bit is set, all files and all subdirectories created in that directory will inherit the group from the directory. (Normally, the primary group of the user is used.)
Also, subdirectories will inherit both the group and the setgid bit.
NFSv3 will only handle the first 15 (if I remember correctly) supplementary groups for each user.
This means that if a project manager is involved in a lot of groups, they'll encounter problems if using NFSv3 shares. You can fix those problems either by using NFSv4, or by teaching the managers to use a simple tool that will change their supplementary group memberships based on directories they specify. (That is, they don't need to know which groups they want in the supplementary list, only which directories they want to access next/at the same time, and the tool will modify the supplementary group list accordingly.)
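The point the thread settles on (a process is checked against its supplementary groups at the same time as its primary group, so no group switching is needed) and the three points above (umask 0002, setgid directories, the NFSv3 group-list limit) as a small Python model. This is an added example, not code from the thread; the uids and gids are constructed, and the limit of 16 gids is the AUTH_SYS cap from the RPC spec, passed in as a parameter.

```python
"""Added example, not from the thread: a small model of how Linux decides
group access and how umask/setgid shape new files, using the thread's
devel/projman groups. All uids and gids are constructed."""
from dataclasses import dataclass, field
import stat

R, W, X = 4, 2, 1  # bits within one rwx class

@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int                                   # primary (effective) group
    groups: frozenset = field(default_factory=frozenset)  # supplementary

@dataclass
class Inode:
    uid: int
    gid: int
    mode: int                                  # e.g. 0o2775

def in_group(cred, gid, max_groups=None):
    """Primary gid OR any supplementary gid; max_groups models a transport
    that carries only the first N supplementary gids (NFSv3 AUTH_SYS: 16)."""
    supp = sorted(cred.groups)
    if max_groups is not None:
        supp = supp[:max_groups]
    return gid == cred.gid or gid in supp

def may_access(cred, inode, want, max_groups=None):
    """One class only: owner if uid matches, else group if member, else other."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif in_group(cred, inode.gid, max_groups):
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want

def create_in(cred, parent, requested=0o666, umask=0o022):
    """gid from a setgid parent else creator's primary gid; mode = request & ~umask."""
    gid = parent.gid if parent.mode & stat.S_ISGID else cred.gid
    return Inode(cred.uid, gid, requested & ~umask)

def mkdir_in(cred, parent, requested=0o777, umask=0o022):
    """New directory: as create_in, and it also inherits the setgid bit."""
    inode = create_in(cred, parent, requested, umask)
    if parent.mode & stat.S_ISGID:
        inode.mode |= stat.S_ISGID
    return inode
```

The last case in the test below shows the NFSv3 failure mode the post describes: a manager in more than 16 groups keeps access locally but loses it once the group list is truncated on the wire.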
Quote:
Originally Posted by chiraag
As it turns out, it works. Not sure why it didn't yesterday. Anyhow, I hope the question is clearer now, even if I still look like an idiot.
No worries!
Like I said, I've used this extensively. One thing I've found exceedingly useful is that since all accesses are determined based on the group membership, you can use the owner information to track the user who "owns" the files. This is especially useful when monitoring changes to files that are not in a repository. The most useful use case thus far has been tracking web page edits when there is an often-changing group of web administrators.
If the users use nano, vi, or emacs to edit the files directly, you can use a wrapper that locks the file and edits a newly created copy, to avoid errors from simultaneous edits, and to ensure the file owner always tells who edited the file last.
If you have any questions, or have use cases (or complex situations), feel free to PM me; I'd be very happy to discuss some of the techniques and details and solutions either here, in another thread, or privately.