Hey Everyone,

I am trying to "secure" some files inside a directory. Essentially what i want to do is to have a person (user) be the administrator of a certain group and allow him to change permissions and ownerships. (Needless to say that I don't want this person to have "root" or "admin" privileges.

More specifically say that I have a directory called "example"

TheUser@MyPc:/home> ls -l | grep example
drwxrwxr-x 31 TheUser users 4096 2007-08-13 12:11 example

Notice that "example" can be written by anyone in the "users" group.

Now lets say that "user1" creates the file "file.user1" and
places it inside "example". Let us further assume that "user1" doesn't have a clue about permissions and we end up with something like this:

$TheUser@MyPc:/home> ls -l example | grep file
-rwxrwxr-x 32 user1 users 4096 2007-08-13 12:11 file.user1
-rwxrwxr-x 33 user2 users 4096 2007-08-13 12:21 file.user2


Of course I don't want either user to mess up with other users files but I would also like for "TheUser" to be able to change the permissions of all the files so that not even "user1" is able to modify the contents of "file.user1".


So far what I have done is

1.- Set the sticky bit on "example"

TheUser@MyPc:/home> chmod 1775 example && ls -l | grep example
drwxrwxr-t 31 TheUser users 4096 2007-08-13 12:11 example


(No messing around with other files)


2.- Making copies of the files to be changed (that takes care of the ownerships); change the permissions of the backup files and then overwriting the original files.

TheUser@MyPc:/home> cd example && cp file.user1 file.user1.bak && chmod 555 file.user1.bak && mv file.user1.bak file.user1 && ls -l | grep file
-r-xr-xr-x 32 TheUser users 4096 2007-08-13 12:51 file.user1
-rwxrwxr-x 33 user2 users 4096 2007-08-13 12:21 file.user2


Notice that this does the trick however I think it is very inefficient, especially when dealing with folders and subfolders.

Does anybody know about a better way to implement this?

Thank you very much in advance.

Edit. I thought I had the total solution but I was wrong. Below is a partial solution.

This is what you want to do. First set the ownership of the example directory to TheUser:users.
Then set the sticky bit for the group that owns the directory.
The 4 in the above permission string will force all files created in the example directory to be owned by the users group.

You may not need the sticky bit on the "others" permissions. I'm not sure.

Next you want your user accounts to have their umask set to 740. This next line of code has to go into a login script like /etc/profile.

Thanks. I will try your way. It does make sense to me and I am sure it will save me from implementing a recursive script.

Regards,