assign permissions

kopper27 · 11-12-2009, 04:02 PM

hi guys

I had 10 users and 3 linux servers
they are normal users

I need to assign read access to these 1o users to /opt /var /usr

how can I accomplish that without going user by user?

any idea?

should this command work? well for me is not working

chmod -R o+r /var

after that user cannot access /var anymore

ammorais · 11-12-2009, 05:16 PM

Ensure that your users belong to the same group.

If you don't have a regular users group create one:

Code:

groupadd users

Add all your regular users to the group

Code:

gpasswd -a users username1
gpasswd -a users username2
...

grant open access to directories:

Code:

find /directory -type d -exec chmod g+xr-w {} \;
you can also revogue access to the rest:
find /directory -type d -exec chmod o-xrw {} \;

grant read acess to the rest of the files:

Code:

find /directory -type f -exec chmod g+r {} \;
you can also revogue access to the rest:
find /directory -type f -exec chmod o-rwx {} \;

Be careful on changing the permissions on /usr and /var and /opt
Do that at your own risk.

<edit>
changed an error -type d to -type f on the files section
</edit>

kopper27 · 11-12-2009, 05:34 PM

I think the command is

chmod -R o+r *

so I need to be in the folder /var before

chrism01 · 11-12-2009, 05:38 PM

You're going to need the 'x' perm on the dirs as well; it means search/access on a dir, not 'execute' http://linux.die.net/man/1/chmod

ammorais · 11-12-2009, 05:39 PM

Quote:

Originally Posted by kopper27

I think the command is

chmod -R o+r *

so I need to be in the folder /var before

You will be changing others permissions so you will be giving read access to everyone.

Also by only adding +r to all files you are not giving read access to directories.

Was there something in my reply that you didn't understand???

PS:

Quote:

I think the command is ...

If you are going to ignore the answers that are given to you why do you come here?

kopper27 · 11-12-2009, 05:50 PM

really sorry I posted without updating the post so I never saw your answer

so it's going to be

Code:

groupadd normalreaduser

Code:

gpasswd -a normalreaduser user1
gpasswd -a normalreaduser user2
gpasswd -a normalreaduser user3
...

and this

Code:

find /var -type d -exec chmod g+xr-w {} \;

find /var -type f -exec chmod g+r {} \;

Am I right?

Why could be risky to add read access to /var and /usr?

I was thinking I needed to specify the group name somewhere

ammorais · 11-12-2009, 05:55 PM

Quote:

sorry I posted without updating the post so I never saw your answer

It's a little difficult to swallow that since your reply was posted 18 minutes after mine. Anyway everybody deserves the benefit of the doubt.

Quote:

Am I right?

I was thinking I needed to specify the group name somewhere

You are exactly right.

PS: Your users may also already belong to a group, so check the groups and their users in /etc/groups

ammorais · 11-12-2009, 06:04 PM

Quote:

Why could be risky to add read access to /var and /usr?

I didn't noticed this line.
Changing file permissions on system files it's something that you should be careful. Some programs depend on specific file permissions, and do not function properly (or at all) if you change the permissions.

kopper27 · 11-12-2009, 08:57 PM

got your point but I was working and let the windows opened when I did some test about chmod and posted after posting found your answer.

well so far

I got users like this some they below to their own group
so I need to create a new group

Code:

uid=508(lorenzo) gid=508(lorenzo) groups=508(lorenzo)
uid=508(roberto) gid=508(roberto) groups=508(roberto)

I get this error

Code:

[root@node02 ~]# groupadd testgroup
[root@node02 ~]# gpasswd -a testgroup user1
gpasswd: unknown user testgroup

Can I add the new group as a secondary group?

Code:

[root@node02 ~]# usermod -a -G testgroup user1

ammorais · 11-12-2009, 09:21 PM

sorry my bad.

it's gpasswd -a user group

On unix when in doubt use:

Code:

command --help
or
man command

The last option that you suggested is also valid.
in Unix there's usually several ways of doing something.

An alternative way is to edit the /etc/groups directly

glinuxo · 11-13-2009, 10:20 AM

ammorais thanks a lot for your help and the other guys

BTW ammorais yes it's not a good practice AT ALL for instance in /usr/ we got some APPs that could not word If I assign read to ALL

thanks a lot

I am going to check this request to be completely sure

kopper27 · 11-13-2009, 02:39 PM

by the way guys

I am thinking about this
for instance I have a directory which owner is root:root

is there any way like in windows 2003 to assign another group (which includes my 10 users) and give to that group read permissions?

basically I wanna know if a directory can be manage by different groups.

This is because during this journey I got a directory which owner was something different that root so I used (apache_group)

Code:

usermod -a -G apache_group user1

but I cannot do that the same when a owner of a directory is root

Code:

usermod -a -G root user1

that's a Big NO NO

any idea?

ammorais · 11-13-2009, 04:08 PM

I totality forgot that you must assign the directory's group.

Code:

chgrp users /directory

Answering your question.
In Unix each file can only have one user and one group.

What you want is Access Control List. Have a look here to see how to work with it.

Also I suggest you have a look at Role-based access control implementations. Currently they are supported by grsecurity and SELinux.

kopper27 · 11-13-2009, 04:16 PM

Quote:

Originally Posted by ammorais

I totality forgot that you must assign the directory's group.

Code:

chgrp users /directory

Answering your question.
In Unix each file can only have one user and one group.

What you want is Access Control List. Have a look here to see how to work with it.

Also I suggest you have a look at Role-based access control implementations. Currently they are supported by grsecurity and SELinux.

thanks a lot for all that info

I think I am going to have some to thing this weekend

ammorais · 11-13-2009, 04:34 PM

Quote:

Originally Posted by kopper27

thanks a lot for all that info

I think I am going to have some to thing this weekend

You're welcome.

Good luck.