How to have specific user-permissions for a group of files?

ajaygarg · 08-14-2012, 01:12 AM

Hi all.

I am wanting to have a situation, wherein only a particular user can read-only/write-only/read-write to a group of files.

So, what would be the best way to go about this? Two broad alternatives come to my mind ::

a)
Specifying rules in the already existing configuration files (I could google the details of the files, but let's not delve into the details for the moment).

b)
Write (Code), and load a Loadable-Kernel-Module (LKM), that hacks on the syscall -table, and does all the checking/processing there.

What would you suggest

?

Looking forward to ideas.

Thanks and Regards,
Ajay

Wim Sturkenboom · 08-14-2012, 01:35 AM

I guess you mean to say user A can read, user B can write and user C can do both?

You might be able to do it with normal permissions (not sure if rw--w-r-- will exactly achieve what you need). And else you can look at ACLs.

I further think that you need to elaborate a bit. I might have missed something but what kind of configuration files are you talking about? This would imply permissions via some specific application and not necessary at file system level.

ajaygarg · 08-14-2012, 01:52 AM

Thanks Wim for the reply.

Ok, so here is my exact usecase ::

I want just one user/process to be allowed to read a group of files. This user is not necessarily the root.

So, if the "other" is a user, a maximum of two users - one "root" (by definition), and the "other" user (by some configuration) would be able to read the specific group of files.

If the "other" is a process, only the "root" user (by definition), and the "other" process (by some configuration), would be able to read the specific group of files.

So, yes, a generic "rw--w-r--" wouldn't help

Also, I was mainly talking about "/etc/sudoers", where (I think) there are provisions to set user/process-specific permissions (please correct me if I am wrong).

So,
what would be your suggestion now

For brevity, please note that the "root" (the superuser) would have the permissions to alter the "rules". This is as expected for the superuser.

Thanks and Regards,
Ajay

jschiwal · 08-14-2012, 02:21 AM

You can do that setting the owner to the user who can write to the file and a group that can only read. The permissions would be u=rw,g=r,o= or 0640. If you want more users or groups to be able to access the file with different permissions, then look at using ACLs. You uses setfacl to set acls and getfacl to read them. The file system needs to be mounted with the `acl' option, and the file system needs to be a native Linux file system that supports them.

You can even use acls with a cifs mount from another Linux samba server.

ajaygarg · 08-14-2012, 03:01 AM

Thanks jschiwal for the reply.

Hmm.. I had a first look at Linux-ACLs tutorial; and it seemed good. It provides the finest control possible, when only users/groups are involved.

Wim, jschiwal,
What would you suggest, when such fine grained control is needed on a per-process basis? Does anything similar exist, or I will have to go for a KLM?

Thanks Wim and jschiwal.

Thanks and Regards,
Ajay