Old 06-18-2018, 09:41 AM   #1
chickenminnie
LQ Newbie
 
Registered: Jan 2005
Location: ALbany, NY
Distribution: SLES
Posts: 13

Rep: Reputation: 0
Oddball permissions scenario


I have a home volume with fifty or so home directories in it which each corresponding user can write to as you would expect. I need to give one user (DATA) the ability to write to each of these directories; would this best be accomplished by giving DATA its own group and allowing DATA's group write access to these folders? Am I over-thinking this?

Thanks,

M
 
Old 06-18-2018, 10:14 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Rep: Reputation: 3721
If you want to stay out of the way of the regular users' use of the directories then ACLs are probably the best way even if they are a bit confusing.

Otherwise you can use the group permissions.
 
Old 06-18-2018, 07:33 PM   #3
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
Quote:
Originally Posted by chickenminnie View Post
I have a home volume with fifty or so home directories in it which each corresponding user can write to as you would expect. I need to give one user (DATA) the ability to write to each of these directories; would this best be accomplished by giving DATA its own group and
You are not overthinking this and basically it is correct. You would need to set the group ownership of all home directories to data. And then, make all directories group writable.

You can create a new user data, belonging to the data group. He will have write access to all home directories. You don't need to create that user data, you can add any user to the data group.

A slight problem is that ordinary users do not belong to the data group. If they would, everyone would have write access to all home directories. But if they are not members of the data group the newly created files do not have group ownership by data and cannot be written by the data group.

In order to make sure every file created in that directory has data groupid, you should set the sticky bit on the user's directory.
Code:
chmod g+s /home/myuser
jlinkels
 
Old 06-18-2018, 09:58 PM   #4
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
I thought home directories had to be owned by the user.
 
Old 06-18-2018, 10:17 PM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
A couple of thoughts here:
First, should all files be group writable by DATA?...or only those files DATA writes?
If the latter, I disagree with jlinkels...don't set the sticky bit for group DATA...
Otherwise, their advice looks sound...
But...
How will the "ordinary user" be able to read files created by the DATA user? Do they even need to?
or...more to the point...
What exactly are you trying to accomplish? [This is known as the "Tim D. Memorial Question" where I came from.]

Why does the user DATA need to write to other users' directories?

Quote:
Originally Posted by AwesomeMachine View Post
I thought home directories had to be owned by the user.
I don't see that anyone is proposing a change in the ownership of the user's home directories...

Last edited by scasey; 06-18-2018 at 10:25 PM.
 
Old 06-19-2018, 04:27 AM   #6
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
The user directories and files remain owned by the user. Group is set to data. Directories and files must be group writable.

jlinkels
 
Old 06-19-2018, 08:04 AM   #7
chickenminnie
LQ Newbie
 
Registered: Jan 2005
Location: ALbany, NY
Distribution: SLES
Posts: 13

Original Poster
Rep: Reputation: 0
This is exactly what I was trying to accomplish, thank you.
Quote:
Originally Posted by jlinkels View Post
The user directories and files remain owned by the user. Group is set to data. Directories and files must be group writable.

jlinkels
This box acts as a file hub of sorts for a bunch of ETL processes and one of our remote technicians discovered that he could traverse the directories in /home which isn't a good idea.

Thanks everyone!
 
Old 06-19-2018, 08:08 AM   #8
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
Owning user not a member of owning group

Quote:
Originally Posted by jlinkels View Post
You would need to set the group ownership of all home directories to data. And then, make all directories group writable.

You can create a new user data, belonging to the data group. A slight problem is that ordinary users do not belong to the data group. If they would, everyone would have write access to all home directories.

So, that means ownership would need to be user:group where 'user' is not a member of 'group'? Can you do that?
 
Old 06-19-2018, 11:54 AM   #9
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
Quote:
Originally Posted by AwesomeMachine View Post
So, that means ownership would need to be user:group where 'user' is not a member of 'group'? Can you do that?
Yes, that is perfectly possible. Look at this example. gemerenciana is not a member of the adm group. Still she is able to create files which belong to the adm group. The next problem is that she has a umask of 022, which should be changed to 002 if files must be group writable. The setgid only makes the group ownership stick.

The idea behind this is that a user co-operating on a project would make his files group writable, either automatically by changing the umask, or on purpose to give his group members access.

If you realize how Unix was designed, for which purpose and that the world was not as evil as it is now, it makes perfect sense.

Directory:
Code:
drwxrwsr-x 2 gemerenciana adm   4096 Jun 19 16:43 gemerenciana
Create a file
Code:
gemerenciana@homeservII:/tmp/gemerenciana$ touch weg2
gemerenciana@homeservII:/tmp/gemerenciana$ ll
total 0
-rw-r--r-- 1 gemerenciana adm 0 Jun 19 16:43 weg
-rw-r--r-- 1 gemerenciana adm 0 Jun 19 16:45 weg2
Group membership:
Code:
gemerenciana@homeservII:/tmp/gemerenciana$ groups
users audio scanner family lspec gemerenciana
Owner changes the group permissions while she is not member of that group:
Code:
gemerenciana@homeservII:/tmp/gemerenciana$ chmod g+w weg*
gemerenciana@homeservII:/tmp/gemerenciana$ ll
total 0
-rw-rw-r-- 1 gemerenciana adm 0 Jun 19 16:43 weg
-rw-rw-r-- 1 gemerenciana adm 0 Jun 19 16:45 weg2

jlinkels

Last edited by jlinkels; 06-19-2018 at 12:00 PM.
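jlinkels' recipe from posts #3, #6 and #9, carried through as a runnable script with an audit check; this is an added example, not code from the thread. It assumes GNU coreutils (stat -c) and that the caller may chgrp to the named group, and it additionally clears the "other" bits, which is what closes the /home traversal the OP mentions in post #7.

```shell
#!/bin/sh
# Added example, not from the thread. It applies jlinkels' recipe (posts #3,
# #6, #9) to one home directory: owner unchanged, group set to the shared
# group, everything group-writable, setgid ("g+s", post #3) on directories so
# new files inherit that group. It also clears the "other" bits, which is what
# stops the /home traversal the OP mentions in post #7 (my addition).
# Assumes GNU coreutils (stat -c) and that the caller may chgrp to GROUP.
set -eu

# share_home DIR GROUP
share_home() {
    chgrp -R "$2" "$1"
    # directories: owner/group rwx, setgid, nothing for others -> 2770
    find "$1" -type d -exec chmod u=rwx,g=rwxs,o= {} +
    # files: add group read/write, drop others; owner bits are kept
    find "$1" -type f -exec chmod g+rw,o= {} +
}

mode_of()  { stat -c '%a' "$1"; }   # octal mode incl. setgid digit, e.g. 2770
group_of() { stat -c '%G' "$1"; }   # group name

# check_share_home DIR GROUP -> "ok", or the first path that drifted. Run it
# periodically: a user doing "chmod 755 ~" silently reopens the directory.
check_share_home() {
    find "$1" | while read -r p; do
        [ "$(group_of "$p")" = "$2" ] || { echo "wrong group: $p"; exit 1; }
        m=$(mode_of "$p")
        if [ -d "$p" ]; then
            [ "$m" = 2770 ] || { echo "directory not 2770: $p"; exit 1; }
        else   # group write bit set and no bits for others
            case $m in *[2367]0) ;; *) echo "bad file mode $m: $p"; exit 1 ;; esac
        fi
    done && echo ok
}

# new_file_mode DIR UMASK -> mode of a file a user creates under DIR with that
# umask. setgid fixes the group, but (post #9) the umask decides whether the
# group may write: 022 gives 644, 007 gives 660 (002 would give 664).
new_file_mode() {
    ( umask "$2"; : > "$1/new.$2"; mode_of "$1/new.$2" )
}
```

Turbocapitalist's ACL route from post #2 achieves the same access without touching group ownership: `setfacl -m u:data:rwX` on the existing entries plus a default entry `d:u:data:rwX` on each directory so files created later inherit it.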