LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Permissions on enterprise manyuser system... (https://www.linuxquestions.org/questions/linux-newbie-8/permissions-on-enterprise-manyuser-system-852794/)

/dev/me 12-28-2010 07:18 AM

Permissions on enterprise manyuser system...
 
I work in a Windows world, and I am encountering many situations where several groups of people need read-only access to certain files or directories and other groups need write access to them, while still world permission is set to none.

But I've so far only used Linux on my own personal machines, so this was never an issue. But now I'm working towards a many-user system, and I shamefully having to admit I have no idea how to do this on Linux.

I tried googeling, but it appears to me the owner-group-world permission /is/ the system to use.

So how do you give write access to a selection of user groups and read-only permission to another set of user groups? The owner-group-world system isn't flexible enough for this (as far as I can tell) and ... eh ... I was thinking perhaps with SELinux or something? (as a Slackware user I'm not really confident with SELinux)

jv2112 12-28-2010 07:56 AM

man chown

man chmod

/dev/me 12-28-2010 08:31 AM

Yes, thank, I'm familiar with chmod and chown and for that matter, man

But that doesn't quite explain to me how to embed different groups into a permission system, or figure a way around it.


For example, I have a directory called /finance

I want the managers and auditors to be able to read in that directory, and the beancounters and IT staff to write in that directory. The rest of the organisation cannot access that directory.

In Windows, I set different groups on the directory:
DR_FINANCE_RO => gets read permission
DR_FINANCE_RW => gets write permission

Now I add the managers and auditors to DR_FINANCE_RO
And the beancounters and IT staff to DR_FINANCE_RW

But I want to replicate this functionality on Linux.


So my question really is more of a matter of how do I set several groups on a direcotry structure. I know about chmod g+s, not about how to set more than one group permission on a directory?

jschiwal 12-28-2010 08:46 AM

You can use acls. If you don't have the setfacl program, you may need to install the acl package. Also, add "acl" to the mount options in /etc/fstab.

See the examples at the end of the setfacl manpage. They are easier to understand.

You will need to add individual users to the groups, instead of adding groups.

kforbus 12-28-2010 08:47 AM

Sounds like you're wanting to use ACL's. I would recommend reading up on linux filesystem ACL's and maybe the man pages for setfacl and getfacl. And if I remember correctly, you'll also need to have support for this enabled in your kernel and you'll need to add the acl option to your /etc/fstab.

/dev/me 12-28-2010 09:12 AM

Hey! This looks hopeful! Thanks very much :D


I understood correctly it is not possible to embed groups into groups as you do in Windows, right?

Such as: user john is a member of the group auditors and the group auditors is member of the groups DR_FINANCE_RO, DR_AUDIT_RW, DR_WHATEVER_RW and APP_OFFICE_RUN

So that if sarah becomes auditor, I only have to add her to auditors(group) and she gets all of the above automagically?

Not that it's necessary, just wondering then what the best way to handle it is? For example, I want all auditors to get DR_FOO_RO also, I'd need to pick all auditors manually and add them to the group manually?

kforbus 12-28-2010 09:08 PM

I'm not aware of any way to add a group to a group in Linux. You should, however, be able to write a shell script to help you with adding all the users from one group to another. That way your effort can be put into writing a script once that you can use over and over with minor edits instead of moving users between groups by hand. I'm not really sure how many users you're dealing with, though. But if it's a lot, I wouldn't even think of adding them all to a group manually. Alternatively, if your Linux boxes authenticate with a central directory server like Active Directory, you could just do the group manipulation there and call it a day.


All times are GMT -5. The time now is 07:22 PM.