I've been trying to figure out if this is possible or not, and how to implement it?
I have a Source folder with files A, B and C.
I want to create a Limited Access Folder with only access to files A and B but not C. I don't want to duplicate the data.
I was thinking of a Symbolic link, and maybe adding permissions for a user to only see files A and B and not C?
The problem is, that I want to use a service account to access the two folders, Source and Limited and so then it'll have access to all the files anyway, so that wouldn't work?
Hope that makes sense, and someone may have a suggestion? Thanks
A link’s permissions are not relevant. Links “inherit” the permissions of the file being linked to.
Whatever you set the ownership of the original file(s) to will be reflected in the link(s).
If you don’t want the limited user to see file C, just don’t create a link to file C in the limited folder...
Yep, that's what I thought. So I'm wondering if there's a way to implement this scenario?
Just in case file C must exist in the second folder but not be accessible, explore bind mounts. You bind mount the source directory to the destination, and if I am not wrong, you can apply your own permissions on the destination.
If you can keep all the required folders in the same file system (any ext? or xfs will do), you can then create hard links to files (thus not duplicating them) and assign different ownerships and permissions.
Code:
mkdir -p /tmp/source /tmp/alice /tmp/bob
date > /tmp/source/file
ln /tmp/source/file /tmp/alice/file
chown alice /tmp/alice/file
chmod 700 /tmp/alice/file
ln /tmp/source/file /tmp/bob/file
chown bob /tmp/bob/file
chmod 400 /tmp/bob/file
ls -il /tmp/source/file /tmp/alice/file /tmp/bob/file
As hardlinks link to the I-node itself and ownership and/or permissions are stored IN that I-node, when you change either of them they will be changed for BOTH of the links.
So in fact creating a hard link and then changing ownership or permissions works out as being the same as changing those for the original file.
There is only a single ownership/group and/or permissions field IN the I-node, the hard link is just "an extra filename" for that I-node/file.
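The shared-inode behaviour described in the reply above can be checked without root. This is an added example, not part of any post in the thread; the temporary directory layout and the helper names `mode_of` and `hardlink_demo` are made up for illustration.

```shell
#!/bin/sh
# Added example: two hard links are two names for one inode, so a chmod
# through either name changes the mode seen through both.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create source/file, hard-link it as limited/file, chmod via the link only,
# then echo "<same inode?> <mode via source name> <mode via link name>".
hardlink_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/source" "$work/limited"
    date > "$work/source/file"
    chmod 644 "$work/source/file"
    ln "$work/source/file" "$work/limited/file"

    # Tighten permissions through the link name only.
    chmod 400 "$work/limited/file"

    # -ef is true when both paths refer to the same device and inode.
    if [ "$work/source/file" -ef "$work/limited/file" ]; then
        same=yes
    else
        same=no
    fi
    echo "$same $(mode_of "$work/source/file") $(mode_of "$work/limited/file")"
    rm -rf "$work"
}

hardlink_demo
```

The mode reported through the source name follows the chmod made through the link name, so per-folder permissions cannot be expressed with hard links.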
So this might seem counterintuitive but it will work regardless of where the file resides or links to it or the directory in which it resides.
First set the ownership of the file to that of the user you want to have no access to it and the group ownership to that of the group you do want to have access to it. Then set the permissions to 076 ---rwxrw- which says that the owner can not read, write or execute the file and that the group can do all three. Anyone else (Other) can read and write the file.
Apologies, I either didn't read this properly or only saw the first part in the email and replied quickly without reading the rest...but that seems so obvious now! Thanks for showing me what was in front of my eyes all along!
Basically, I need to come up with a script that only creates links to the files that I want in the other location 👌
No worries. "Forest for the trees," as they say.
If you want, you can mark the thread SOLVED using the thread tools at the top of the page.
Keep in mind that anyone who sees the links in that "Limited Access" folder can simply go to the target directory and see all the files. There is no way to make a file or directory accessible only via a symlink. If the link resolver can follow the path, so can the user. You can make that directory "sort of" private by not giving the user "read" permission on the directory. That will prevent listing the contents of the directory, but any known (or guessed) file name can still be accessed.
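An added example (not from any poster in the thread) of the allowlist approach discussed above: it links only the named files into the limited folder, then reports which directory those links point at, which is the exposure the previous reply describes. The function names and the Source/Limited layout under a temporary directory are assumptions.

```shell
#!/bin/sh
# Added example: populate a "limited" folder from an allowlist of file names.

# link_allowed SRC_DIR DEST_DIR NAME...
# Symlinks DEST_DIR/NAME -> SRC_DIR/NAME for each allowlisted regular file.
# Names containing "/" are rejected so an entry cannot reach outside SRC_DIR.
link_allowed() {
    src=$1; dest=$2; shift 2
    mkdir -p "$dest" || return 1
    for name in "$@"; do
        case $name in
            */*|.|..|'') echo "skip: $name" >&2; continue ;;
        esac
        if [ -f "$src/$name" ]; then
            ln -sfn "$src/$name" "$dest/$name"
        else
            echo "missing: $name" >&2
        fi
    done
}

# exposed_dirs DEST_DIR
# Lists the directories the links point at: anyone who can read the link
# learns this path, so the source directory needs its own permissions.
exposed_dirs() {
    for l in "$1"/*; do
        [ -L "$l" ] && dirname "$(readlink "$l")"
    done | sort -u
}

# Constructed sample: files A, B, C in Source; only A and B are allowlisted,
# and a path-style entry is passed to show that it is refused.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/Source"
    for f in A B C; do echo "$f" > "$work/Source/$f"; done
    link_allowed "$work/Source" "$work/Limited" A B ../Source/C
    names=$(ls "$work/Limited" | tr '\n' ' ')
    exposed=$(exposed_dirs "$work/Limited")
    [ "$exposed" = "$work/Source" ] && leak=source-path-visible || leak=none
    echo "${names}$leak"
    rm -rf "$work"
}

demo
```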
The other users are my kids, I think I have a few more years before they figure out how to access a computer...and they don't have access to the server anyway, only via Plex (which is the other account I'm talking about, using Docker).