Link Rights

Cottsay · 03-21-2006, 05:05 PM

Is it possible to make a link to a file and give it different rights than the original file? Really all that I wanna do is let another user get read access to a file, when the file owner/group must stay at root:root, and the rights at nothing for others...

Thanks,

Scott K Logan
CottsayNet
logans@cottsay.net

gilead · 03-21-2006, 05:34 PM

Not as far as I know. The name of the file is just a pointer to its contents. If you create a hard link and change its permissions the file gets the updated permissions. Therefore, each link shows the updated permissions.

If you create a symlink, the permissions of the symlink are ignored and the permissions on the actual file are used.

ntubski · 03-21-2006, 06:45 PM

I think to do what you want you will need access control lists. Otherwise you would have to make a new group with read access and add that user to it.

wipe · 03-21-2006, 08:04 PM

One way is to use sudo, if you only need to read or write using a specific program.

Putting the following into /etc/sudoers would allow reading fstab using less:

joeschmoe ALL = NOPASSWD: /usr/bin/less /etc/fstab

User joeschmoe would type sudo less /etc/fstab to read it with full root privileges. You could use this to allow copying a file, for example. Admittedly, sudoing is a bit hackish way of doing access control.

Simon

Cottsay · 03-23-2006, 02:43 PM

Alright, great. Thanks. Is there a way to allow PHP to access fstab using its apache:apache rights but keeping root:root rights on fstab?

Thanks

Scott

gilead · 03-23-2006, 03:28 PM

I have the following permissions on my fstab file, which are enough for the apache user to read the file:

Code:

$ ls -l /etc/fstab 
-rw-r--r-- 1 root root 814 2006-02-14 12:45 /etc/fstab

Read rights are all an application should need and those are given by the 'o' as in 'ugo' of the 3 permission groups. What did you need to do to the fstab file?

Cottsay · 03-23-2006, 03:50 PM

how about write to it?

nevelis · 03-23-2006, 04:41 PM

Hmmm.. Might not be wise to allow access to apache... You could chmod it (ie: chmod a+rw /etc/fstab) to allow anyone to write to it, or you could create another group called admin, for example, and add the user www-data to it (the default Apache username), then do "chmod g+rw /etc/fstab"

Cheers,
Aaron

PS: Still, be careful. Any buggy or unchecked forms in your PHP code could allow an exploit. Why do you want to write to the fstab from PHP anyway??

Cottsay · 03-23-2006, 05:31 PM

not fstab specifically - thats just the example used earlier in the thread. There must be a way to do this...right now i'm stuck with a ssh command with rsa keys to root and I don't like that. I just want to create a way to have a file:

-rwxrwx--- root:root /this_file

accessable to apache:apache without changing the rights at all...is there any way?

Thanks much!

nevelis · 03-23-2006, 09:25 PM

You could add the user www-data to the root group. Then do:

Code:

cd /whatever/folder/
chmod -R 770 ./

Cheers,
Aaron

Cottsay · 03-25-2006, 12:27 AM

It doesn't work like that...you configure user rights and group rights in the httpd.conf file...reguardless of the user's primary group. I was trying to avoid giving Apache root group rights...I think that the sudo thing is going to work fine though...thanks everyone!

Scott K Logan
CottsayNet
logans@cottsay.net