hello:

I find that only root has permissions to run programs like mount.
So I created a group called admin. I want to enable another entity besides root to run programs like mount. how do i assign group permissions to executable programs?

thanx

groupadd, chgrp, and chmod are the commands you need here.

chgrp <groupname> <file> changes the group ownership of a file to whatever group you selected. The group has to exist for this to work. You can add a group with the groupadd program.

chmod is a bit more complex.

There are basic four three bit numbers involved. For now, we will skip the first number. The second number is owner permissions, second is group permissions, third is everyone else.

So, lets break it down. The three bits stand for read, write, and exec.
read = 100 (binary) or 4 (decimal)
write = 010 (binary) or 2 (decimal)
execute = 001 (binary) or 1 (decimal)
Permission can be added together. 6 would be read and write but not execute. 7 would be read write and execute, ect.

So, say we have the mount program for example.
chmod 0550 /sbin/mount
This gives read and execute privileges to the owner of the file (root) and the group designated to the file (in your case admin). It also gives no rights to other users.

Now... that still isn't enough in the case of programs like mount. Mount always has to be executed as root because of the nature of what it does... That is where the first 3-bit number in 0550 comes into play.

The first number is also a 3 bit number, but the bits stand for different things then read, write and execute.
set uid on exec = 100 (binary), 4 (decimal)
set gid on exec = 010 (binary), 2 (decimal)
sticky bit = 001 (binary), 1 (decimal)

The one we really care about here is the set uid on exec. What this means is no matter who executes the program (providing they have exec privileges) it gets run as if the owner of the file ran it.

So, the actual command you would want for mount is:
chmod 4550 /sbin/mount
This assumes your mount program is located in /sbin. If not... change the line accordingly.

To summarize...
groupadd admin
chgrp admin /sbin/mount
chmod 1550 /sbin/mount

This should allow any user in the group admin to run mount.

For more info
man groupadd
man chgrp
man chown
man chmod

thank you for that nice reply. I will try it this evening.
while we are in the subject can teh files be owned by multiple groups or only one group is allowed ownership?

thanx

Just out of curiosity, were you having a problem mounting something specific?

I ask because I started doing what you're doing here and then realized it wasn't a problem with permission to run mount, rather permissing to mount specific devices. When I installed 10.0, the default fstab didn't give permission for users to mount my CD/DVD drive, so I had to edit that file, and all was well.

Just mentioning it because of your mentioning mount. Not knowing what the specific issue was, I thought the solution might be less complex than creating new users and setting a permission policy.

actually I had a querious set of problems. It mounted one of my filesystems with user/group id of 500. Then I had to switch to root to reset the permissions.

The other problem I had was I installed a student version of matlab which required you to have the cd in drive for it to run. in suse teh cd was mounted as /media/dvdrecorder and /dev/dvdrecorder. for matlab to work i had to mount the same device on /cdrom.
another curious thing was even though in /etc/fstab the entry was /dev/dvdrecorder, I foudn that the true devie /dev/hdc. I could not figure how /dev/hdc was mapped to /dev/dvdrecorder.


so it goes.....