On 01/26/2017 01:34 PM, Wols Lists wrote:
On 26/01/17 17:26, Daniel Bauer wrote:
Hi,
I'll give access to my computers to another person with her own new user.
I see that this user can see many or most of my files (read only), but I want her to be able to see only her own files.
How can I achieve that? Do I have to change all the rights of my files? How do I do that safely (without causing problems to programs etc.)? How do I achieve that new files are automatically readable only by me (and root)?
This is a simple groups problem. Most systems have a group called "users", and they default to either (a) all users belong to the "users" group, or (b) all users belong to the "username" group (i.e. a user called "daniel" will belong to a group called "daniel"). Your system defaults to putting all users in "users".
In this situation, let's assume your new user is called "sally". Create a group "sally", and put her in that, deleting her from the group "users". Now she will only be able to see her files, not yours. This isn't the best solution, but the best in the current circumstance, because you will keep having to do this - it would have been better if it had been the default from the get-go - any new user by default will be able to see your files.
The alternative is to do that to yourself - create a group "daniel", make that your default group, and chown all your files to "daniel:daniel", but that's a lot more hassle.
(The first option changes *her* so she can't see your files, a simple job. The second changes *you* so she can't see your files, a lot more work and error prone.)
Groups are a wonderful and simple access control mechanism that with a little thought can deal with most situations. You just need to understand 'set theory', which is the high-falutin' term for what you learnt at school drawing circles that are called Venn diagrams. Draw three circles, one for you, one for 'sally' and one you label, perhaps, 'george'. Look where they overlap. Groups are cheap; create more as you need. Create labels. You should have one for each user and perhaps make the default setting, as Wol says, specific to each user. That is the most protectionist. Then you can 'share' files, by making them group readable, or perhaps writeable, for the group belonging to those overlap areas.

http://www.presentation-process.com/wp-content/uploads/hexagon-venn-diagram....

Of course you can create more 'complex' overlaps.

http://www.presentation-process.com/wp-content/uploads/circle-powerpoint-ven...
http://2.bp.blogspot.com/_VhdC-5Gg7Ok/S_DIfpdBpbI/AAAAAAAAADs/llWoPG8L7uU/s1...
https://conceptdraw.com/a2059c3/p7/preview/640/pict--4-set-venn-diagram-venn...

In practice, there is a limit to what you can do with a sheet of paper, though the mathematics behind this is indefinitely extensible. Doing it might damage your brain. At some point, regardless of the fact that it CAN be done with groups, you can't understand it enough to use it, and adopt another method. This is called Role Based Access Control. It's pretty cool and easily managed for large groups of people. But you need large groups, perhaps a full multi-tiered corporate setting with plenty of job descriptions and so on, in order to see how effective it can be. If you're a big enough organization to need it then you definitely need it. What sets the criteria isn't so much the number of people as the number of differentiated roles. I once worked at a shop where there were 140 programmers. Despite the number of projects active and archived there was no reason for more than 5 groups beyond one per programmer and the 'system' ones that come with the distribution like 'lp', 'bin', 'sys', 'daemon', and so on.

The basic rule is: Keep it manageable and understandable. Oh, and document it and its purpose.

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
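The owner/group/other check that both replies above lean on, written out as an added example (this is not code from the thread or from openSUSE; the user, group and file names "daniel", "sally", "users", "/home/daniel/notes.txt" and the modes are assumptions chosen to match the discussion). The model walks a path the way the kernel does: search (x) on every directory component, then read (r) on the file, picking exactly one class (owner, then group, then other) per inode. Two things a practitioner should see before touching the real accounts with groupadd/usermod -g/gpasswd -d: if Daniel's home directory and files still carry r (and x) for "other", moving sally out of "users" changes nothing, because she falls through to the "other" bits; and a umask of 077 is what makes new files land as 600 without per-file chmod.

```python
"""Model of the Unix owner/group/other (DAC) check behind the group advice above.

Added illustration, not code from the thread or from any distribution.  Names,
paths and modes below are constructed to mirror the discussion.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

R, W, X = 4, 2, 1  # the three bits of one permission class (rwx)


@dataclass(frozen=True)
class User:
    name: str
    primary_group: str                      # group new files are created with
    supplementary: FrozenSet[str] = frozenset()

    def groups(self) -> FrozenSet[str]:
        return frozenset({self.primary_group}) | self.supplementary


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int                               # permission bits only, e.g. 0o644
    is_dir: bool = False


def class_bits(user: User, node: Inode) -> int:
    """Return the rwx bits that apply to `user` on `node`.

    Exactly one class applies, tested in order owner -> group -> other.  The
    owner with mode 0o007 gets nothing even though 'other' would get rwx.
    """
    if user.name == "root":
        return R | W | X                    # simplification: root bypasses DAC
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in user.groups():
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_read_path(user: User, fs: Dict[str, Inode], path: str) -> bool:
    """Reading /a/b/c needs x (search) on /, /a and /a/b, then r on /a/b/c."""
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for directory in ancestors:
        if not class_bits(user, fs[directory]) & X:
            return False
    return bool(class_bits(user, fs[path]) & R)


def new_file_mode(umask: int, requested: int = 0o666) -> int:
    """open(2)/creat(2) clear the umask bits from the mode the program asks for.

    Most programs ask for 0o666 for data files, so umask 077 yields 0o600.
    """
    return requested & ~umask & 0o777


NOTES = "/home/daniel/notes.txt"            # hypothetical file of Daniel's
daniel = User("daniel", "users")
sally_in_users = User("sally", "users")      # the distribution default
sally_own_group = User("sally", "sally")     # after: groupadd sally; usermod -g sally sally;
                                             #        gpasswd -d sally users


def build_fs(home_mode: int, file_mode: int) -> Dict[str, Inode]:
    """Tiny constructed tree: only the inodes on the path to NOTES."""
    return {
        "/": Inode("root", "root", 0o755, is_dir=True),
        "/home": Inode("root", "root", 0o755, is_dir=True),
        "/home/daniel": Inode("daniel", "users", home_mode, is_dir=True),
        NOTES: Inode("daniel", "users", file_mode),
    }


def scenario() -> Dict[str, bool]:
    """Can sally read Daniel's file before and after the two changes?"""
    results = {}
    default = build_fs(0o755, 0o644)        # typical shipped defaults
    results["default, sally in users"] = can_read_path(sally_in_users, default, NOTES)
    results["default, sally in own group"] = can_read_path(sally_own_group, default, NOTES)
    closed = build_fs(0o750, 0o640)         # chmod o-rwx ~daniel and the file
    results["o-rwx, sally in users"] = can_read_path(sally_in_users, closed, NOTES)
    results["o-rwx, sally in own group"] = can_read_path(sally_own_group, closed, NOTES)
    results["o-rwx, daniel"] = can_read_path(daniel, closed, NOTES)
    return results


if __name__ == "__main__":
    for label, readable in scenario().items():
        print(f"{label:32s} readable={readable}")
    print("umask 077 -> new file mode", oct(new_file_mode(0o077)))
```

The "default, sally in own group" entry comes out readable: the group change alone is not enough while the "other" class still has r on the file and x on the home directory. The "o-rwx" rows show that once those bits are cleared, membership in "users" is what decides, which is exactly the line Wol draws. The owner-first rule in `class_bits` is also why Daniel does not need to be in any special group to keep reading his own files.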