Andreas said the following on 08/20/2010 09:45 PM:
Hi,
I'd be happy if someone could give me a pointer to a way to have more than r,w,x for owner/group/others. Actually I need more than owner/group/others.
E.g. a user Romeo has all his stuff belong to Romeo (himself) in group Romeo. He might want to give Juliette access to his ~/poems but not to ~/exgirlfriends. So he should be able to give her +rx for just the poems-directory and no one as well as nowhere else.
By the way ... his buddy George should have access to the exgirlfriends as well as to the poems.
Of course as mere users they can't create new usergroups.
Is there a way to allow additional groups or individual users to access a file or directory like with Windows NTFS?
First, start thinking in terms of "sets". Don't think in terms of "ownership" but in terms of the "set of people who can access this file".

Yes, I realise that ultimately this ends up with the kind of RBAC that SUN implemented. That is a Good Thing. Summary at http://en.wikipedia.org/wiki/Role-based_access_control

<quote>
The use of RBAC to manage user privileges within a single system or application is widely accepted as a best practice. Systems including Microsoft Active Directory, Microsoft SQL Server, SELinux, grsecurity, FreeBSD, Solaris, Oracle DBMS, PostgreSQL 8.1, SAP R/3, FusionForge and many others effectively implement some form of RBAC.
</quote>

ACLs are very primitive; they are a 1950s view of access, mainframe thoughts with small numbers of users. Managing ACLs with large numbers of users (i.e. corporate, modern business, thousands and tens of thousands of users) is impractical. That is why we've turned to groups.

But you HAVE to think of it as a GROUP. So long as it is an individual granting rights to other individuals it's awkward. You end up in an all-or-nothing situation.

I said to think in terms of 'sets'. That's the model we were taught at school. "Set Theory". Remember those overlapping circles? Well that's fine at school with up to three or four circles, but in practice you're going to start with a table. Initially it will be "people vs groups" and you just tick off the boxes.

If you are dealing with the small numbers, just the example you gave, then the suggestion Carlos made of those groups and a "sudo" is fine. Bite the bullet.

If you are dealing with larger groups, a corporate setting, then you should install one of the Linux RBAC packages. Go google. Many RBAC packages get labelled IAM and some -hiss-boo- talk down for the know-nothing managers and call themselves ACL, but it is just a marketing device.

And hey, don't worry about 'root'. One of the RBAC roles is "RBAC-Administration".

I'll say again. Assume this is HTML mail and this is in 72pt font that flashes bright red:

Access Control Lists become impractical when dealing with the large numbers of users and roles of a modern business.

[1] http://en.wikipedia.org/wiki/Grsecurity
    http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System
    http://www.grsecurity.net/quickstart.pdf
[2] http://en.wikipedia.org/wiki/RSBAC

--
It is always better to have no ideas than false ones; to believe nothing, than to believe what is wrong.
--Thomas Jefferson, (letter to Rev. James Madison, July 19, 1788)
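The "people vs groups" table the reply describes, worked through on Romeo's example as added code that is not part of the thread: the access table is modelled as sets, one POSIX group is derived per distinct reader set, the administrator commands are rendered, and the same intent is rendered as per-user ACL entries for comparison. User names, paths and the group naming scheme are constructed for illustration.

```python
"""Derive POSIX groups from an access table, as the reply's set model suggests."""
from collections import defaultdict

OWNER = "romeo"
# Constructed access table: directory -> users (other than the owner) who may
# enter and read it. Juliette gets poems only; George gets both.
ACCESS = {
    "/home/romeo/poems": {"juliette", "george"},
    "/home/romeo/exgirlfriends": {"george"},
}


def derive_groups(table, owner):
    """One group per distinct reader set -> {group: (members, paths)}."""
    by_set = defaultdict(list)
    for path, readers in table.items():
        by_set[frozenset(readers)].append(path)
    groups = {}
    for i, (members, paths) in enumerate(sorted(by_set.items(), key=lambda kv: sorted(kv[1]))):
        groups[f"{owner}_share{i}"] = (set(members), sorted(paths))  # hypothetical names
    return groups


def render_group_commands(groups):
    """Shell an administrator (root, or via sudo as Carlos suggested) would run.
    Note: users must also be able to traverse the parent, e.g. chmod o+x /home/romeo."""
    cmds = []
    for name, (members, paths) in groups.items():
        cmds.append(f"groupadd {name}")
        cmds += [f"usermod -aG {name} {u}" for u in sorted(members)]
        for path in paths:
            cmds += [f"chgrp {name} {path}", f"chmod 750 {path}"]  # owner rwx, group r-x
    return cmds


def render_acl_commands(table):
    """Same intent as individual POSIX ACL entries: one entry per user per path,
    which is the growth the reply warns about."""
    return [f"setfacl -m u:{u}:rx {p}" for p, users in sorted(table.items()) for u in sorted(users)]


def can_enter(user, path, groups, owner):
    """Effective access under the derived groups, to check the derivation kept the intent."""
    if user == owner:
        return True
    for members, paths in groups.values():
        if path in paths:
            return user in members
    return False
```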