Please Help with a Users/Groups problem
I have been asked by a small company to look at moving them off an old minicomputer to a web based system as there is no longer hardware support available (12 years old). I have no problems with meeting most of their needs except trying to match the following security requirements.

Their existing system uses a hierarchical security structure, e.g.:

Top Level     A
Second Level  B C
Third Level   E F G H

A can see and work on all users' data files.
B can see and work on data files of B, E & F ONLY.
C can see and work on data files of C, G & H ONLY.
E to H can ONLY see and work on their own files.

How do I set up the User and Group Structure to support this?

Will be using 8.2 unless my copy of 9.0 arrives in the next week so I can test-bench it for a month first.

Thanks in advance for any help received.
scsijon
On Sat, 2004-02-21 at 20:13, scsijon wrote:
I have been asked by a small company to look at moving them off an old minicomputer to a web based system as there is no longer hardware support available (12 years old).
I have no problems with meeting most of their needs except trying to match the following security requirements.
Their existing system uses a hierarchical security structure.
e.g.
Top Level     A
Second Level  B C
Third Level   E F G H
A can see and work on all users' data files.
B can see and work on data files of B, E & F ONLY.
C can see and work on data files of C, G & H ONLY.
E to H can ONLY see and work on their own files.
How do I set up the User and Group Structure to support this?
Will be using 8.2 unless my copy of 9.0 arrives in the next week so i can test-bench it for a month first.
thanks in advance for any help received. scsijon
Maybe the use of ACLs may help here. I cannot remember if 8.2 has it or not, but I think that 9.0 does. I have not had time to mess around with it, but you can use ACLs along with the permission settings that Linux has in the filesystem and you might be able to do what you want. But if you were wanting to use just the Linux file system permissions, give us a bit of time and I am sure that someone may be able to get you something that you can use.
Marshall
scsijon wrote:
Their existing system uses a hierarchical security structure. Top Level A; Second Level B C; Third Level E F G H
A can see and work on all users data files B can see and work on data files of B, E & F ONLY C can see and work on data files of C, G & H ONLY E to H can ONLY see and work on their own files.
How do I set up the User and Group Structure to support this?
If you set up a group for each individual and then just make them members of the appropriate groups, does that not solve it? i.e. E is a member only of Egroup; similarly F, G, H. B is a member of Bgroup, Egroup and Fgroup; C similarly. A is a member of all groups.
Cheers, Dave
On Sun, 22 Feb 2004 12:13, scsijon wrote:
Their existing system uses a hierarchical security structure. Top Level A
Second Level B C
Third level E F G H
A can see and work on all users data files B can see and work on data files of B, E & F ONLY C can see and work on data files of C, G & H ONLY E to H can ONLY see and work on their own files.
How do I set up the User and Group Structure to support this?
I would create four groups: Grp-A, Grp-B, Grp-C, Grp-D. When you assign each user you can add additional groups to that user. e.g. for a Grp-A user who has access to Grp-B files, you would assign him to Grp-A and the additional Grp-B. For a Grp-C user who has access to Grp-A and Grp-D files, you would assign him to Grp-C and the additional Grp-A and Grp-D. Make sure the UMASK is set to 022 and it should all work.
-- Regards, Graham Smith
On Sun, 22 Feb 2004 12:13:17 +1100 scsijon wrote:
I have been asked by a small company to look at moving them off an old minicomputer to a web based system as there is no longer hardware support available (12 years old).
I have no problems with meeting most of their needs except trying to match the following security requirements.
Their existing system uses a hierarchical security structure.

I tend to agree with Marshall's suggestion that you use ACLs. The group structures proposed by the other respondents are also useful. Many proprietary operating systems, such as DEC's VMS, used ACLs. ACL is a much stronger security method than user/group. AFAIK, ACL has been available in Linux for several years.
-- Jerry Feldman
Boston Linux and Unix user group http://www.blu.org PGP key id: C5061EA9
Ok, I'll look at this BUT what does ACL stand for? I don't remember coming up against this before (or maybe I know it as something else). I really hate TLAs (three letter acronyms).
Regards and thanks for the suggestions received so far.
scsijon

At 09:36 AM 23/02/2004, Jerry Feldman wrote:
I tend to agree with Marshall's suggestion that you use ACLs. The group structures proposed by the other respondents are also useful. Many proprietary operating systems, such as DEC's VMS, used ACLs. ACL is a much stronger security method than user/group. AFAIK, ACL has been available in Linux for several years.
-- Jerry Feldman
Boston Linux and Unix user group http://www.blu.org PGP key id: C5061EA9
On Mon, 2004-02-23 at 23:23, scsijon wrote:
Ok, I'll look at this BUT what does ACL stand for? I don't remember coming up against this before (or maybe I know it as something else).
ACL stands for Access Control List. ACL will allow you to set up permissions that are very restrictive. Take a look at the SuSE documentation when you get 9.0. It talks about ACL in the guides. HTH Marshall
On 02/24/2004 12:23 PM, scsijon wrote:
Ok, I'll look at this BUT what does ACL stand for? I don't remember coming up against this before (or maybe I know it as something else).
Access Control List
-- Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace of God, I am what I am.
On Mon, 2004-02-23 at 23:23, scsijon wrote:
Ok, I'll look at this BUT what does ACL stand for? I don't remember coming up against this before (or maybe I know it as something else).
I really hate TLAs (three letter acronyms).
Regards and thanks for the suggestions received so far.
scsijon
ACL = access control list
-- Ken Schneider
unix user since 1989, linux user since 1994, SuSE user since 1998 (5.2)
On Sunday 22 February 2004 02:13, scsijon wrote:
Their existing system uses a hierarchical security structure.
eg.
Top Level A
Second Level B C
Third level E F G H
A can see and work on all users' data files. B can see and work on data files of B, E & F ONLY. C can see and work on data files of C, G & H ONLY. E to H can ONLY see and work on their own files.
This sounds like the LaPadula model, except in the LaPadula model you have no read up and no write down. There are no mandatory access control methods in Linux; there are some enhancements by SELinux (by NSA) which provide MAC, and there are some security labels set in 2.6.x kernels, which I believe are more related to NDAC rather than MAC (I may well be wrong on that part).

To get something like the above, you could use group membership. You could force A as a member of group A, BC, and of group EFGH; B and C as members of BC and EFGH; and E, F, G, H as members of EFGH. Then force each user to have file creation modes 0660. However, this does not restrict the user from changing the modes set, or access to files they own.
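The two approaches proposed in this thread, per-person groups (Dave, Graham, Örn) and POSIX ACLs (Marshall, Jerry), can both be derived mechanically from the A / B C / E F G H tree and checked against the four ONLY rules in the original post. The following is an added example, not code from anyone in the thread: it models the hierarchy, emits the provisioning commands for each scheme, and verifies that each scheme yields exactly the required access matrix. The login names (lower-cased letters), the group names (`<letter>grp`) and the `/srv/data/<letter>` directory layout are assumptions.

```python
"""Derive a users/groups layout, and the equivalent POSIX ACL entries, for the
A / B C / E F G H hierarchy in the original post, then check both against the
access matrix the post describes.

Added example, not code from the thread.  Assumptions: login names are the
lower-cased letters, per-person groups are named <letter>grp, and each
person's data files live under /srv/data/<letter>.
"""
from typing import Dict, List, Set

# Hierarchy constructed from the post: each person -> direct subordinates.
TREE: Dict[str, List[str]] = {
    "A": ["B", "C"],
    "B": ["E", "F"],
    "C": ["G", "H"],
    "E": [], "F": [], "G": [], "H": [],
}
BASE = "/srv/data"  # assumed location of the per-person data directories


def subtree(root: str) -> Set[str]:
    """Owners whose files `root` may see and work on: root and everyone below."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        u = stack.pop()
        if u not in seen:
            seen.add(u)
            stack.extend(TREE[u])
    return seen


def required() -> Dict[str, Set[str]]:
    """The matrix the post asks for: user -> owners whose files are accessible."""
    return {u: subtree(u) for u in TREE}


def grp(owner: str) -> str:
    """Name of the per-person group that owns <owner>'s files (assumed naming)."""
    return owner.lower() + "grp"


def group_memberships() -> Dict[str, Set[str]]:
    """Per-person groups (Dave's scheme): a user is in the group of every owner
    in their own subtree, and in no other."""
    return {u: {grp(o) for o in subtree(u)} for u in TREE}


def group_commands() -> List[str]:
    """Shell commands provisioning the group scheme.

    Data directories are mode 2770: no world bits, so the ONLY rules hold, and
    setgid so new files stay in the owner's group.  Users also need umask 007;
    with 022 their new files would be world-readable and not group-writable.
    """
    cmds = [f"groupadd {grp(o)}" for o in TREE]
    for u, groups in group_memberships().items():
        extra = sorted(groups - {grp(u)})
        sup = f" -G {','.join(extra)}" if extra else ""
        cmds.append(f"useradd -m -g {grp(u)}{sup} {u.lower()}")
        cmds.append(f"install -d -o {u.lower()} -g {grp(u)} -m 2770 {BASE}/{u.lower()}")
    return cmds


def acl_entries() -> Dict[str, Set[str]]:
    """ACL scheme: owner -> the superiors who get an explicit rwx entry."""
    return {o: {u for u in TREE if u != o and o in subtree(u)} for o in TREE}


def acl_commands() -> List[str]:
    """Shell commands provisioning the ACL scheme.  Each directory is private
    (700); superiors are named in an access ACL plus a default ACL, so files
    created later inherit the same entries."""
    cmds = []
    for o, superiors in acl_entries().items():
        d = f"{BASE}/{o.lower()}"
        cmds.append(f"install -d -o {o.lower()} -m 700 {d}")
        if superiors:
            spec = ",".join(f"u:{s.lower()}:rwx" for s in sorted(superiors))
            cmds.append(f"setfacl -m {spec} {d}")
            cmds.append(f"setfacl -d -m {spec} {d}")  # default ACL for new entries
    return cmds


def simulate(scheme: str) -> Dict[str, Set[str]]:
    """Who reaches whose directory under each scheme, for comparison with required()."""
    if scheme == "groups":
        members = group_memberships()
        return {u: {o for o in TREE if grp(o) in members[u]} for u in TREE}
    if scheme == "acl":
        entries = acl_entries()
        return {u: {o for o in TREE if u == o or u in entries[o]} for u in TREE}
    raise ValueError(scheme)


def both_schemes_match() -> bool:
    """True when both schemes give exactly the access the post requires."""
    want = required()
    return simulate("groups") == want and simulate("acl") == want


if __name__ == "__main__":
    print("# group scheme")
    print("\n".join(group_commands()))
    print("# acl scheme")
    print("\n".join(acl_commands()))
    print("matrix satisfied:", both_schemes_match())
```

Two checks a practitioner would still make: both schemes are discretionary, so (as Örn notes) an owner can loosen the mode or ACL on their own files, and on the ext2/ext3 filesystems of that era the volume must be mounted with the `acl` option before `setfacl` will take effect.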
Participants (8):
- Dave Howorth
- Graham Smith
- Jerry Feldman
- Joe Morris (NTM)
- Kenneth Schneider
- Marshall Heartley
- scsijon
- Örn Hansen