On Sat, 2004-02-21 at 20:13, scsijon wrote:

I have been asked by a small company to look at moving them off an old minicomputer to a web based system as there is no longer hardware support available (12years old).

I have no problems with meeting most of their needs except trying to match the following security requirements.

Their existing system uses a hierachial security structure.

eg.

Top Level A

Second Level B C

Third level E F G H

A can see and work on all users data files B can see and work on data files of B, E & F ONLY C can see and work on data files of C, G & H ONLY E to H can ONLY see and work on their own files.

How do I set up the User and Group Structure to support this?

Will be using 8.2 unless my copy of 9.0 arrives in the next week so i can test-bench it for a month first.

thanks in advance for any help received. scsijon

Maybe the use of ACL's may help here. I cannot remember if 8.2 has it or not. But I think that 9.0 does. I have not had time to mess around with it. But you can use ACL's along with the permiission settings that Linux has in the filesystem and you might be able to do what you want. But if you were wanting to use just the Linux file system permissions, give us a bit of time and I am sure that someone may be able to get you something that you can use. Marshall

On Sun, 22 Feb 2004 12:13, scsijon wrote:

Their existing system uses a hierachial security structure. Top Level A

Second Level B C

Third level E F G H

A can see and work on all users data files B can see and work on data files of B, E & F ONLY C can see and work on data files of C, G & H ONLY E to H can ONLY see and work on their own files.

How do I set up the User and Group Structure to support this?

I would create four groups. Grp-A, Grp-B, Grp-C, Grp-D When you assign the each user you can add additional groups to that user. e.g. For a Grp-A user, who has access to Grp-B files, you would assign him to Grp-A and the additional Grp-B For a Grp-C user, who has access to Grp-A and Grp-D files, you would assign him to Grp-C and the additional Grp-A and Grp-D Make sure the UMASK is set to 022 and it should all work. -- Regards, Graham Smith ---------------------------------------------------------

söndag 22 februari 2004 02:13 skrev scsijon:

Their existing system uses a hierachial security structure.

eg.

Top Level A

Second Level B C

Third level E F G H

A can see and work on all users data files B can see and work on data files of B, E & F ONLY C can see and work on data files of C, G & H ONLY E to H can ONLY see and work on their own files.

This sounds like La Padula model, except in the La Padula model you have no read up and no write down. There are no mandatory access control methods in Linux, there are some enhancements by SE Linux (by NSA) which provides MAC, and there are some security labels set in 2.6.x kernels, which I believe are more related to NDAC, rather than MAC (i may well be wrong on that part). To get something like the above, you could use group mebership. You could force, A as a member of group A, BC, and of group EFGH. B and C as members of BC and EFGH, and E, F, G, H as members of EFGH. Then force each user to have file creation modes 0660. However, this does not restrict the user from changing the modes set, or access to files they own.