[opensuse] Howto use extended filesystem rights ?
Hi,

I'd be happy if someone could give me a pointer to a way to have more than r,w,x for owner/group/others. Actually I need more than owner/group/others.

E.g. a user Romeo has all his stuff belong to Romeo (himself) in group Romeo. He might want to give Juliette access to his ~/poems but not to ~/exgirlfriends. So he should be able to give her +rx for just the poems directory and no one as well as nowhere else.

By the way ... his buddy George should have access to the exgirlfriends as well as to the poems.

Of course as mere users they can't create new usergroups.

Is there a way to allow additional groups or individual users to access a file or directory like with Windows NTFS?

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
* Andreas <maps.on@gmx.net> [08-20-10 21:44]:
I'd be happy if someone could give me a pointer to a way to have more than r,w,x for owner/group/others. Actually I need more than owner/group/others.
...
Is there a way to allow additional groups or individual users to access a file or directory like with Windows NTFS?
man groupadd

Make additional groups, give rights to specific files by group, and interested individuals to specific groups.

-- 
Patrick Shanahan, Plainfield, Indiana, USA, HOG # US1244711
http://wahoo.no-ip.org
Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
On 2010-08-21 03:45, Andreas wrote:
Hi,
I'd be happy if someone could give me a pointer to a way to have more than r,w,x for owner/group/others. Actually I need more than owner/group/others.
E.g. a user Romeo has all his stuff belong to Romeo (himself) in group Romeo. He might want to give Juliette access to his ~/poems but not to ~/exgirlfriends. So he should be able to give her +rx for just the poems-directory and noone as well as nowhere else.
By the way ... his buddy George should have access to the exgirlfriends as well as to the poems.
Interesting example! X'-)

Well... You should create groups "romeops" and "romeogf". Add Juliette to group "romeops", and George to group "romeogf". Then "chgrp romeops ~/poems" and "chgrp romeogf ~/exgirlfriends". Finally, allow read permission to those two directories to groups.
Of course as mere users they can't create new usergroups.
Right. Perhaps with sudo, though.

Have a look in "man acl". It is more versatile, but I don't know how to use it, nor if a user can do it.

-- 
Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar))
Carlos E. R. wrote:
On 2010-08-21 03:45, Andreas wrote:
Hi,
I'd be happy if someone could give me a pointer to a way to have more than r,w,x for owner/group/others. Actually I need more than owner/group/others.
Have a look in "man acl". It is more versatile, but I don't know how to use it, nor if a user can do it.
Use 'chacl'; it's a better interface. setacl/getacl are based on the system calls and not really intended for humans, but more for programs.

I always have to look at an example when I use it and don't 'super' understand the 'mask' (for some reason it's used to replace the umask, but not sure why that was considered necessary).

I wrote a primitive script to allow to list them:

    ~romeo/poems> lsacl *
    [u::rw-,u:juliet:rw-,g::---,m::---,o::---] mylove
    [u::rw-,g::---,o::---] sonnet1
    [u::rw-,g::---,o::---] sonnet2

There's also a QT facility to do single-file acl modifications that does make it more graphically clear but isn't so convenient when doing multiple files: ("Eiciel" - in the suse11.2 distro -- I think it's a french pronunciation of ACL).

I don't know all the best ways to use chacl, but this is how you would do what you wanted to do. (Note this presumes you are using a file system that supports user-level ACLs like XFS or such. If your filesystem doesn't support user-level ACLs, you might consider changing your file system to one that does.)

But assuming your fs supports user-level ACLs: then suppose I wanted to add juliet to have access to the rest of them. For whatever reason, when you specify an acl, you always need to include the defaults (user, group and other). The mask is necessary when adding any user (other than the default ones, but for those, you don't need ACLs).

    ~romeo/poems> chacl u::rw-,g::--,o::--,u:juliet:r--,m::-- *
    ~romeo/poems> lsacl *
    [u::rw-,u:juliet:r--,g::---,m::---,o::---] mylove
    [u::rw-,u:juliet:r--,g::---,m::---,o::---] sonnet1
    [u::rw-,u:juliet:r--,g::---,m::---,o::---] sonnet2

The format is 1 letter for type (u=user, g=group, o=other), then colon, then "name" of user or group (or blank for default user/group), colon, and 3 characters for r/ead, w/rite, e/x/ecute ("rwx"). Any place where you have the letter it gives the permission; if you don't want to give the permission you use a minus. I only gave 'r' access, so I used a '-' in place of the w and x.

The brackets are only there when you list (chacl -l <path> = list <path>), not when you enter them.

On a directory you have 2 access lists: 1 for the directory itself, and a very useful ACL that allows you to specify the *default* acl for each file or subdir you create under that. So if I wanted to make sure that juliet had read access to the directory those files were in AND give her default access to access future files in there (but still restricting others):

    cmd   both  acl on the dir itself                    (space) default acl for new files                nameofdir
    chacl -b    u::rwx,u:juliet:r-x,g::---,m::---,o::---         u::rw,u:juliet:r--,g::---,m::---,o::---  .

(It's all in man chacl if my example is lame.)

Then chacl -l . shows:

    [u::rwx,u:juliet:r-x,g::---,m::---,o::---/u::rw-,u:juliet:r--,g::---,m::---,o::---] .

For single files eiciel seems like it would be a big bonus in visualizing what is going on, but since I work with multiple files, I haven't made much use of it other than to try it out.

Hope this is what you meant....

-linda
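Added example, not part of the thread and not Linda's lsacl script: a small Python model of how the Linux kernel evaluates a POSIX ACL, parsing the short u:/g:/m:/o: form printed above. It makes the mask behaviour concrete, which is the part the post says is confusing: the mask caps every named-user, owning-group and named-group entry, so with m::--- in the chacl line above juliet's r-- entry is capped to nothing and she still cannot read the files, while the same entries with m::r-- do grant her read. The same evaluator also covers the group-based approach from earlier in the thread (chgrp romeops ~/poems plus group read/execute), which is just a minimal ACL without a mask entry. All user and group names, memberships and ACL strings are constructed for the Romeo/Juliette/George scenario.

```python
"""Model of POSIX.1e ACL access checks as Linux applies them (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

R, W, X = 4, 2, 1
PERM_CHARS = {"r": R, "w": W, "x": X}


def parse_perms(text):
    """'r-x', 'rx' or '--' -> bitmask; '-' is a placeholder, not a grant."""
    bits = 0
    for ch in text:
        if ch in PERM_CHARS:
            bits |= PERM_CHARS[ch]
        elif ch != "-":
            raise ValueError(f"unexpected permission character {ch!r}")
    return bits


@dataclass
class Acl:
    owner: int = 0                     # u::      (ACL_USER_OBJ), never masked
    group: int = 0                     # g::      (ACL_GROUP_OBJ), masked
    other: int = 0                     # o::      (ACL_OTHER), never masked
    mask: Optional[int] = None         # m::      (ACL_MASK); None = minimal ACL
    users: Dict[str, int] = field(default_factory=dict)   # u:name:  masked
    groups: Dict[str, int] = field(default_factory=dict)  # g:name:  masked


def parse_acl(text):
    """Parse the short form chacl/lsacl use, e.g. 'u::rw-,u:juliet:r--,g::---,m::---,o::---'."""
    acl = Acl()
    for entry in text.split(","):
        tag, name, perms = entry.split(":")
        bits = parse_perms(perms)
        if tag == "u":
            (acl.users.__setitem__(name, bits) if name else setattr(acl, "owner", bits))
        elif tag == "g":
            (acl.groups.__setitem__(name, bits) if name else setattr(acl, "group", bits))
        elif tag == "m":
            acl.mask = bits
        elif tag == "o":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag {tag!r}")
    return acl


def check_access(acl, want, user, owner, owner_group, user_groups):
    """True if `user` may perform `want` (bitmask) on a file owned by owner:owner_group.

    Order follows the kernel: owner entry, named user entry, then the group
    class (owning group and named groups, any single matching entry must grant
    the whole request), then other. Entries in the group class and named users
    are ANDed with the mask; with no mask entry nothing is capped.
    """
    mask = 7 if acl.mask is None else acl.mask
    if user == owner:
        return (acl.owner & want) == want
    if user in acl.users:
        return (acl.users[user] & mask & want) == want
    in_group_class = False
    if owner_group in user_groups:
        in_group_class = True
        if (acl.group & mask & want) == want:
            return True
    for g, bits in acl.groups.items():
        if g in user_groups:
            in_group_class = True
            if (bits & mask & want) == want:
                return True
    if in_group_class:           # matched the group class but nothing granted it
        return False
    return (acl.other & want) == want


def effective(acl, user, owner, owner_group, user_groups):
    """Human-readable 'rwx' string of what `user` can actually do."""
    return "".join(
        ch if check_access(acl, bit, user, owner, owner_group, user_groups) else "-"
        for ch, bit in (("r", R), ("w", W), ("x", X))
    )


def demo():
    """Constructed scenario from the thread: files owned by romeo, owning group romeo."""
    owner, owner_group = "romeo", "romeo"
    results = {}
    # The chacl line from the post: juliet gets r-- but the mask is ---, so her
    # entry is capped to nothing and the file stays unreadable for her.
    posted = parse_acl("u::rw-,g::--,o::--,u:juliet:r--,m::--")
    results["posted_juliet"] = effective(posted, "juliet", owner, owner_group, {"juliet"})
    # Same entries with a mask that admits read: now the grant is effective,
    # and george (no entry, not in the group class) still gets nothing.
    fixed = parse_acl("u::rw-,u:juliet:r--,g::---,m::r--,o::---")
    results["fixed_juliet"] = effective(fixed, "juliet", owner, owner_group, {"juliet"})
    results["fixed_george"] = effective(fixed, "george", owner, owner_group, {"george"})
    # Group approach: chgrp romeops ~/poems with mode 0750 is a minimal ACL
    # (no mask); membership in romeops is what grants access.
    poems = parse_acl("u::rwx,g::r-x,o::---")
    results["group_juliet"] = effective(poems, "juliet", owner, "romeops", {"juliet", "romeops"})
    results["group_george"] = effective(poems, "george", owner, "romeops", {"george", "romeogf"})
    return results


if __name__ == "__main__":
    for name, perms in demo().items():
        print(f"{name:14s} {perms}")
```

On a real system the same condition is visible without modelling: getfacl prints an `#effective:` annotation beside any entry the mask caps, so a quick `getfacl ~/poems/*` after a chacl run is the check to make before assuming a named-user grant works.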
On 2010-08-21 05:46, Linda Walsh wrote:
Use 'chacl' it's a better interface.
setacl/getacl are based on the system calls and not really intended for humans, but more for programs.
...

Thanks for the explanation. Guess I'll have to come to terms with this some time :-)

-- 
Cheers, Carlos E. R. (from 11.2 x86_64 "Emerald" at Elessar)
On Fri, Aug 20, 2010 at 08:46:10PM -0700, Linda Walsh wrote:
Carlos E. R. wrote:
On 2010-08-21 03:45, Andreas wrote:
Hi,
I'd be happy if someone could give me a pointer to a way to have more than r,w,x for owner/group/others. Actually I need more than owner/group/others.
Have a look in "man acl". It is more versatile, but I don't know how to use it, nor if a user can do it.
Use 'chacl' it's a better interface.
setacl/getacl are based on the system calls and not really intended for humans, but more for programs.
The libraries are for programs, while getfacl and setfacl are the command line tools to get and set Access Control Lists (ACLs) of files and directories.
I always have to look at an example when I use it and don't 'super' understand the 'mask' (for some reason it's used to replace the umask, but not sure why that was considered necessary).
Read http://www.suse.de/~agruen/acl/linux-acls/online/ if you like to know why they are implemented as they are.
I wrote a primitive script to allow to list them:

    ~romeo/poems> lsacl *
    [u::rw-,u:juliet:rw-,g::---,m::---,o::---] mylove
    [u::rw-,g::---,o::---] sonnet1
    [u::rw-,g::---,o::---] sonnet2
Using "getfacl --tab <file|directory>" might help too.

Lars

-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Andreas said the following on 08/20/2010 09:45 PM:
Hi,
I'd be happy if someone could give me a pointer to a way to have more than r,w,x for owner/group/others. Actually I need more than owner/group/others.
E.g. a user Romeo has all his stuff belong to Romeo (himself) in group Romeo. He might want to give Juliette access to his ~/poems but not to ~/exgirlfriends. So he should be able to give her +rx for just the poems-directory and noone as well as nowhere else.
By the way ... his buddy George should have access to the exgirlfriends as well as to the poems.
Of course as mere users they can't create new usergroups.
Is there a way to allow additional groups or individual users to access a file or directory like with Windows NTFS?
First, start thinking in terms of "sets". Don't think in terms of "ownership" but in terms of the "set of people who can access this file".

Yes, I realise that ultimately this ends up with the kind of RBAC that SUN implemented. That is a Good Thing. Summary at http://en.wikipedia.org/wiki/Role-based_access_control

<quote>
The use of RBAC to manage user privileges within a single system or application is widely accepted as a best practice. Systems including Microsoft Active Directory, Microsoft SQL Server, SELinux, grsecurity, FreeBSD, Solaris, Oracle DBMS, PostgreSQL 8.1, SAP R/3, FusionForge and many others effectively implement some form of RBAC.
</quote>

ACLs are very primitive; they are a 1950s view of access, mainframe thoughts with small numbers of users. Managing ACLs with large numbers of users (i.e. corporate, modern business, thousands and tens of thousands of users) is impractical. That is why we've turned to groups. But you HAVE to think of it as a GROUP. So long as it is an individual granting rights to other individuals it's awkward. You end up in an all-or-nothing situation.

I said to think in terms of 'sets'. That's the model we were taught at school. "Set Theory". Remember those overlapping circles? Well that's fine at school with up to three or four circles, but in practice you're going to start with a table. Initially it will be "people vs groups" and you just tick off the boxes.

If you are dealing with the small numbers, just the example you gave, then the suggestion Carlos made of those groups and a "sudo" is fine. Bite the bullet.

If you are dealing with larger groups, a corporate setting, then you should install one of the Linux RBAC packages. Go google. Many RBAC packages get labelled IAM and some -hiss-boo- talk down for the know-nothing managers and call themselves ACL, but it is just a marketing device.

And hey, don't worry about 'root'. One of the RBAC roles is "RBAC-Administration".

I'll say again. Assume this is HTML mail and this is 72pt font that flashes bright red.

Access Control Lists become impractical when dealing with the large numbers of users and roles of a modern business.

[1] http://en.wikipedia.org/wiki/Grsecurity
    http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System
    http://www.grsecurity.net/quickstart.pdf
[2] http://en.wikipedia.org/wiki/RSBAC

-- 
It is always better to have no ideas than false ones; to believe nothing, than to believe what is wrong.
--Thomas Jefferson, (letter to Rev. James Madison, July 19, 1788)