topic Special directory permissions in Operating System - HP-UX

Special directory permissions

Ron Markarian — Fri, 07 Nov 2003 14:21:06 GMT

Goal: To create a folder that will allow a specific group of users to list the folder's contents and create new files. They should only be able to read/write files they own.

I have explored options using the sticky bit and umask but I can't seem to get them to work and i'm running out of time.

Thanks,

Re: Special directory permissions

Steven E. Protter — Fri, 07 Nov 2003 14:34:48 GMT

This is not so fast, but it can get the job done.

Access Control Lists(ACL)

Read this:
http://docs.hp.com/hpux/onlinedocs/os/jfs_acl.pdf

Good Luck.

SEP

Re: Special directory permissions

Bill Hassell — Fri, 07 Nov 2003 14:51:21 GMT

If you create the directory with 1770 permissions with group ownership assigned to the right group, then no one other than members of that group can 'see' into the directory. The sticky bit (1000) prevents members of that group from removing or renaming the files that they do not own. umask should be set to 077 and now all files will be unreadable/unwritable by anyone except the owner.

If the users must also create additional directories, they MUST manually change the permission on the new directory. umask has no effect on sticky or UID/GID bits.

Re: Special directory permissions

James A. Donovan — Fri, 07 Nov 2003 14:52:44 GMT

Setting the permissions on the directory to 1770 will get you close. Making sure the users umask is set to 077, at least initially, will prevent them from reading/modifying others' files. But, there is no way to enforce the umask setting. The users could modify it themselves, thus opening up their files to others.

Re: Special directory permissions

Kevin Wright — Fri, 07 Nov 2003 14:52:50 GMT

yep, set the sticky bit on the directory, but to avoid others read access to the files, you must change the user's umask to 066.

Re: Special directory permissions

curt larson_1 — Fri, 07 Nov 2003 15:13:50 GMT

the easy way is just to give rwx to the group for the directory
d---rwx--- owner mygroup ...

then whenever a file is created it is up to the owner to make sure they are the only ones with read/write permissions on the file
-rwx------ owner mygroup .....
this can be done via umask or chmod

of course the owner will have to be a member of the group, mygroup. And, there is no guarentee that the owners will maintain the proper permission.

another caveat is being the the members of the group have write permission on the directory. they will be able to remove any file. and being they can create files, they could recreate a file they removed, set the permissions, and then give the file the same owner/group as the file they removed. So, while they can not vi a file, they will be able to modify the file via a remove and recreate it with the desired contents.

the only right way is to use acl's. but they are only supported on limited types of file systems. And several utilities don't support them, nfs, tar, etc. And, of course, there is a learning curve to getting used to using them.

Re: Special directory permissions

Ron Markarian — Fri, 07 Nov 2003 15:21:51 GMT

The umask is going to apply to every file the user creates. (this directory or not). Is there away to only apply the umask to this directory.

I also looked at ACL's , but how would that help me in this situation. I don't need to differentiate between users.

Re: Special directory permissions

James A. Donovan — Fri, 07 Nov 2003 15:31:35 GMT

There is no way to set a special umask for just one directory. But you may be able to sneak around the problem....

Cron up a job run by root, that runs every minute (or whatever) that changes the permissions on any file in that directory to 600. That way you can exercise at least a modicum of control.