topic Re: user file permissions in Operating System - HP-UX

user file permissions

Michael Murphy_2 — Thu, 18 Dec 2003 11:31:34 GMT

Hello,

Does anyone know of a way to proactively keep users from creating files with open permissions (like 777)? Currently alarming on them - but management is asking if there is way to enforce this by not allowing it in the first place. My initial response was no - but I thought I would let the experts weigh in. I am aware of umask - don't think that completely fixes the problem though...

Re: user file permissions

Mark Grant — Thu, 18 Dec 2003 11:34:56 GMT

You can't stop them changing the permissions on files they have already created. You can stop them defaulting to 777 with the "umask" command in the .profile.

If I were you, instaed of alarming on these situations, I'd run a cron job that just changed them. Only those owned by the users mind!!!

If things start to break, your users will stop doing it fairly quickly.

Re: user file permissions

Pete Randall — Thu, 18 Dec 2003 11:36:06 GMT

It would be darn hard to do, I think. There's no way I can think of to prevent them changing there umask value. You could restrict the chmod and chgrp commands via permissions but they can still play with umask and end up more permissive than you would like.

Pete

Re: user file permissions

RAC_1 — Thu, 18 Dec 2003 11:37:35 GMT

You do not have control over that.

The dafult perms ar edecided by umask setting.

But a knowledable user can always override that setting.

Re: user file permissions

Paula J Frazer-Campbell — Thu, 18 Dec 2003 11:38:49 GMT

Hi
If you realy want to stop them doing it them run a cron to changew any 777 file they create to 000 and email them the results with a big security warning embedded in the email as to why 777 files are dangerous. They will soon get fed up and stop doing it.

;^)

Paula

Re: user file permissions

Paula J Frazer-Campbell — Thu, 18 Dec 2003 11:41:40 GMT

Or

Cron job =

If file with 777 found
Log them off.
Disable their login
Email them that until they stop doing it this will happen.

I can be nasty at times to users.

Paula

Re: user file permissions

Jeff Schussele — Thu, 18 Dec 2003 11:41:58 GMT

Hi Michael,

They should not be able to *create* them with 777 perms as the default umask should be 022. The could only create them with 644 because files can only be granted 666 at creation. They have to be running chmod 777 filename after creation.
This is really a user education issue unless you want to set up a cron job that will hunt 777 files down & chmod them to a sane value.

You could also try setting up the users with a 122 umask effectively taking away their write privilege after creation, but that could inhibit their work.

Rgds,
Jeff

Re: user file permissions

A. Clay Stephenson — Thu, 18 Dec 2003 11:42:00 GMT

You can play games with umask but umask is only as good as its last setting. Note that 777 has to be intentionally chmod'ed for regular files created in the shell since the creation mode (before umask is applied) for regular files is 666.

UNIX assumes that the user knows what he is doing -- there is really no answer except education. The good news is that ignorance is treatable; stupidity, on the other hand, ...

Re: user file permissions

Mark Grant — Thu, 18 Dec 2003 11:44:19 GMT

Paula,

Do you have a script that would set fire to their terminal as well?

Re: user file permissions

Jeff Schussele — Thu, 18 Dec 2003 11:48:20 GMT

I don't think she does, but I suspect she has one that'll reach out & slap 'em around a little =~))

Cheers,
Jeff

Re: user file permissions

Paula J Frazer-Campbell — Thu, 18 Dec 2003 11:58:51 GMT

Hi

Very funny guys ROTFLMFAO.

Normally I am very tolerant of users, but after being told Donâ t do it several times then it is time for the fun and games.

I once had a users that used to send me daft emails - a spare D class server, a small script and he was sent approx 50 â GO AWAYâ emails / second for 10 mins, Drastic but it worked. (I did prewarn the network guys).