topic Re: File Access Permissions in Operating System - HP-UX

File Access Permissions

patrick coutinho — Thu, 29 Apr 2004 08:06:17 GMT

Hi,

I have an issue which needs some help. I have a user on a box, who needs to ftp files from a particular directory to another server. Say this user is A.

There is another user B who owns these said files.

Both users A and B belong to a group dba.

The problem is that the files created have only rw permissions for the OWNER ie B. Group dba does not have READ access to these files.

So how do we ensure that User A can read these files to ftp ?

Please help. Thanks in advance

Rgds

Pat

Re: File Access Permissions

Patrick Wallek — Thu, 29 Apr 2004 08:13:45 GMT

If the files are only -rw------- and are owned by userb then therer are 3 ways I can think of for usera to be able to read them:

1) Have usera log in to that machine as userb -- probably not good security-wise

2) Make the files group readable since both users are in the dba group -- chmod g+r filename

3) Make the files world readable -- chmod o+r filename -- probably not a good option security wise either.

I'd go for option 2 if at all possible.

Re: File Access Permissions

baluchen — Thu, 29 Apr 2004 08:13:56 GMT

if duplicating uid doesn't matter then goahead. else let us wait for some gurus reply..

thanks
Bala

Re: File Access Permissions

Nicolas Dumeige — Thu, 29 Apr 2004 08:15:39 GMT

Hello Patrick

The group doesn't matter as A and B are on different server.

Can A log as B on the remote system ? If so, B privilege will apply using ftp :
ftp -n << EOF
user A A_password
cd path
mget filenames
EOF

Have you consider using rcp :
On remote host, create a file in the B home directory like this
# cat > .rhosts
A_hostname A
^D
Logged as A, type :
rcp B_hostname:path/filename A_hostname:path

Cheers

Nicolas

Re: File Access Permissions

Marvin Strong — Thu, 29 Apr 2004 08:24:56 GMT

If userA and B are in the same group on the server you want to ftp from. (dba) then make the files r by group.

Thats probably the easiest, and most secure way.

You could make the umask 037 (rwxr-----) for UserB.

so that the files are created with the correct permissions.

Re: File Access Permissions

KapilRaj — Thu, 29 Apr 2004 08:31:18 GMT

Is there an issue if user B start creating files with a read permission to group ! (Assume both the gids are the same).

Change the umask for user-A so that he creates all files with a read to the group

Regds,

Kaps

Re: File Access Permissions

Dani Seely — Thu, 29 Apr 2004 08:36:54 GMT

If you're concerned about the security perspective of this issue, the safest way is to change the permissions of the necessary files so that the group has read (and write, if necessary) access since both users A and B belong to the dba group. No sense making the files world writable, that would be bad practice.

If these users need continual access to new files that will continue to be created by each other, Marvin had a good suggestion to set the umask so that the group permissions will be populated correctly at the time the files are created.

Re: File Access Permissions

Bill Hassell — Thu, 29 Apr 2004 09:12:53 GMT

ftp follows the rules for the remote end. The reason is that ftp works on many, many platforms, some of which do not have the concept of a group or permissions. For Unix to Unix, you can set the ftp daemon to create all ne files with a specific umask in /etc/inetd.conf by specifying the -u option:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -u 007

In this case, all files sent to this server will have rw permission for both group and user. This is of course true for all files and directories created at that machine. However, a better solution is to use chmod after transferring the files. This is of course dependent on your local version of ftp. HP-UX and Linux and many other Unices have chmod as an ftp command.

Re: File Access Permissions

Volker Borowski — Thu, 29 Apr 2004 11:12:18 GMT

Hi,

this thread has some stuff about the umask-ftp aspect:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=278349

Volker

Re: File Access Permissions

Sanjay_6 — Thu, 29 Apr 2004 11:23:47 GMT

Hi Pat,

If it is not a problem, let user B create the files with a umash 036. You can add "umask 036" in user B profile.

Remember if you do this, all the files created by userB will have read permission for the group.

Hope this helps.

Regds

Re: File Access Permissions

RAC_1 — Thu, 29 Apr 2004 11:29:19 GMT

Get sudo and allow user a to do ftp.
(Effectively ftp will be run as root by usera)

Anil

Re: File Access Permissions

patrick coutinho — Thu, 29 Apr 2004 14:43:05 GMT

Thanks everyone,

for so much super advice. I have a question. forgive me, for asking it as i am a novice new to HPUX. my question is "CAN ACL's HELP US out HERE? "

Points assigned. many THANX to all my friends.

regards

pat

Re: File Access Permissions

Bill Hassell — Thu, 29 Apr 2004 14:53:02 GMT

ACL (Access Control Lists) are an extension to basic file permissions. However, none of the ACL commands (chmod doesn't control ACLs) are available in ftp. An ACL can provide a finer control over the permissions with specific users. However, after you read the man pages:

man 5 acl
man aclv

you will probably not want to play with them. And certain versions of HP-UX and VxFS filesystems do not support ACLs. They don't work over NFS.

Re: File Access Permissions

patrick coutinho — Fri, 30 Apr 2004 06:18:37 GMT

Thanks Bill for the info. The system i have is a Oracle Financials systems and the user is applprod i.e. the oracle appls user. I am not sure whether i should add umask 033 in the user .profile. that would cause LL files generated by this user to have the permissions rwxr--r--. What do u think ?

rgds

pat

Re: File Access Permissions

Bill Hassell — Fri, 30 Apr 2004 07:43:47 GMT

umask is a 'take-away' mask. So a zero means all starting bits on. But MOST important: files are never given x (execute) permission from umask. The 'starting' bits for a file is 666 (rw-rw-rw) and the bits for a directory are 777 (rwxrwxrwx). umask 033 will produce files that are 644 (rw-r--r--), which is exactly the same as umask 022 for files. 033 will create directories that are 744 (rwxr--r--). Try these commands to see the effects:

umask 000 ; touch f000
umask 022 ; touch f022
umask 033 ; touch f033
umask 777 ; touch f777

umask 000 ; mkdir d000
umask 022 ; mkdir d022
umask 033 ; mkdir d033
umask 777 ; mkdir d777

ls -ld f??? d???

Re: File Access Permissions

patrick coutinho — Fri, 30 Apr 2004 15:22:00 GMT

Thanks Bill. will try this out

Rgds

Pat

Re: File Access Permissions

Dani Seely — Tue, 18 May 2004 22:37:08 GMT

Hello Pat,
I assume this is your first experience on the ITRC forum as you did not award points to the forumers for the answers you were provided. May I suggest that you take a look at the following link to learn about the points system in use here. Thanks.

http://forums1.itrc.hp.com/service/forums/helptips.do?#28

Please read the article, assess the assistance you were provided by the forumers, then reward them. Thanks!

Re: File Access Permissions

patrick coutinho — Wed, 19 May 2004 02:05:09 GMT

Dear Friends,

I apologize for this mistake. It was totally unintended. I think i am having problems with my browser. Please accept my apologies. This forum is priceless for me. Will take extra care in the future. Will apply the points right away.

thanks & Regards

Pat