topic Re: User privilidges in Operating System - HP-UX

User privilidges

Adam Noble — Wed, 17 Mar 2004 10:37:17 GMT

All,

I have had a slightly strange request from a user asking if he can have privilidges to delete (housekeep) files from another users directory. After investigation I can understand his reasoning, is their a simple way of doing this. Didn't really want to go down the route of Sudo or opening up the user directory too much.

Thanks

Re: User privilidges

David Burgess — Wed, 17 Mar 2004 10:44:34 GMT

Adam,

Put them in the same group and set group permissions to allow this. However if you only want to give access to certain files this may be a bit more tricky. You may have to have the group changed on the files after they are created.

Regards,

Dave.

Re: User privilidges

Michael Schulte zur Sur — Wed, 17 Mar 2004 10:56:26 GMT

Adam,

did that solve your problem?

greetings,

Michael

Re: User privilidges

Adam Noble — Wed, 17 Mar 2004 10:57:36 GMT

Not really Michael, the reason being it would enable numerous different users to have the same privilidge i.e to delete files.

Re: User privilidges

Michael Schulte zur Sur — Wed, 17 Mar 2004 11:05:47 GMT

Adam,

another way could be access control lists. Have you worked with that before?

have a look at man acl,

Michael

Re: User privilidges

Charlie Rubeor — Wed, 17 Mar 2004 11:08:34 GMT

I don't use them myself, but I think that you should be able to use an acl to grant access to a specific user. Look at the man page for acl (man 5 acl). Depending on your filesystem, look at chacl for hfs, setacl for jfs.

hth

Re: User privilidges

Adam Noble — Wed, 17 Mar 2004 11:11:47 GMT

Thanks guys I will take a look!

Re: User privilidges

David Burgess — Wed, 17 Mar 2004 11:47:11 GMT

Is your system trusted? Trusted systems don't support ACLs unless you have jfs4 I believe. Can anyone clarify that?

Regards,

Dave.

Re: User privilidges

Mark Grant — Wed, 17 Mar 2004 11:58:22 GMT

Adam,

How about making a new group that only these two users are members of. Make this group the primary group for your first user and the second user will be able to delete these files if you set them up correctly.

Of course, if user one can't have a new primary group then we are back to square one.

Re: User privilidges

David Burgess — Wed, 17 Mar 2004 12:12:58 GMT

Adam,

using Marks idea you could have the users in multiple groups and then issue the newgrp command to change primary group before creating the files.

ie if a user is in primary group grpa and has group membership grpa and grpb then

touch file1

will create a file owned by that user with grpa membership

then run

newgrp grpb

touch file2

will create a file owned by that user with grpb membership

If only those users share one of those groups then only they can delete the files those files.

Regards,

Dave.

Re: User privilidges

David Burgess — Wed, 17 Mar 2004 12:18:39 GMT

To save the deleting user issuing the newgrp link /etc/logingroup to /etc/group.

see the man page logingroup

From that :-

"If /etc/logingroup and /etc/group are links to the same file, the default access list includes the entire set of groups associated with the user."

Regards,

Dave.

Re: User privilidges

Adam Noble — Wed, 17 Mar 2004 12:19:44 GMT

will review in morning thanks for advice.

Re: User privilidges

Charlie Rubeor — Wed, 17 Mar 2004 15:58:12 GMT

Additional info on acl

http://www.docs.hp.com/hpux/onlinedocs/os/jfs_acl.pdf