topic Re: rights/permissions -- plz help in Operating System - Linux

rights/permissions -- plz help

Maaz — Wed, 09 Feb 2005 13:08:39 GMT

Dear Gurus

how can i implement the permissions on the directory(say /data) so that users

0, Read the file(s)
1, cant delete the file(s)
2, cant delete the contents(previously written data) of the file(s)
3, but they can append the in the file(s) i.e they cant change/remove previously saved data in the file, but they can append the data.

plz help me implemet the above mentioned permissions.

Thanx in adv.

Regards
Maaz

Re: rights/permissions -- plz help

Rick Garland — Wed, 09 Feb 2005 13:32:43 GMT

In using just the straight permissions and ownerships.

Can't have a writable file that is forbidden to be deleted.

The other option is to investigate Access Control Lists (ACLs). This will offer finer control options that you seek.

Re: rights/permissions -- plz help

Dexter Filmore — Wed, 09 Feb 2005 20:22:35 GMT

Try:

chmod 744 /data

This will achieve all but 3). Maybe you can try investigating ACLs as per Rick's suggestion.

Re: rights/permissions -- plz help

Florian Heigl (new acc) — Wed, 09 Feb 2005 22:09:47 GMT

Maaz:

3) this - per default - only works on systems that (know securelevels and *) the chflags command.

chflags uappnd filename

but, if I remember correctly there are patches for linux to get You the chflags command. But I have no idea where I read that.

ACLs would only allow You to set a permission, but change includes overwriting, so this is useless.

*) more specific: it only makes sense if You have securelevels so that noone can remove the flag.

Re: rights/permissions -- plz help

Maaz — Thu, 10 Feb 2005 12:08:39 GMT

Thanx Dear All for the help/reply

Re: rights/permissions -- plz help

Maaz — Thu, 10 Feb 2005 12:24:14 GMT

Dear Florian Heigl if u(any one is invited) can plz explain the "securelevels"

Regards
Maaz

Re: rights/permissions -- plz help

Ranjith_5 — Thu, 10 Feb 2005 13:14:01 GMT

Hi Maaz,

Use a stickybit so that only owner of the file will be able to delete the file.

Set the basic permission
#chmod 766

After that

#chmod u+t ( Sticky bit )

After setting stickybit the permissions can be viewed as follows.

-rwxrw-rwT 1 root sys 1276 Jul 12 2002 xyz

See man page of chmod for more info.

Regards,
Syam

Re: rights/permissions -- plz help

Ranjith_5 — Thu, 10 Feb 2005 13:15:30 GMT

Hi Maaz,

A good doc here for your reference.

http://docs.hp.com/en/B2355-90672/ch12s06.html

Regards,
Syam

Re: rights/permissions -- plz help

Maaz — Fri, 11 Feb 2005 14:09:31 GMT

thnx dear Syam

and again I m repeating my question.. Dear Florian Heigl if u(any one is invited) can plz explain the "securelevels"

Regards
Maaz

Re: rights/permissions -- plz help

David Child_1 — Fri, 11 Feb 2005 16:25:59 GMT

Maaz,

Another option would be;

1. limit access to read-only on the directories and files.
2. Create a script that would only allow appending to existing file
3. Set up 'sudo' with a "RUNAS" option.
4. Add the script you created to the sudo definition.

You'll need to keep tight control of the permissions for this script so no one can give themselves extra privileges.

Example:
chown security:security /data
chmod 755 /data

Sudoers might have something like:

User_Alias APPEND_USERS=operator1,opereator2
Host_Alias APPEND_SERVER=myhost
Runas_Alias APPEND_RUNAS=security
Cmnd_Alias APPEND_CMD=/usr/local/secure/append_script.ksh
APPEND_USERS APPEND_SERVER=(APPEND_RUNAS) APPEND_CMD

Then they (operator1, operator2, etc.) would run it as:

$ sudo /usr/local/secure/append_script.ksh

David

Re: rights/permissions -- plz help

Maaz — Sat, 12 Feb 2005 00:09:48 GMT

Nice help dear David Child

Thanx n Regards
Maaz