HPE Community
Operating System - Tru64 Unix
1753530 Members
4881 Online
108795 Solutions
New Discussion юеВ

Re: security file

 
fergani
Advisor

тАО01-18-2010 11:16 PM

тАО01-18-2010 11:16 PM

security file

Hi everyone;
I am using tru64 unix v5.1 and I am a junior DBA.
I created a batch file inside the root directory , so I want certain users to have privileges to execute it only,but not to open it.

Do you think should I put this file inside root directory or inside the users directory who have the privileges to execute it only,but not to open it.

bye.
0 Kudos
7 REPLIES 7
Martin Moore
HPE Pro

тАО01-19-2010 12:06 PM

тАО01-19-2010 12:06 PM

Re: security file

Access control lists might be the best solution for you. Do "man acl" for an introduction.

Martin
I work for HPE
A quick resolution to technical issues for your HPE products is just a click away HPE Support Center
See Self Help Post for more details

Accept or Kudo

0 Kudos
Pieter 't Hart
Honored Contributor

тАО01-19-2010 11:48 PM

тАО01-19-2010 11:48 PM

Re: security file

I would suggest to keep the root directory clean.
Normally I would put own jobs like this
- at least in a subdirectory of the root (like /DBAprod)
- or even on a separate filesystem
- in your own home directory
- in a central DBAuser home directory
0 Kudos
fergani
Advisor

тАО01-20-2010 12:12 AM

тАО01-20-2010 12:12 AM

Re: security file

Hi
I read the help of acl but there are many things I couldn't understand.
please could you provide my an example shown me How to get certain users to have privileges to execute a batch file only,but not to open it.

bye.
0 Kudos
Pieter 't Hart
Honored Contributor

тАО01-20-2010 12:53 AM

тАО01-20-2010 12:53 AM

Re: security file

Instead of specifying each user in an acl it's more flexible to create two extra groups in /etc/group using "sysman groups".
eg. DBAexecute and DBAread (maybe also DBAowner)
add all appropriate users to the corresponding group.
set acl on the file with permissions.
"setacl -D -u group:DBAread:r--,group:DBAexecute:--x,group:DBAowner:rwx"

With standard unix protection you could also set the group of the file to DBAexecute
"chgrp DBAexecute" and set protection with chmod so the owner can read/write and the group execute.
"chmod u=rwx,g=x,o=" (o= now owner but other!)
0 Kudos
fergani
Advisor

тАО01-21-2010 10:46 AM

тАО01-21-2010 10:46 AM

Re: security file

hi everyone
I need someone to explain me this statement:-
setacl -u group::r--,user:alpha:-w- shared

shared is the file.
I found it in the help but I don't understand.
bye
0 Kudos
Martin Moore
HPE Pro

тАО01-21-2010 10:49 AM

тАО01-21-2010 10:49 AM

Re: security file

It gives read access to the group that owns the file (which could be done with the regular file permissions just as well) and it gives write access to the file to user "alpha".

Martin
I work for HPE
A quick resolution to technical issues for your HPE products is just a click away HPE Support Center
See Self Help Post for more details

Accept or Kudo

0 Kudos
Martin Moore
HPE Pro

тАО01-21-2010 10:51 AM

тАО01-21-2010 10:51 AM

Re: security file

A further thought: have you checked out the information on ACL's in the security manual? The V5.1B manual is at http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V51B_HTML/ARH95ETE/TITLE.HTM and has a very nice writeup, IMO, on ACL's. See Chapter 2, especially section 2.3.

Martin
I work for HPE
A quick resolution to technical issues for your HPE products is just a click away HPE Support Center
See Self Help Post for more details

Accept or Kudo

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.