Operating System - HP-UX

Re: File Access Permissions

 
SOLVED
patrick coutinho
Frequent Advisor

File Access Permissions

Hi,

I have an issue which needs some help. I have a user on a box, who needs to ftp files from a particular directory to another server. Say this user is A.

There is another user B who owns these said files.

Both users A and B belong to a group dba.

The problem is that the files created have only rw permissions for the OWNER, i.e. B. Group dba does not have READ access to these files.

So how do we ensure that User A can read these files to ftp?

Please help. Thanks in advance

Rgds

Pat
17 REPLIES
Patrick Wallek
Honored Contributor

Re: File Access Permissions

If the files are only -rw------- and are owned by userb then there are 3 ways I can think of for usera to be able to read them:

1) Have usera log in to that machine as userb -- probably not good security-wise

2) Make the files group readable since both users are in the dba group -- chmod g+r filename

3) Make the files world readable -- chmod o+r filename -- probably not a good option security wise either.

I'd go for option 2 if at all possible.
baluchen
Advisor

Re: File Access Permissions

If duplicating uid doesn't matter then go ahead. Else let us wait for some guru's reply.

thanks
Bala
Nicolas Dumeige
Esteemed Contributor

Re: File Access Permissions

Hello Patrick

The group doesn't matter as A and B are on different servers.

Can A log in as B on the remote system? If so, B's privileges will apply using ftp:
ftp -n << EOF
user A A_password
cd path
mget filenames
EOF

Have you considered using rcp:
On the remote host, create a file in B's home directory like this:
# cat > .rhosts
A_hostname A
^D
Logged as A, type :
rcp B_hostname:path/filename A_hostname:path

Cheers

Nicolas
All different, all Unix
Marvin Strong
Honored Contributor

Re: File Access Permissions

If userA and B are in the same group on the server you want to ftp from (dba), then make the files r by group.

That's probably the easiest, and most secure way.

You could make the umask 037 (rwxr-----) for UserB.

so that the files are created with the correct permissions.

KapilRaj
Honored Contributor

Re: File Access Permissions

Is there an issue if user B starts creating files with a read permission to group? (Assume both the gids are the same.)

Change the umask for user-A so that he creates all files with a read to the group.

Regds,

Kaps
Nothing is impossible
Dani Seely
Valued Contributor

Re: File Access Permissions

If you're concerned about the security perspective of this issue, the safest way is to change the permissions of the necessary files so that the group has read (and write, if necessary) access since both users A and B belong to the dba group. No sense making the files world writable, that would be bad practice.

If these users need continual access to new files that will continue to be created by each other, Marvin had a good suggestion to set the umask so that the group permissions will be populated correctly at the time the files are created.
Together We Stand!
Bill Hassell
Honored Contributor

Re: File Access Permissions

ftp follows the rules for the remote end. The reason is that ftp works on many, many platforms, some of which do not have the concept of a group or permissions. For Unix to Unix, you can set the ftp daemon to create all new files with a specific umask in /etc/inetd.conf by specifying the -u option:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -u 007

In this case, all files sent to this server will have rw permission for both group and user. This is of course true for all files and directories created at that machine. However, a better solution is to use chmod after transferring the files. This is of course dependent on your local version of ftp. HP-UX and Linux and many other Unices have chmod as an ftp command.


Bill Hassell, sysadmin
Volker Borowski
Honored Contributor

Re: File Access Permissions

Hi,

this thread has some stuff about the umask-ftp aspect:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=278349

Volker
Sanjay_6
Honored Contributor

Re: File Access Permissions

Hi Pat,

If it is not a problem, let user B create the files with a umask 036. You can add "umask 036" in user B's profile.

Remember if you do this, all the files created by userB will have read permission for the group.

Hope this helps.

Regds
RAC_1
Honored Contributor

Re: File Access Permissions

Get sudo and allow user a to do ftp.
(Effectively ftp will be run as root by usera)

Anil
There is no substitute to HARDWORK
patrick coutinho
Frequent Advisor

Re: File Access Permissions

Thanks everyone,

for so much super advice. I have a question. Forgive me for asking it, as I am a novice new to HPUX. My question is "CAN ACLs HELP US out HERE?"

Points assigned. Many thanks to all my friends.

regards

pat
Bill Hassell
Honored Contributor
Solution

Re: File Access Permissions

ACL (Access Control Lists) are an extension to basic file permissions. However, none of the ACL commands (chmod doesn't control ACLs) are available in ftp. An ACL can provide a finer control over the permissions with specific users. However, after you read the man pages:

man 5 acl
man aclv

you will probably not want to play with them. And certain versions of HP-UX and VxFS filesystems do not support ACLs. They don't work over NFS.


Bill Hassell, sysadmin
patrick coutinho
Frequent Advisor

Re: File Access Permissions

Thanks Bill for the info. The system I have is an Oracle Financials system and the user is applprod, i.e. the Oracle appls user. I am not sure whether I should add umask 033 in the user .profile. That would cause ALL files generated by this user to have the permissions rwxr--r--. What do you think?

rgds

pat

Bill Hassell
Honored Contributor

Re: File Access Permissions

umask is a 'take-away' mask. So a zero means all starting bits on. But MOST important: files are never given x (execute) permission from umask. The 'starting' bits for a file are 666 (rw-rw-rw-) and the bits for a directory are 777 (rwxrwxrwx). umask 033 will produce files that are 644 (rw-r--r--), which is exactly the same as umask 022 for files. 033 will create directories that are 744 (rwxr--r--). Try these commands to see the effects:

umask 000 ; touch f000
umask 022 ; touch f022
umask 033 ; touch f033
umask 777 ; touch f777

umask 000 ; mkdir d000
umask 022 ; mkdir d022
umask 033 ; mkdir d033
umask 777 ; mkdir d777

ls -ld f??? d???


Bill Hassell, sysadmin
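
The umask values proposed across this thread (037, 036, 033, and the 007 given to ftpd -u) can be compared side by side by creating a scratch file and directory under each mask and checking who ends up with read access. This is an added example, not part of any post above; the function names mode_for and audit_umask are hypothetical, and it assumes a POSIX shell where mktemp -d creates a private scratch directory (Linux/BSD behaviour).

```shell
#!/bin/sh
# Added example (not from the thread): what each suggested umask yields.
# Assumes mktemp -d creates a private scratch directory (Linux/BSD behaviour).

# mode_for UMASK KIND -> permission string from ls, e.g. -rw-r-----
# KIND is f (file) or d (directory). The subshell keeps the caller's umask intact.
mode_for() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = d ]; then mkdir "$tmp/x"; else : > "$tmp/x"; fi
        perms=$(ls -ld "$tmp/x" | cut -c1-10)
        # Restore owner access before cleanup in case the mask removed it.
        chmod -R u+rwx "$tmp"; rm -rf "$tmp"
        printf '%s\n' "$perms"
    )
}

# audit_umask UMASK -> "UMASK file-perms dir-perms group-read=.. other-read=.."
# Group read is character 5 of the ls string, other read is character 8.
audit_umask() {
    f=$(mode_for "$1" f); d=$(mode_for "$1" d)
    case $f in ????r*) g=yes ;; *) g=no ;; esac
    case $f in ???????r*) o=yes ;; *) o=no ;; esac
    printf '%s %s %s group-read=%s other-read=%s\n' "$1" "$f" "$d" "$g" "$o"
}

# 077 reproduces the original -rw------- files; the rest come from the replies.
for m in 077 037 036 033 007; do
    audit_umask "$m"
done
```

Masks 037 and 036 give identical file modes and differ only for directories, while 033 is the only value from the thread that also grants read to others.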
patrick coutinho
Frequent Advisor

Re: File Access Permissions

Thanks Bill. will try this out

Rgds

Pat
Dani Seely
Valued Contributor

Re: File Access Permissions

Hello Pat,
I assume this is your first experience on the ITRC forum as you did not award points to the forumers for the answers you were provided. May I suggest that you take a look at the following link to learn about the points system in use here. Thanks.

http://forums1.itrc.hp.com/service/forums/helptips.do?#28

Please read the article, assess the assistance you were provided by the forumers, then reward them. Thanks!
Together We Stand!
patrick coutinho
Frequent Advisor

Re: File Access Permissions

Dear Friends,

I apologize for this mistake. It was totally unintended. I think I am having problems with my browser. Please accept my apologies. This forum is priceless for me. Will take extra care in the future. Will apply the points right away.

thanks & Regards

Pat