Folder permissions

 
sudhapage
Regular Advisor

Folder permissions

Dear all,

I have one folder in / named as 'ugs'. In this folder our application will create some folders, application is running with root permissions. So all the folders owner is root only. Root only able to edit.

But user requirement is that anybody should have read, write, execute permissions in ugs folder, so I have set permissions like below.

I have created one group name 'per', then I have added all the users into that group. Then

chown -R root:per ugs
chmod -R 777 ugs

But the problem is, whenever our application creating new folders..... root only able to edit that folders, other not able to do anything.

How we can set 777 permission for new directories automatically?

or

we can set through SETUID or SETGID?? If yes provide me the examples.

Regards,
Sudhakaran.K
14 REPLIES
A. Clay Stephenson
Acclaimed Contributor

Re: Folder permissions

777 is a very bad mode to set directories or files because it is a security risk. Two things are at play when a file or directory (never say "folder" in UNIX) is created: 1) the mode 2) umask. If you will set umask to 000 in your application then the mode will be exactly as you requested.
If it ain't broke, I can fix that.
sudhapage
Regular Advisor

Re: Folder permissions

Hi Stephen,

We can't do anything with that application, is there any other way?

Regards,
Sudhakaran.K
Ivan Krastev
Honored Contributor

Re: Folder permissions

Write a little shell script to change permissions and put it in crontab for every 5 min.

regards,
ivan
sudhapage
Regular Advisor

Re: Folder permissions

Hi Ivan Krastev,

We can do like this, but the problem is folder size is more than 50 GB.

while running the script it will impact the server performance.

So user not ready to agree for this script.

Any other suggestions?

Regards,
Sudhakaran.K
Matti_Kurkela
Honored Contributor
Solution

Re: Folder permissions

Apparently your umask has been set to 077 (= deny everything from everyone except the owner) when starting the program.

You have to think of this as two separate problems:
1.) the files must be created with correct permissions: this is done using "umask"
2.) the files must be owned by the "per" group: this is done using setgid bits on the directories.

To solve the first problem:

Run "umask 007" before starting the program and create some files.

New files should now get permissions -rw-rw---- and new directories drwxrwx---.

If you want read-only access to everyone that is *not* a member of the group "per", set "umask 002" instead.

To fix the second problem:

To get the new files and directories automatically owned by group that owns the directory the file/directory is created in, you must set the "setgid" bit for the _directories_ only. Any new subdirectories created after this will automatically inherit the correct group _and_ the setgid bit.

The simplest way to set the setgid bit to all directories of the ugs directory tree at this point is:
find /ugs -type d | xargs chmod g+s

If there are any directories that contain a space character in their names, this command will produce error messages (as the chmod command thinks each part is a complete directory name). You must then change those directories manually with:
chmod g+s "name of directory with spaces"

MK
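The two fixes from the answer above, as an added example that is not part of the original post. It assumes a throwaway temporary directory standing in for /ugs and the current user's own group standing in for 'per'; the function names are made up for this sketch. It goes slightly beyond the post in two ways: `find -exec ... {} +` handles directory names containing spaces, and the umask is changed only inside a subshell so the caller's umask stays as it was.

```shell
#!/bin/sh
# Added example; paths and function names are constructed for the demo.

# Set the setgid bit on every directory below $1.
# "-exec chmod g+s {} +" hands names to chmod as arguments, so names
# with spaces are not split the way "find | xargs" splits them.
set_setgid_tree() {
    find "$1" -type d -exec chmod g+s {} +
}

# Run one command with umask 007 in a subshell. The umask is inherited
# by the command only; the calling shell keeps its own value.
run_with_umask_007() {
    ( umask 007; "$@" )
}

# Print the ten-character mode string of a path (as shown by ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

demo() {
    base=$(mktemp -d) || return 1          # stand-in for /ugs
    mkdir -p "$base/ugs/dir with spaces"

    set_setgid_tree "$base/ugs"

    # Simulate the application creating new entries after the fix.
    run_with_umask_007 mkdir "$base/ugs/dir with spaces/newdir"
    run_with_umask_007 touch "$base/ugs/dir with spaces/newfile"

    echo "existing dir: $(mode_of "$base/ugs/dir with spaces")"
    echo "new dir:      $(mode_of "$base/ugs/dir with spaces/newdir")"
    echo "new file:     $(mode_of "$base/ugs/dir with spaces/newfile")"
    echo "caller umask: $(umask)"

    rm -rf "$base"
}

demo
```

The new directory carries the setgid bit and group write access without any later chmod pass over the tree.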
sudhapage
Regular Advisor

Re: Folder permissions

Hi Matti,

First of all thanks for your brief & clear explanations.

Now problem is I can't set umask value to 007 or 002, because in the same server other applications also running. If I change umask value other applications will get disturb.

So we can't change the umask value.

* Is it possible to apply umask value to particular folder??

* Is there any way to achieve through ACL or etc..

Regards,
Sudhakaran.K
Peter Nikitka
Honored Contributor

Re: Folder permissions

Hi,

you only need to modify the umask for this application - not globally for the whole server:
Just do it before starting the application.

Next: If possible, change the group of your application to 'per' and set the s-Bit for the group, so newly created files and directories will belong to the group 'per':

chgrp per /path/to/your/appl.exe
chmod g+s /path/to/your/appl.exe

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
sudhapage
Regular Advisor

Re: Folder permissions

Hi peter,

Application side we don't have any access. We tried to inform application team, they are accepting to change umask value in application itself.

Changing the group also is not possible. Already application is running in different group.

Regards,
Sudhakaran.K
sudhapage
Regular Advisor

Re: Folder permissions

Hi peter,

Now Application team is not accepting to change umask & gid.

Any other suggestions?

Regards,
Sudhakaran.K
gstonian
Trusted Contributor

Re: Folder permissions

If the application is unwilling to change the umask or fix the folders after creation for creating the folder then using something like cron seems to be your only option. This will at least tidy up after the application has created the files.

Peter Nikitka
Honored Contributor

Re: Folder permissions

Hi,

I'm asking myself why an application team is involved:
- Is the application started by themselves or do you start the application?
If it's their task, your job is done: forward the requirement of the users to that application team, attach the suggestion of simply changing the umask and give that feedback to your users.

If it's your task, wrap the start of the application in a two-liner:
#!/usr/bin/sh
umask 007
/start/of/application

Then change the group ownership of the directory structure under 'ugs' to match the real group of the application.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
sudhapage
Regular Advisor

Re: Folder permissions

Hi peter,

We have explained the scenario to application team, and asked them to include umask value.

They are telling, we can't include anything to their program, and also they are client for us. So we can't order them.

Now user requesting to do this task through operating system commands.

Regards,
Sudhakaran.K
Peter Nikitka
Honored Contributor

Re: Folder permissions

Hi,

ok, customer is king, or something like that ...

Are there arguments against solution2?

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
A. Clay Stephenson
Acclaimed Contributor

Re: Folder permissions

This is nonsense. In the worst case all you have to do is create a wrapper for the application that does nothing more than set umask and invoke the "real" application. Umask is inherited from the parent process. Now it is possible that the application explicitly sets umask and/or the creation mode of the files and directories --- and if that is the case then the only fix is modifying the application. I suspect that what is really happening is that the application is trying to protect you from yourself because asking for 777 modes is less than smart --- and the vendor is trying to avoid telling you that your request is dumb and dangerous.
If it ain't broke, I can fix that.