Special Directory Permission?

Brahnda Eleazar
Frequent Advisor

Special Directory Permission?

Peace all,

I was asked a question like this.
Suppose there is a directory as follows: /mydir/dir1/dir2/dir3

Can we limit user1 only to dir3 in HP-UX?
That means grant that user read access to dir3 only and revoking its read access to mydir, dir1, and dir2.

As far as I know, this can't be done.
But if it can, then I'll be very interested. :)

Thanks,
=adley=
Senthil Kumar .A_1
Honored Contributor

Re: Special Directory Permission?

Hi,

I'm not too sure whether it can be done using ACLs or by denying "rw" to the parent dir and just giving them "x" permission to change directories. But, I have a workaround. It can be achieved using a loopback filesystem, which is often not used by many in HPUX. See the example below; you will get my point...

root@somehost# cd /tmp
root@somehost# mkdir -p dir1/dir2/dir3
root@somehost# ls -ld dir1
drwxr-x--- 3 root sys 96 May 14 23:53 dir1/
root@somehost# mkdir dir_ac
root@somehost# cd dir1/dir2
root@somehost# ll
total 0
drwxr-x--- 2 root sys 96 May 14 23:53 dir3
root@somehost# chmod 777 dir3
root@somehost# cd ../..
root@somehost# ll -d dir1
drwxr-x--- 3 root sys 96 May 14 23:53 dir1
root@somehost# ll -d dir_ac
drwxr-x--- 2 root sys 96 May 14 23:53 dir_ac
root@somehost# mount -F lofs /tmp/dir1/dir2/dir3 /tmp/dir_ac

NOTE: The normal user will not be able to cd to dir1 or dir2, let alone view its content, but the user can cd to /tmp/dir_ac and do whatever he likes, in spite of the fact that dir3 is inside the restricted dirs "dir1" and "dir2". lofs makes it possible to tunnel to a dir directly from a different FS path. Maybe you wanna give it a shot.

SK
Let your effort be such, the very words to define it, by a layman - would sound like a "POETRY" ;)
Senthil Kumar .A_1
Honored Contributor

Re: Special Directory Permission?

Hi,

Apart from the above lofs solution, here I have pasted a simple permission solution. Please choose whichever is more flexible for your need.

root@somehost# cd /tmp
root@somehost# chmod 751 dir1
root@somehost# chmod 751 dir1/dir2
root@somehost# ll -d dir1
drwxr-x--x 3 root sys 96 May 14 23:53 dir1
root@somehost# su a666632
root@somehost# cd dir1
root@somehost# ls
. unreadable
root@somehost# cd dir2
root@somehost# ls
. unreadable
root@somehost# cd dir3
root@somehost# ls
sen

SK
Let your effort be such, the very words to define it, by a layman - would sound like a "POETRY" ;)
Dennis Handly
Acclaimed Contributor

Re: Special Directory Permission?

Along with what Senthil says, you can remove read access to all but dir3 and you can still list dir3:
$ ll -ogd dir1
d-wxrwxr-x 3 96 May 14 23:13 dir1/
$ ll -og dir1
dir1 unreadable
$ ll -og dir1/dir2/dir3/
-rw-rw-r-- 1 0 May 14 23:13 a
-rw-rw-r-- 1 0 May 14 23:13 b

And if you want to limit this to a specific user and not group, you would need ACLs.
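The two permission-only answers above (Senthil's `chmod 751` on the parent directories and Dennis's `d-wxrwxr-x` variant that strips read from the owner as well) both rest on the same rule: reaching a directory needs `x` (search) on every directory along the path, while listing it needs `r` on that directory itself. The Python below is an added example, not code from the thread: it builds the same `dir1/dir2/dir3` tree in a scratch directory and applies the classic POSIX owner/group/other mode-bit check to it for two constructed identities, "user1" (neither owner nor in the owning group) and the tree's owner. The model deliberately ignores root's override and ACLs, so it shows what the mode bits alone grant; the identities, the scratch path and the file `sen` are assumptions.

```python
import os
import shutil
import tempfile

# Constructed tree mirroring the thread: dir1/dir2/dir3 under a scratch
# base, with dir1 and dir2 mode 751, dir3 mode 777 and one file in dir3.
DIR1, DIR2, DIR3 = "dir1", "dir1/dir2", "dir1/dir2/dir3"


def build_tree(base):
    """Create the constructed dir1/dir2/dir3 tree with the modes from the thread."""
    os.chmod(base, 0o755)                       # base plays the role of /tmp
    os.makedirs(os.path.join(base, DIR3))
    with open(os.path.join(base, DIR3, "sen"), "w") as fh:
        fh.write("hello\n")
    os.chmod(os.path.join(base, DIR1), 0o751)   # rwxr-x--x: others may search, not read
    os.chmod(os.path.join(base, DIR2), 0o751)
    os.chmod(os.path.join(base, DIR3), 0o777)


def has_perm(st, uid, gids, perm):
    """Classic POSIX mode-bit check for one inode.

    Owner bits apply if uid matches, else group bits if any of the caller's
    gids matches, else the 'other' bits.  uid 0 is deliberately NOT given a
    free pass and ACLs are not consulted (assumption of this model): it shows
    what an ordinary user gets from the mode bits alone.
    """
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & {"r": 4, "w": 2, "x": 1}[perm])


def _ancestors_searchable(base, rel, uid, gids):
    """Every directory from base down to the parent of rel must grant 'x'.
    Returns the full path of rel on success, None on the first denial."""
    cur = base
    for comp in rel.split("/"):
        if not has_perm(os.stat(cur), uid, gids, "x"):
            return None
        cur = os.path.join(cur, comp)
    return cur


def can_enter(base, rel, uid, gids):
    """`cd base/rel`: needs 'x' on every ancestor and on rel itself."""
    target = _ancestors_searchable(base, rel, uid, gids)
    return target is not None and has_perm(os.stat(target), uid, gids, "x")


def can_list(base, rel, uid, gids):
    """`ls base/rel`: needs 'x' on every ancestor but 'r' on rel itself."""
    target = _ancestors_searchable(base, rel, uid, gids)
    return target is not None and has_perm(os.stat(target), uid, gids, "r")


def other_user(base):
    """Constructed identity for 'user1': neither the owner nor in the owning group."""
    st = os.stat(base)
    return st.st_uid + 1, frozenset()


def owner_user(base):
    """Identity of whoever created the tree (the 'root' of the thread's session)."""
    st = os.stat(base)
    return st.st_uid, frozenset({st.st_gid})


def demo():
    """Build the tree in a scratch directory and report what each identity can do."""
    base = tempfile.mkdtemp()
    try:
        build_tree(base)
        out = {}
        uid, gids = other_user(base)
        out["user1 ls dir1"] = can_list(base, DIR1, uid, gids)        # False
        out["user1 ls dir1/dir2"] = can_list(base, DIR2, uid, gids)   # False
        out["user1 cd dir3"] = can_enter(base, DIR3, uid, gids)       # True
        out["user1 ls dir3"] = can_list(base, DIR3, uid, gids)        # True
        # Dennis's variant: drop read from the owner too (d-wxrwxr-x, mode 375).
        os.chmod(os.path.join(base, DIR1), 0o375)
        uid, gids = owner_user(base)
        out["owner ls dir1"] = can_list(base, DIR1, uid, gids)        # False
        out["owner ls dir3"] = can_list(base, DIR3, uid, gids)        # True
        return out
    finally:
        # restore read so the scratch tree can be removed as a non-root user
        for rel in (DIR1, DIR2):
            os.chmod(os.path.join(base, rel), 0o755)
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20} {'allowed' if allowed else 'denied'}")
```

The report makes the trade-off of the permission-only approach visible: user1 can still `cd` straight into dir3 and list it, and cannot list dir1 or dir2, but user1 must be able to name the full path, and the parents remain searchable for everyone in the `other` class. Since `x` without `r` is what makes this work, any later `chmod -R` or a relaxed umask on the parents silently reopens them, which is a good thing to check periodically with `ll -d`.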

Brahnda Eleazar
Frequent Advisor

Re: Special Directory Permission?

Peace all,

Thanks to you all for the answers.
All methods work, but as the requirement is to "contain" the user to only a specific folder (no traversing to the parent directory), I'll go with the first option.

=adley=
Peter Nikitka
Honored Contributor

Re: Special Directory Permission?

Hi,

You can give the user a restricted shell and set /mydir/dir1/dir2/dir3 as HOME.
So leaving that HOME directory will not be possible.
This will fit only if really no other direct directory access is needed.

Kind regards, Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
Bill Hassell
Honored Contributor

Re: Special Directory Permission?

The first choice is to stop giving users shell access when they login. The shell has a very powerful set of commands and unless you use the restricted shell (which is itself a big pain to handle), too much capability is given to non-Unix users. Change the user's shell to a menu and only show the items you want them to use. If they need to cd to different directories, store the list in your menu and any attempts to go elsewhere are not possible.


Bill Hassell, sysadmin
Brahnda Eleazar
Frequent Advisor

Re: Special Directory Permission?

Peace Peter,
I actually like your solution, but this user needs at least two directories. Well, I can ask the developers if it's possible to restrict the user to just one though :)


Peace Bill,
The user is used purely for SFTP-ing actually, not a human. So I don't think menus will work in this case, although I agree with you that menus will definitely work for humans.

=adley=