Operating System - HP-UX

Special directory permissions

Ron Markarian
Occasional Contributor


Goal: To create a folder that will allow a specific group of users to list the folder's contents and create new files. They should only be able to read/write files they own.

I have explored options using the sticky bit and umask but I can't seem to get them to work and I'm running out of time.

Thanks,

7 REPLIES
Steven E. Protter
Exalted Contributor

Re: Special directory permissions

This is not so fast, but it can get the job done.

Access Control Lists(ACL)

Read this:
http://docs.hp.com/hpux/onlinedocs/os/jfs_acl.pdf

Good Luck.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Hassell
Honored Contributor

Re: Special directory permissions

If you create the directory with 1770 permissions with group ownership assigned to the right group, then no one other than members of that group can 'see' into the directory. The sticky bit (1000) prevents members of that group from removing or renaming the files that they do not own. umask should be set to 077 and now all files will be unreadable/unwritable by anyone except the owner.

If the users must also create additional directories, they MUST manually change the permission on the new directory. umask has no effect on sticky or UID/GID bits.


Bill Hassell, sysadmin
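The setup described in the reply above (a 1770 group-owned directory, files created under umask 077, and the extra chmod a user must do on any subdirectory because umask never sets the sticky bit), as an added example that is not part of the thread. The group name is passed in as a parameter and is an assumption; the mode strings in the comments are what a POSIX ls prints.

```shell
#!/bin/sh
# Added example, not from the thread: build a group-shared drop directory
# the way the reply describes. The group passed as $2 is an assumption.

# Symbolic mode of a path: the first ten characters of "ls -ld"
# (cut keeps the result stable on systems that append ACL/context flags).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create the shared directory: rwx for owner and group, nothing for others,
# plus the sticky bit (1000) so members cannot remove or rename files they
# do not own. chgrp is allowed to fail if the group does not exist here.
make_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" 2>/dev/null || true
    chmod 1770 "$dir"
    mode_of "$dir"            # drwxrwx--T
}

# Create a new file with umask 077 (owner-only). The subshell keeps the
# umask change local; umask only affects files created after it is set.
create_private_file() {
    rm -f "$1"
    ( umask 077 && : > "$1" ) || return 1
    mode_of "$1"              # -rw-------
}

# Same file creation under the usual default umask 022, for comparison.
create_default_file() {
    rm -f "$1"
    ( umask 022 && : > "$1" ) || return 1
    mode_of "$1"              # -rw-r--r--
}

# A subdirectory made under umask 077 comes out as 700: no group access and
# no sticky bit, because umask never adds the 1000/2000/4000 bits.
create_subdir_with_umask() {
    ( umask 077 && mkdir -p "$1" ) || return 1
    mode_of "$1"              # drwx------
}

# The manual fix the reply mentions: chmod the new subdirectory to 1770.
fix_subdir() {
    chmod 1770 "$1"
    mode_of "$1"              # drwxrwx--T
}
```

Run it on a scratch directory and compare the mode strings: the file under umask 077 is owner-only, the one under 022 is world-readable, and the subdirectory only gets the sticky bit after the explicit chmod.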
James A. Donovan
Honored Contributor

Re: Special directory permissions

Setting the permissions on the directory to 1770 will get you close. Making sure the users' umask is set to 077, at least initially, will prevent them from reading/modifying others' files. But, there is no way to enforce the umask setting. The users could modify it themselves, thus opening up their files to others.
Remember, wherever you go, there you are...
Kevin Wright
Honored Contributor

Re: Special directory permissions

yep, set the sticky bit on the directory, but to avoid others read access to the files, you must change the user's umask to 066.
curt larson_1
Honored Contributor

Re: Special directory permissions

the easy way is just to give rwx to the group for the directory
d---rwx--- owner mygroup ...

then whenever a file is created it is up to the owner to make sure they are the only ones with read/write permissions on the file
-rwx------ owner mygroup .....
this can be done via umask or chmod

of course the owner will have to be a member of the group, mygroup. And, there is no guarantee that the owners will maintain the proper permission.

another caveat is being the members of the group have write permission on the directory. they will be able to remove any file. and being they can create files, they could recreate a file they removed, set the permissions, and then give the file the same owner/group as the file they removed. So, while they can not vi a file, they will be able to modify the file via a remove and recreate it with the desired contents.

the only right way is to use ACLs. but they are only supported on limited types of file systems. And several utilities don't support them, nfs, tar, etc. And, of course, there is a learning curve to getting used to using them.
Ron Markarian
Occasional Contributor

Re: Special directory permissions

The umask is going to apply to every file the user creates (this directory or not). Is there a way to only apply the umask to this directory?

I also looked at ACLs, but how would that help me in this situation? I don't need to differentiate between users.
James A. Donovan
Honored Contributor

Re: Special directory permissions

There is no way to set a special umask for just one directory. But you may be able to sneak around the problem....

Cron up a job run by root, that runs every minute (or whatever) that changes the permissions on any file in that directory to 600. That way you can exercise at least a modicum of control.
Remember, wherever you go, there you are...
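The root cron sweep suggested in the reply above, as an added example that is not part of the thread: a script that finds regular files in the drop directory whose mode is not 600 and fixes them. The script path and the /shared/drop directory in the crontab comment are assumptions; HP-UX and GNU find both treat "-perm 600" as an exact match.

```shell
#!/bin/sh
# Added example, not from the thread: periodic chmod-to-600 sweep for a
# shared directory, meant to run from root's crontab. Paths are assumptions.

# List regular files under $1 whose mode is not exactly 600.
find_open_files() {
    find "$1" -type f ! -perm 600
}

# Number of such files; 0 means nothing in the directory is readable by others.
# tr strips the leading spaces HP-UX wc prints.
count_open_files() {
    find_open_files "$1" | wc -l | tr -d ' '
}

# Force every regular file under $1 to rw------- and return the number of
# files still open afterwards (expected 0). Files created between two sweeps
# stay at the user's umask until the next run; that window is the limit of
# this approach, as the reply notes.
sweep_private() {
    find "$1" -type f ! -perm 600 -exec chmod 600 {} +
    count_open_files "$1"
}

# Crontab line for root (added with "crontab -e"); script path is assumed:
#   * * * * * /usr/local/sbin/sweep_private.sh /shared/drop
```

Run the sweep with the directory as its only argument; the count it prints afterwards is the number of files it could not bring to 600, so a non-zero result is worth logging.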