Posted by Starfish on October 11, 2006, 9:18 am
Hello, if someone can answer this question you make a lot of Uppsala
University students happy.
Here goes: How do you specify negative permission¹ in Unix/Linux
without using ACLs?
¹E.g. saying that the user "Ellen" should not have write access to a
file regardless of the permissions given to her groups.
Posted by Walter Roberson on October 11, 2006, 11:04 am
>Hello, if someone can answer this question you make a lot of Uppsala
>University students happy.
>Here goes: How do you specify negative permission¹ in Unix/Linux
>without using ACLs?
>¹E.g. saying that the user "Ellen" should not have write access to a
>file regardless of the permissions given to her groups.
You find something that fills the same role as an ACL but which
someone has called something different.
In some cases, you -might- be able to work something out with
exclusive mandatory locking and file access monitoring capabilities,
to have a program which checked to see who was trying to do the
access and refused to give up control if it was the "wrong" person.
But this would be difficult to do at all without using a device
driver.
You could use a loadable driver to put the file into your own
filesystem that did whatever permission enforcement you wanted.
You could put the file into an NFS filesystem that specified a
userid map that mapped Ellen's access to "nobody". You -might- be
able to do that with a loop-back filesystem, mounting the
file into a point on the tree that could be reached by everyone,
when the real file resided inside a fully-protected directory.
Posted by Chris Mattern on October 11, 2006, 3:49 pm
Starfish wrote:
>Hello, if someone can answer this question you make a lot of Uppsala
>University students happy.
>
>Here goes: How do you specify negative permission¹ in Unix/Linux
>without using ACLs?
>
>¹E.g. saying that the user "Ellen" should not have write access to a
>file regardless of the permissions given to her groups.
>
You don't. That's why they invented ACLs, because standard
UNIX permissions can't do that sort of thing.
--
Christopher Mattern
"Which one you figure tracked us?"
"The ugly one, sir."
"...Could you be more specific?"
Posted by Sebastian Gottschalk on October 11, 2006, 4:02 pm
Chris Mattern wrote:
>>Hello, if someone can answer this question you make a lot of Uppsala
>>University students happy.
>>
>>Here goes: How do you specify negative permission¹ in Unix/Linux
>>without using ACLs?
>>
>>¹E.g. saying that the user "Ellen" should not have write access to a
>>file regardless of the permissions given to her groups.
>>
>
> You don't. That's why they invented ACLs, because standard
> UNIX permissions can't do that sort of thing.
Actually Unix permissions are a very restricted implementation of ACLs with
owner-user, owner-group, three fixed entries (owner, group, others) and
three permissions (read, write, exec). Yeah, you may add some bits, but
that's generally how it works.
And such a scenario as above can even be achieved with Unix permissions: by
creating a new group that excludes Ellen, changing the owner-group of the
file accordingly and not allowing write access to others.
The obvious problem is management overhead, inflexibility and especially
state explosion (you generally need as many groups as files if they all
have different permissions). And that's why unrestricted ACLs are more
appropriate.
Posted by Barry Margolin on October 11, 2006, 11:38 pm
> Hello, if someone can answer this question you make a lot of Uppsala
> University students happy.
>
> Here goes: How do you specify negative permission¹ in Unix/Linux
> without using ACLs?
>
> ¹E.g. saying that the user "Ellen" should not have write access to a
> file regardless of the permissions given to her groups.
Make ellen the owner of the file, and omit the write permission from the
owner, i.e.
chown ellen filename
chmod u-w filename
However, a problem with this is that since ellen is the owner, she can
change the permissions and give herself write permissions. So this is
really only useful as a safety net, or in restricted environments where
users don't have access to the chmod command (e.g. it can be useful on
FTP servers -- you can create an anonymous upload directory where the
anonymous userid doesn't have any permissions to the files they've
created).
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
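The two workarounds proposed in this thread (Sebastian Gottschalk's "group that excludes Ellen" and Barry Margolin's "make Ellen the owner and drop the owner write bit") can both be checked against a model of the classic non-ACL Unix permission decision. The following is an added example written for this page, not code from any poster or from any Unix implementation; the user names, uids, gids and group memberships are constructed, and the model covers only the write bit of the 9-bit mode plus the root bypass, which is enough to show why there is no "not Ellen" entry and why the owner-based trick is only a safety net.

```python
"""Model of the classic (non-ACL) Unix write-permission check.

The kernel selects exactly one class for the caller - owner, group or
other - and consults only that class's bits. Nothing in the mode can
express "everyone in the group except this one user", which is the
thread's question; the two workarounds below are what the bits allow.
"""
import stat

# Constructed principals (made up for this example).
USERS = {"root": 0, "ellen": 1001, "bob": 1002}
GROUPS = {"staff": 100, "staff_no_ellen": 101}
MEMBERS = {"staff": {"ellen", "bob"}, "staff_no_ellen": {"bob"}}


def can_write(user, owner_uid, owner_gid, mode):
    """True if `user` may write a file with the given owner, group and mode."""
    uid = USERS[user]
    if uid == 0:
        return True  # root bypasses discretionary access control
    if uid == owner_uid:
        # Owner class wins even if the owner is also in the file's group.
        return bool(mode & stat.S_IWUSR)
    user_gids = {GROUPS[g] for g, members in MEMBERS.items() if user in members}
    if owner_gid in user_gids:
        # Group members never fall through to the 'other' bits.
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def can_chmod(user, owner_uid):
    """Only the owner (or root) may change a file's mode."""
    uid = USERS[user]
    return uid == 0 or uid == owner_uid


def exclusion_group_trick():
    """Sebastian's approach: give the file to a group that omits ellen and
    withhold the write bit from 'other'. Returns who can write."""
    owner_uid, owner_gid, mode = USERS["bob"], GROUPS["staff_no_ellen"], 0o664
    return {u: can_write(u, owner_uid, owner_gid, mode) for u in ("ellen", "bob")}


def owner_without_write():
    """Barry's approach: ellen owns the file but the owner write bit is off
    (chown ellen; chmod u-w). Returns (who can write, who can write after
    ellen runs chmod u+w herself), showing why this is only a safety net."""
    owner_uid, owner_gid, mode = USERS["ellen"], GROUPS["staff"], 0o464
    before = {u: can_write(u, owner_uid, owner_gid, mode) for u in ("ellen", "bob")}
    if can_chmod("ellen", owner_uid):  # the owner may restore the bit
        mode |= stat.S_IWUSR
    after = {u: can_write(u, owner_uid, owner_gid, mode) for u in ("ellen", "bob")}
    return before, after


if __name__ == "__main__":
    # The problem case: ellen is in 'staff' and the group has write access.
    print("plain group file, ellen writes:",
          can_write("ellen", USERS["bob"], GROUPS["staff"], 0o664))
    print("exclusion group:", exclusion_group_trick())
    print("owner without w, before/after chmod:", owner_without_write())
```

The model makes the trade-offs in the thread concrete: the exclusion group enforces the restriction but needs a fresh group per distinct set of excluded users (the "state explosion" Sebastian mentions), while the owner-based variant is defeated the moment the owner is allowed to run chmod, which is why it is only useful where users cannot change modes.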