Solved

Newbie question: Protection scheme in UNIX

Posted on 1998-08-15
Last Modified: 2010-04-21
Hello,
Suppose there are 10000 users and I want to allow 9990 of these
users to be able to access one file. The remaining 10 are not allowed.
I can imagine two possible solutions:
Solution 1:
1) assign the 9990 people into a group, say, groupa
2) assign the remaining 10 people into another group, say groupb
3) change the group ownership of the file to groupa so that
only groupa's people can read/write/execute it.

However, I worry anyone in groupa will change the mode of the
file by some program like chmod o+rwx filename or some other
program written by someone, so that groupb's people can
read the file.

Solution 2:
1) assign the 10 people into another group, say groupb
2) change the group ownership of the file to groupb
3) chmod o+rx filename
   chmod g-rx filename
so that groupb's people cannot read it but other groups can
read it.

Which one works better? And is there another, more effective scheme?
Many thanks.
rgds.
alanpong@hkstar.com
Question by: alanpong

5 Comments
Expert Comment by julio011597 (LVL 5), ID: 2009239
You can use solution 1, but give group A read/execute rights only.
Whoever has got write rights can modify a file, including its permissions.

Regards, julio
Author Comment by alanpong (LVL 1), ID: 2009240
-r-xr-x---     root   groupa    1 Aug 16 00:32  myfile

Just imagination, I've never tried to change the ownership of the file.
Do you mean if the owner is 'root' (or someone else) and the attributes of the file are like above, no one else in groupa can use chmod?

Thanks
rgds.
alan
Expert Comment by julio011597 (LVL 5), ID: 2009241
AFAIK, so it is.
See 'man chmod' for more details.

-julio
Accepted Solution by dhm (LVL 3), earned 50 total points, ID: 2009242
Both solutions would work, but your solution 2 is easier, since you only have to add 10 people to the group that can't read the file, instead of 9990 to the group that can.  Only the owner of the file (or root) can change the permissions on it, so you don't have to worry about someone who can read it changing the perms so that somebody else can read it.

WARNING!

What you *do* have to worry about is that somebody who can read the file will make a copy of it, and then that person will be the owner (of the copy).  If it's not protected correctly, then your 10 people who shouldn't see the file can look at the copy.

Also, if the 9990 people are allowed to *write* in the directory containing the file, then one of them could copy the file in the directory, delete the original file, and then rename the copy.  This is another way that the ownership of the file (and therefore the permissions) could get changed.

If you only need to allow reading of the file to group A, these problems are pretty easy to get around, but if group A needs to write to the file also, then it's harder to set good permissions. If you set the permissions like this:

drwx---r-x    root   groupb   /home/directory/
-rwx---r-x    root   groupb   /home/directory/myfile

then everybody except people in group B will be able to read the file, but only root will be able to change it, change the permissions, make a new copy in that directory, etc.
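The permission logic behind both schemes in the question and in dhm's accepted answer, as an added Python illustration (not code from this thread): it applies the classic owner/group/other class rule to the two file layouts and to the directory layout dhm shows, and checks who may chmod the file or replace it in its directory. The user names, the extra 'staff' group and the "user in both groups" case are constructed for the example.

```python
# Added illustration: a small simulator of the classic UNIX permission check
# (owner / group / other classes) applied to the two schemes from this thread.
# Not code from the thread; user names, group names and ids are constructed.

from dataclasses import dataclass
from typing import FrozenSet

R, W, X = 4, 2, 1  # read, write, execute bits of one permission class


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # 9 permission bits, e.g. 0o705 for rwx---r-x


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]  # primary plus supplementary groups


def parse_ls_mode(text: str) -> int:
    """Turn an ls -l mode string such as '-rwx---r-x' into 0o705.

    The leading type character (- or d) is ignored; any non-'-' letter
    counts as a set bit, so setuid/setgid 's' and sticky 't' read as 'x'.
    """
    bits = 0
    for ch in text[-9:]:
        bits = (bits << 1) | (ch != "-")
    return bits


def access(user: User, node: Inode, want: int) -> bool:
    """Classic POSIX rule: exactly one class applies, tested in the order
    owner, then group, then other.  A groupb member therefore gets the
    group bits (---) even when 'other' carries r-x, which is the whole
    trick behind solution 2.  root bypasses the check (simplified)."""
    if user.name == "root":
        return True
    if user.name == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in user.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def can_chmod(user: User, node: Inode) -> bool:
    """chmod is the owner's (or root's) privilege, not a function of the
    rwx bits, so a reader in groupa cannot open the file up to others."""
    return user.name in ("root", node.owner)


def can_replace_in_dir(user: User, directory: Inode) -> bool:
    """Unlinking or renaming an entry needs write+search on the directory,
    regardless of the file's own mode.  This is the copy/delete/rename
    route the accepted answer warns about."""
    return access(user, directory, W | X)


# Constructed principals: one of the 9990, one of the 10, an outsider in
# neither group, and someone who happens to be in both groups.
ROOT = User("root", frozenset())
ALICE = User("alice", frozenset({"groupa"}))
BOB = User("bob", frozenset({"groupb"}))
CAROL = User("carol", frozenset({"staff"}))
DAVE = User("dave", frozenset({"groupa", "groupb"}))

# Solution 1 as julio suggested it: group A gets r-x only.
SOLUTION1_FILE = Inode("root", "groupa", parse_ls_mode("-r-xr-x---"))

# Solution 2 as laid out in the accepted answer: group B is the denied class.
SOLUTION2_DIR = Inode("root", "groupb", parse_ls_mode("drwx---r-x"))
SOLUTION2_FILE = Inode("root", "groupb", parse_ls_mode("-rwx---r-x"))


def who_can_read(node: Inode, users=(ALICE, BOB, CAROL, DAVE)) -> dict:
    """Map user name -> whether that user may read `node`."""
    return {u.name: access(u, node, R) for u in users}


if __name__ == "__main__":
    for label, node in (("solution 1", SOLUTION1_FILE), ("solution 2", SOLUTION2_FILE)):
        print(label, who_can_read(node))
    print("alice may chmod the solution-2 file:", can_chmod(ALICE, SOLUTION2_FILE))
    print("alice may replace it in its directory:", can_replace_in_dir(ALICE, SOLUTION2_DIR))
```

Running it shows the trade-off the thread only states in words: under solution 2, carol (in neither group) can read the file just like the 9990, and dave is denied as soon as groupb appears anywhere in his group list, so groupb must hold exactly the 10 and nobody else. The root-owned directory with ---  for groupb and r-x for others is what closes the delete-and-rename route for the readers, since none of them has write+search on it.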
Author Comment by alanpong (LVL 1), ID: 2009243
Thank you.
