
Newbie question : Protection scheme in UNIX

Posted on 1998-08-15
Last Modified: 2010-04-21
Hello,
Suppose there are 10000 users and I want to allow 9990 of these
users to be able to access one file. The remaining 10 are not allowed.
I can imagine two possible solutions:
Solution 1:
1) assign the 9990 people into a group, say, groupa
2) assign the remaining 10 people into another group, say groupb
3) change the group ownership of the file to groupa so that
only groupa's people can read/write/execute it.

However, I worry anyone in groupa will change the mode of the
file by some program like chmod o+rwx filename or some other
program written by someone, so that groupb's people can
read the file.

Solution 2:
1) assign the 10 people into another group, say groupb
2) change the group ownership of the file to groupb
3) chmod o+rx filename
chmod g-rx filename
so that groupb's people cannot read it but other groups can
read it.

Which one works better? Is there another, more effective scheme?
Many thanks.
rgds.
alanpong@hkstar.com
Question by:alanpong

Expert Comment

by:julio011597
ID: 2009239
You can use solution 1, but give group A read/execute rights only.
Whoever has got write rights can modify a file, including its permissions.

Regards, julio

Author Comment

by:alanpong
ID: 2009240
-r-xr-x---     root   groupa    1 Aug 16 00:32  myfile

Just imagination, I've never tried to change the ownership of the file.
Do you mean if the owner is 'root' (or someone else) and the attributes of the file are like above, no one else in groupa can use chmod?

Thanks
rgds.
alan

Expert Comment

by:julio011597
ID: 2009241
AFAIK, so it is.
See 'man chmod' for more details.

-julio

Accepted Solution

by:
dhm earned 200 total points
ID: 2009242
Both solutions would work, but your solution 2 is easier, since you only have to add 10 people to the group that can't read the file, instead of 9990 to the group that can. Only the owner of the file (or root) can change the permissions on it, so you don't have to worry about someone who can read it changing the perms so that somebody else can read it.

WARNING!

What you *do* have to worry about is that somebody who can read the file will make a copy of it, and then that person will be the owner (of the copy). If it's not protected correctly, then your 10 people who shouldn't see the file can look at the copy.

Also, if the 9990 people are allowed to *write* in the directory containing the file, then one of them could copy the file in the directory, delete the original file, and then rename the copy. This is another way that the ownership of the file (and therefore the permissions) could get changed.

If you only need to allow reading of the file to group A, these problems are pretty easy to get around, but if group A needs to write to the file also, then it's harder to set good permissions. If you set the permissions like this:

drwx---r-x    root   groupb   /home/directory/
-rwx---r-x    root   groupb   /home/directory/myfile

then everybody except people in group B will be able to read the file, but only root will be able to change it, change the permissions, make a new copy in that directory, etc.
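The accepted answer relies on a detail of the UNIX access check that is easy to miss: the kernel selects exactly one permission class for a process (owner if the uid matches, otherwise group if the file's group is among the user's groups, otherwise other) and never falls through to a more permissive class. The following model is an added example, not code from the thread; the users, groups and modes are constructed to mirror the scenario in the answer, and the directory-write check models the "copy, delete, rename" warning.

```python
from dataclasses import dataclass, field

@dataclass
class Inode:
    owner: str
    group: str
    mode: str   # nine symbolic bits in ls order, e.g. "rwx---r-x"

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # primary + supplementary groups

def permitted(user: User, node: Inode, want: str) -> bool:
    """Classic UNIX DAC check for one of 'r', 'w', 'x'."""
    if user.name == "root":
        # Superuser bypasses r/w bits; x still needs at least one x bit set.
        return want != "x" or "x" in node.mode
    if user.name == node.owner:            # owner class wins, even if more restrictive
        bits = node.mode[0:3]
    elif node.group in user.groups:        # group class: checked only if owner did not match
        bits = node.mode[3:6]
    else:                                  # other class: only when neither matched
        bits = node.mode[6:9]
    return want in bits

def can_chmod(user: User, node: Inode) -> bool:
    """Only the file owner (or root) may change the mode bits."""
    return user.name in ("root", node.owner)

def can_replace_file(user: User, directory: Inode) -> bool:
    """Unlinking/renaming entries needs write+search on the directory, not on the file."""
    return permitted(user, directory, "w") and permitted(user, directory, "x")

# Constructed scenario from the answer: root-owned, group groupb, g-rx, o+rx.
DIRECTORY = Inode("root", "groupb", "rwx---r-x")
MYFILE = Inode("root", "groupb", "rwx---r-x")
# Constructed weaker variant (solution 1 with a group-writable directory).
WEAK_DIRECTORY = Inode("root", "groupa", "rwxrwxr-x")
ALAN = User("alan", {"groupa"})   # one of the 9990 who may read
BOB = User("bob", {"groupb"})     # one of the 10 who may not

def scenario() -> dict:
    return {
        "groupa_reads": permitted(ALAN, MYFILE, "r"),         # True
        "groupb_reads": permitted(BOB, MYFILE, "r"),          # False: group class is g-rx
        "groupa_chmod": can_chmod(ALAN, MYFILE),              # False: not the owner
        "groupa_replace": can_replace_file(ALAN, DIRECTORY),  # False: dir not group/other writable
        "groupa_replace_weak": can_replace_file(ALAN, WEAK_DIRECTORY),  # True: the warned-about case
    }
```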

Author Comment

by:alanpong
ID: 2009243
Thank you.