Newbie question : Protection scheme in UNIX

Posted on 1998-08-15
Last Modified: 2010-04-21
Hello,
Suppose there are 10000 users and I want to allow 9990 of these
users to be able to access one file. The remaining 10 are not allowed.
I can imagine two possible solutions :
Solution 1 :
1) assign the 9990 people into the group, say, groupa
2) assign the remaining 10 people into another group, say groupb
3) change the group ownership of the file to groupa so that
only groupa's people can read/write/execute it.

However, I worry anyone in groupa will change the mode of the
file by some program like chmod o+rwx filename or some other
program written by someone, so that groupb's people can
read the file.

Solution 2 :
1) assign the 10 people into another group, say groupb
2) change the group ownership of the file to groupb
3) chmod o+rx
   chmod g-rx filename
so that groupb's people cannot read it but other groups can
read it.

Which one works better? Is there another, more effective scheme?
Many thanks.
rgds.
alanpong@hkstar.com
Question by:alanpong
Expert Comment by: julio011597 (ID: 2009239)
You can use solution 1, but give group A read/execute rights only.
Whoever has got write rights can modify a file, including its permissions.

Regards, julio
Author Comment by: alanpong (ID: 2009240)
-r-xr-x---     root   groupa    1 Aug 16 00:32  myfile

Just imagination, I've never tried to change the ownership of the file.
Do you mean if the owner is 'root' (or someone else) and the attributes of the file are like above, no one else in groupa can use chmod?

Thanks
rgds.
alan
Expert Comment by: julio011597 (ID: 2009241)
AFAIK, so it is.
See 'man chmod' for more details.

-julio
Accepted Solution by: dhm (earned 50 total points, ID: 2009242)
Both solutions would work, but your solution 2 is easier, since you only have to add 10 people to the group that can't read the file, instead of 9990 to the group that can.  Only the owner of the file (or root) can change the permissions on it, so you don't have to worry about someone who can read it changing the perms so that somebody else can read it.

WARNING!

What you *do* have to worry about is that somebody who can read the file will make a copy of it, and then that person will be the owner (of the copy).  If it's not protected correctly, then your 10 people who shouldn't see the file can look at the copy.

Also, if the 9990 people are allowed to *write* in the directory containing the file, then one of them could copy the file in the directory, delete the original file, and then rename the copy.  This is another way that the ownership of the file (and therefore the permissions) could get changed.

If you only need to allow reading of the file to group A, these problems are pretty easy to get around, but if group A needs to write to the file also, then it's harder to set good permissions. If you set the permissions like this:

drwx---r-x    root   groupb   /home/directory/
-rwx---r-x    root   groupb   /home/directory/myfile

then everybody except people in group B will be able to read the file, but only root will be able to change it, change the permissions, make a new copy in that directory, etc.
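The two threads of reasoning above (julio's point that write permission does not grant chmod, and dhm's point that the directory's permissions decide who can copy, delete and rename) both follow from the classic UNIX access check: exactly one class of permission bits applies to a process, chosen in the order owner, then group, then other. The following model is an added example, not code from the original post or from any of the commenters. It evaluates both schemes from the question for a few constructed accounts; the names alice, bob and carol, the gid numbers, and the directory mode assumed for solution 1 are all made up for the illustration.

```python
# Model of the classic UNIX discretionary access check, built to compare the
# two schemes discussed in the thread. Added example, not code from the post.
# All account names and uid/gid numbers below are constructed.
GROUPA, GROUPB = 100, 200                      # assumed gids
USERS = {                                      # name -> (uid, set of gids)
    "root":  (0,    {0}),
    "alice": (1001, {GROUPA}),                 # one of the 9990 allowed users
    "bob":   (1002, {GROUPB}),                 # one of the 10 excluded users
    "carol": (1003, {300}),                    # in neither group
}
BIT = {"r": 4, "w": 2, "x": 1}


def can_access(mode, owner_uid, group_gid, uid, gids, want):
    """True if a process with uid/gids may do `want` ('r', 'w' or 'x') on an
    object with permission bits `mode`, owned by owner_uid:group_gid.

    Exactly one class of bits applies, chosen owner -> group -> other, so a
    groupb member is judged by the group bits alone even when 'other' is
    open. That is why solution 2 (g-rx, o+rx) keeps the file closed to groupb
    while everyone else can read it."""
    if uid == 0:                               # root: only execute needs a bit
        return want != "x" or bool(mode & 0o111)
    if uid == owner_uid:
        cls = (mode >> 6) & 7
    elif group_gid in gids:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & BIT[want])


def can_chmod(owner_uid, uid):
    """chmod(2) is restricted to the file's owner and root; write permission
    on the file itself does not grant it (julio's point above)."""
    return uid in (0, owner_uid)


def can_replace_entry(dir_mode, dir_owner, dir_group, uid, gids):
    """Unlinking or renaming a directory entry needs write and search (x)
    permission on the directory, not on the file. This is the copy, delete,
    rename route dhm warns about (the sticky bit is not modelled)."""
    return all(can_access(dir_mode, dir_owner, dir_group, uid, gids, w)
               for w in ("w", "x"))


def evaluate(file_mode, dir_mode, owner_uid, group_gid):
    """Return {user: {'read', 'write', 'chmod', 'replace'}} for a file and
    its containing directory that share owner_uid:group_gid."""
    out = {}
    for name, (uid, gids) in USERS.items():
        out[name] = {
            "read":    can_access(file_mode, owner_uid, group_gid, uid, gids, "r"),
            "write":   can_access(file_mode, owner_uid, group_gid, uid, gids, "w"),
            "chmod":   can_chmod(owner_uid, uid),
            "replace": can_replace_entry(dir_mode, owner_uid, group_gid, uid, gids),
        }
    return out


# Solution 1 as asked: file rwxrwx--- root:groupa; the directory mode
# rwxrwxr-x root:groupa is an assumption the question does not state.
SOLUTION1 = evaluate(0o770, 0o775, 0, GROUPA)
# Solution 2 as laid out in the accepted answer: file and directory both
# rwx---r-x root:groupb.
SOLUTION2 = evaluate(0o705, 0o705, 0, GROUPB)

if __name__ == "__main__":
    for label, table in (("solution 1", SOLUTION1), ("solution 2", SOLUTION2)):
        print(label)
        for user, caps in table.items():
            flags = " ".join(f"{k}={'y' if v else 'n'}" for k, v in caps.items())
            print(f"  {user:6} {flags}")
```

Running it shows the trade-off in the accepted answer: under solution 1 alice can write the file but still cannot chmod it, yet with a group-writable directory she can replace the entry and so end up owning a copy; under solution 2 bob is denied by the empty group bits regardless of the open "other" bits, and with the directory also closed to writing only root can alter the file, its mode, or its directory entry.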
Author Comment by: alanpong (ID: 2009243)
Thank you.