Solved

Newbie question : Protection scheme in UNIX

Posted on 1998-08-15
5
Medium Priority
1,108 Views
Last Modified: 2010-04-21
Hello,
Suppose there are 10000 users and I want to allow 9990 of these
users to be able to access one file. The remaining 10 are not allowed.
I can imagine two possible solutions :
Solution 1 :
1) assign the 9990 people into a group, say, groupa
2) assign the remaining 10 people into another group, say groupb
3) change the group ownership of the file to groupa so that
only groupa's people can read/write/execute it.

However, I worry that anyone in groupa will change the mode of the
file by some program like chmod o+rwx filename or some other
program written by someone, so that groupb's people can
read the file.

Solution 2 :
1) assign the 10 people into another group, say groupb
2) change the group ownership of the file to groupb
3) chmod o+rx filename
chmod g-rx filename
so that groupb's people cannot read it but other groups can
read it.

Which one works better? And is there another, more effective scheme?
Many thanks.
rgds.
alanpong@hkstar.com
Question by:alanpong
5 Comments
 
LVL 5

Expert Comment

by:julio011597
ID: 2009239
You can use solution 1, but give group A read/execute rights only.
Whoever has got write rights can modify a file, including its permissions.

Regards, julio
0
 
LVL 1

Author Comment

by:alanpong
ID: 2009240
-r-xr-x---     root   groupa    1 Aug 16 00:32  myfile

Just imagination, I've never tried to change the ownership of the file.
Do you mean if the owner is 'root' (or someone else) and the attributes of the file are like the above, no one else in groupa can use chmod?

Thanks
rgds.
alan
0
 
LVL 5

Expert Comment

by:julio011597
ID: 2009241
AFAIK, so it is.
See 'man chmod' for more details.

-julio
0
 
LVL 3

Accepted Solution

by:
dhm earned 200 total points
ID: 2009242
Both solutions would work, but your solution 2 is easier, since you only have to add 10 people to the group that can't read the file, instead of 9990 to the group that can.  Only the owner of the file (or root) can change the permissions on it, so you don't have to worry about someone who can read it changing the perms so that somebody else can read it.

WARNING!

What you *do* have to worry about is that somebody who can read the file will make a copy of it, and then that person will be the owner (of the copy).  If it's not protected correctly, then your 10 people who shouldn't see the file can look at the copy.

Also, if the 9990 people are allowed to *write* in the directory containing the file, then one of them could copy the file in the directory, delete the original file, and then rename the copy.  This is another way that the ownership of the file (and therefore the permissions) could get changed.

If you only need to allow reading of the file to group A, these problems are pretty easy to get around, but if group A needs to write to the file also, then it's harder to set good permissions. If you set the permissions like this:

drwx---r-x    root   groupb   /home/directory/
-rwx---r-x    root   groupb   /home/directory/myfile

then everybody except people in group B will be able to read the file, but only root will be able to change it, change the permissions, make a new copy in that directory, etc.
0
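The precedence rule behind both solutions, the ownership rule for chmod, and the copy caveat from the accepted answer, as an added simulation (not code from the thread; the uids, gids and helper names are constructed for illustration):

```python
# Simulation of the UNIX discretionary access check (added example, not the
# thread's own code). A process is classified once, in the order
# owner -> group -> other, and only that class's bits are consulted; the
# classes are never OR-ed together. That is why solution 2 works: a groupb
# member is classified as "group" and gets groupb's empty bits even though
# "other" has read permission.
from dataclasses import dataclass
from typing import Optional, Set

R, W, X = 4, 2, 1

@dataclass
class Inode:
    owner: int   # numeric uid of the owner
    group: int   # numeric gid of the owning group
    mode: int    # permission bits, e.g. 0o550

def permitted(f: Inode, uid: int, gids: Set[int], want: int) -> bool:
    """True if a process with (uid, group set) may perform `want` (a mask of
    R, W, X) on f. Root bypasses the bits, except that execute still needs
    at least one x bit set, as on most UNIX kernels."""
    if uid == 0:
        return (want & X) == 0 or (f.mode & 0o111) != 0
    if uid == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want

def can_chmod(f: Inode, uid: int) -> bool:
    """chmod(2) is allowed only for the file's owner or root; being able to
    read or even write the file does not matter."""
    return uid == 0 or uid == f.owner

def copy(f: Inode, uid: int, primary_gid: int, gids: Set[int]) -> Optional[Inode]:
    """A user who can read f may cp it. The copy is a new inode owned by the
    copier, who may then chmod it (the caveat in the accepted answer).
    Returns None when the read is denied."""
    if not permitted(f, uid, gids, R):
        return None
    return Inode(owner=uid, group=primary_gid, mode=f.mode & 0o777)

# Constructed sample identities: root=0, groupa gid=100, groupb gid=200.
GROUPA, GROUPB = 100, 200
alice = (1001, {GROUPA})   # one of the 9990 allowed users
bob = (1002, {GROUPB})     # one of the 10 excluded users
sol1 = Inode(owner=0, group=GROUPA, mode=0o550)  # -r-xr-x---  root groupa
sol2 = Inode(owner=0, group=GROUPB, mode=0o505)  # -r-x---r-x  root groupb
```
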
 
LVL 1

Author Comment

by:alanpong
ID: 2009243
Thank you.
0
