Newbie question: Protection scheme in UNIX

Posted on 1998-08-15
Last Modified: 2010-04-21
Suppose there are 10000 users and I want to allow 9990 of these
users to be able to access one file. The remaining 10 are not allowed.
I can imagine two possible solutions:
Solution 1:
1) assign the 9990 people to a group, say, groupa
2) assign the remaining 10 people to another group, say groupb
3) change the group ownership of the file to groupa so that
only groupa's people can read/write/execute it.

However, I worry that anyone in groupa will change the mode of the
file by some program like chmod o+rwx filename or some other
program written by someone, so that groupb's people can
read the file.

Solution 2:
1) assign the 10 people to another group, say groupb
2) change the group ownership of the file to groupb
3) chmod o+rx
chmod g-rx filename
so that groupb's people cannot read it but other groups can
read it.

Which one works better? Is there another more effective scheme?
Many thanks.
Question by: alanpong

Expert Comment

ID: 2009239
You can use solution 1, but give group A read/execute rights only.
Whoever has got write rights can modify a file, including its permissions.

Regards, julio

Author Comment

ID: 2009240
-r-xr-x---     root   groupa    1 Aug 16 00:32  myfile

Just imagination, I've never tried to change the ownership of the file.
Do you mean if the owner is 'root' (or someone else) and the attributes of the file are like above, no one else in groupa can use chmod?


Expert Comment

ID: 2009241
AFAIK, so it is.
See 'man chmod' for more details.


Accepted Solution

dhm earned 50 total points
ID: 2009242
Both solutions would work, but your solution 2 is easier, since you only have to add 10 people to the group that can't read the file, instead of 9990 to the group that can.  Only the owner of the file (or root) can change the permissions on it, so you don't have to worry about someone who can read it changing the perms so that somebody else can read it.


What you *do* have to worry about is that somebody who can read the file will make a copy of it, and then that person will be the owner (of the copy).  If it's not protected correctly, then your 10 people who shouldn't see the file can look at the copy.

Also, if the 9990 people are allowed to *write* in the directory containing the file, then one of them could copy the file in the directory, delete the original file, and then rename the copy.  This is another way that the ownership of the file (and therefore the permissions) could get changed.

If you only need to allow reading of the file to group A, these problems are pretty easy to get around, but if group A needs to write to the file also, then it's harder to set good permissions. If you set the permissions like this:

drwx---r-x    root   groupb   /home/directory/
-rwx---r-x    root   groupb   /home/directory/myfile

then everybody except people in group B will be able to read the file, but only root will be able to change it, change the permissions, make a new copy in that directory, etc.
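The reason solution 2 works is a detail of the UNIX access check: the kernel picks exactly one permission class (owner, then group, then other) and never falls through, so a group with fewer rights than "other" acts as a deny list. The following is an added model of that check (not code from the thread); the inodes and users are constructed to mirror the two layouts discussed above, including the directory-write threat dhm describes.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (rwx)

@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o705 for -rwx---r-x

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

def class_bits(node, user):
    """Select the single permission class that applies to this user.
    UNIX tests owner, then group, then other, and stops at the first
    match, so a member of the file's group never sees the 'other' bits."""
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def allowed(node, user, want):
    """True if every bit in `want` is granted by the user's class."""
    if user.name == "root":
        return True  # superuser bypasses mode bits (simplified model)
    return class_bits(node, user) & want == want

def can_replace_file(directory, user):
    """Deleting a file and re-creating it (copy, rm, mv) needs write and
    search permission on the directory, whatever the file's own mode is."""
    return allowed(directory, user, W | X)

# Constructed inodes following the two layouts in the thread.
solution1_file = Inode("root", "groupa", 0o550)  # -r-xr-x---  (julio's variant)
solution2_dir  = Inode("root", "groupb", 0o705)  # drwx---r-x  (dhm's layout)
solution2_file = Inode("root", "groupb", 0o705)  # -rwx---r-x
open_dir       = Inode("root", "groupb", 0o707)  # drwx---rwx  (others may write)

# Constructed users: one of the 9990, one of the 10, and one in both groups.
alice = User("alice", frozenset({"groupa"}))
bob   = User("bob",   frozenset({"groupb"}))
carol = User("carol", frozenset({"groupa", "groupb"}))
```

Note that carol, who is in both groups, is denied under solution 2 because group membership is checked before "other", while under solution 1 her groupa membership grants read.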

Author Comment

ID: 2009243
Thank you.
