Difference between revisions of "Permissions"

From The Linux Source
Jump to: navigation, search
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
===  Basic perms
+
===  Basic perms ===
  
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account
+
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account (or an application account)
  
 
Limitations/Issues
 
Limitations/Issues
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's)           * umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)
+
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's)
 +
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)
 +
 
  
*Multiple users/processes needing access to a single account*
+
Multiple users/processes needing access to a single account (or an application account)
  
 
1. Add users to proper group
 
1. Add users to proper group
Line 20: Line 22:
 
  read/write
 
  read/write
 
  # find /home/appuser -type d -exec chmod g=rwxs '{}' ;
 
  # find /home/appuser -type d -exec chmod g=rwxs '{}' ;
 
  
 
3. Optionally set write access, for read/write option
 
3. Optionally set write access, for read/write option
Line 27: Line 28:
  
  
*Single user/process needing access to a multiple accounts*
+
Single user/process needing access to a multiple accounts
  
 
1. Add users to proper group
 
1. Add users to proper group
Line 34: Line 35:
 
  OR if you have many users
 
  OR if you have many users
 
  # for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done
 
  # for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done
 
  
 
2. Set directory perms so that new files all belong to the same group
 
2. Set directory perms so that new files all belong to the same group
Line 52: Line 52:
  
  
 
+
===  ACL's ===
 
+
 
+
===  ACL's
+
  
 
Limitations/Issues
 
Limitations/Issues
 
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)
 
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)
 +
 +
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to leaving out the -d, which would be existing files)
  
  
Line 67: Line 66:
 
  # setfacl -Rm u:joe:rw /home/Shared/Reports
 
  # setfacl -Rm u:joe:rw /home/Shared/Reports
 
  # setfacl -dRm u:joe:rw /home/Shared/Reports
 
  # setfacl -dRm u:joe:rw /home/Shared/Reports
 
  
 
Read-Only users;
 
Read-Only users;
Line 80: Line 78:
  
  
Reference
+
=== Reference ===
  
 
ls output
 
ls output
  
# ls -l
+
Note: the + means some ACL's have been set
  
 +
# ls -ld somedir
 +
  drwxrwxr-x+ 2 buildapp1 scmadmins 6 May 12 04:08 somedir
  
getfacl output
+
# ls -l somefile
 +
  -rw-rw-r--+ 1 joe scmadmins 9 May 12 04:12 somefile
  
# getfacl
 
  
 +
getfacl output
 +
 +
# getfacl somedir
 +
  # file: somedir/
 +
  # owner: lisa
 +
  # group: staff
 +
  # flags: -s-
 +
  user::rwx
 +
  user:joe:rwx              #effective:r-x
 +
  group::rwx                #effective:r-x
 +
  group:cool:r-x
 +
  mask::r-x
 +
  other::r-x
 +
  default:user::rwx
 +
  default:user:joe:rwx      #effective:r-x
 +
  default:group::r-x
 +
  default:mask::r-x
 +
  default:other::---
  
  
===  chmod details/usage
+
===  chmod details/usage ===
  
 
  The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]
 
  The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]
Line 112: Line 130:
 
  's' set user or group ID on execution
 
  's' set user or group ID on execution
 
  't' restricted deletion flag or sticky bit
 
  't' restricted deletion flag or sticky bit
 +
 +
Options (some)
 +
  -c like verbose but report only when a change is made
 +
  -R change files and directories recursively
 +
 +
 +
===  setfacl details/usage ===
 +
 +
Options (some)
 +
  -b remove all extended ACL entries
 +
  -d operations apply to the default ACL
 +
  -k remove the default ACL
 +
  -m modify the current ACL(s) of file(s)
 +
  -n don't recalculate the effective rights mask
 +
  -R recurse into subdirectories
 +
  -x remove entries from the ACL(s) of file(s)
 +
  --mask do recalculate the effective rights mask
 +
  --set  set the ACL of file(s), replacing the current ACL
 +
  --test test mode (ACLs are not modified)

Latest revision as of 03:48, 12 May 2020

Basic perms

Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account (or an application account)

Limitations/Issues

  • additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's)
  • umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)


Multiple users/processes needing access to a single account (or an application account)

1. Add users to proper group

# usermod -aG appuser nrpe                                                                
OR if you have many users                                                                  
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done                      

2. Set directory perms so that new files all belong to the same group

read-only
# find /home/appuser -type d -exec chmod g=rxs '{}' ;
read/write
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;

3. Optionally set write access, for read/write option

# find /home/appuser -type f -exec chmod g+w '{}' ;


Single user/process needing access to a multiple accounts

1. Add users to proper group

# usermod -aG buildapp1 scmadmins
OR if you have many users
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done

2. Set directory perms so that new files all belong to the same group

read-only
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;
read/write
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;
OR if you have many users
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done

3. Optionally set write access, for read/write option

# find /home/buildapp1 -type f -exec chmod g+w '{}' ;                                     
OR if you have many users
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done


ACL's

Limitations/Issues

  • umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)

Note: m - modify, R - recursive, d - default perms (for new files, as opposed to leaving out the -d, which would be existing files)


For a directory tree;

Read/write users;

# setfacl -Rm u:joe:rw /home/Shared/Reports
# setfacl -dRm u:joe:rw /home/Shared/Reports

Read-Only users;

# setfacl -Rm u:gary:r /home/Shared/Reports
# setfacl -dRm u:gary:r /home/Shared/Reports


For a file;

# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml


Reference

ls output

Note: the + means some ACL's have been set

# ls -ld somedir
  drwxrwxr-x+ 2 buildapp1 scmadmins 6 May 12 04:08 somedir
# ls -l somefile
  -rw-rw-r--+ 1 joe scmadmins 9 May 12 04:12 somefile


getfacl output

# getfacl somedir
  # file: somedir/
  # owner: lisa
  # group: staff
  # flags: -s-
  user::rwx
  user:joe:rwx               #effective:r-x
  group::rwx                 #effective:r-x
  group:cool:r-x
  mask::r-x
  other::r-x
  default:user::rwx
  default:user:joe:rwx       #effective:r-x
  default:group::r-x
  default:mask::r-x
  default:other::---


chmod details/usage

The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]

The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed
'u' (user) permissions for the user who owns the file/directory (u)
'g' (group) permissions for other users who are members of the group (g)
'o' (other) other users that are not in the group permissions (o) (aka world readable)
'a' (all) all of the above                                                                
The '+-=' operators control how the permissions are set on the file or directory
'+' (add) causes the selected permissions to be added to the existing permissions
'-' (remove) causes them to be removed
'=' (set) causes them to be the only permissions

The  letters  'rwxXst' select the new permissions for the affected users:
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)
'X' execute/search only if the file is a directory or already has execute permission for some user
's' set user or group ID on execution
't' restricted deletion flag or sticky bit

Options (some)
 -c like verbose but report only when a change is made
 -R change files and directories recursively


setfacl details/usage

Options (some)
 -b remove all extended ACL entries
 -d operations apply to the default ACL
 -k remove the default ACL
 -m modify the current ACL(s) of file(s)
 -n don't recalculate the effective rights mask
 -R recurse into subdirectories
 -x remove entries from the ACL(s) of file(s)
 --mask do recalculate the effective rights mask
 --set  set the ACL of file(s), replacing the current ACL
 --test test mode (ACLs are not modified)