Difference between revisions of "Permissions"
Revision as of 08:57, 11 May 2020
=== Basic perms ===
Depending on which scripts or processes are being run, some only need to read the alternate account's files (read-only), while others need read/write access to them.
Limitations/Issues
- Additional app/process users will all get either read/write access or read-only access; if both are needed, ACLs must be used (as in some Samba environments).
- umask may need to be modified where multiple processes are creating files/directories (i.e. umask settings for both files and directories in Samba, umask settings in the FTP server configuration, etc.)

==== Multiple users/processes needing access to a single account ====
1. Add the users to the account's group
 # usermod -aG lisapp nrpe
OR if you have many users
 # for U in nrpe snmp cacti applog ; do usermod -aG lisapp $U ; done
2. Set directory perms (setgid bit) so that new files all belong to the same group
read-only
 # find /home/lisapp -type d -exec chmod g=rxs '{}' \;
read/write
 # find /home/lisapp -type d -exec chmod g=rwxs '{}' \;
3. Optionally set group write access on existing files, for the read/write option
 # find /home/lisapp -type f -exec chmod g+w '{}' \;
==== Single user/process needing access to multiple accounts ====
1. Add the user to each account's group
 # usermod -aG buildnss scmadmins
OR if you have many accounts
 # for U in buildnss buildfalcon ; do usermod -aG $U scmadmins ; done
2. Set directory perms (setgid bit) so that new files all belong to the same group
read-only
 # find /home/buildnss -type d -exec chmod g=rxs '{}' \;
read/write
 # find /home/buildnss -type d -exec chmod g=rwxs '{}' \;
OR if you have many accounts
 # for U in buildnss buildfalcon ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done
3. Optionally set group write access on existing files, for the read/write option
 # find /home/buildnss -type f -exec chmod g+w '{}' \;
OR if you have many accounts
 # for U in buildnss buildfalcon ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done
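The recipe above is applied by hand and nothing on the page checks that a tree still matches it later. The following is an added example, not part of the original wiki page: it builds a small constructed directory tree, applies the read/write variant of the recipe (setgid, group-rwx directories and group-writable files) and audits the tree for entries that deviate from it. Group membership is not touched, since usermod needs root; the tree simply keeps the group of whoever runs the script. It assumes GNU find and stat (Linux).

```shell
#!/bin/sh
# Added example (not the wiki page's own commands): apply the page's
# read/write recipe to a tree and audit the result.
# Assumes GNU findutils/coreutils; the tree's group is the caller's own.
set -eu

# Build a constructed sample tree with deliberately wrong modes and print
# its path. Names are invented for the example.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/reports/2020" "$t/bin"
    printf 'sample\n' > "$t/reports/2020/weekly.xml"
    printf '#!/bin/sh\n' > "$t/bin/run.sh"
    chmod 700 "$t/reports" "$t/reports/2020" "$t/bin"   # no group access at all
    chmod 600 "$t/reports/2020/weekly.xml"
    chmod 755 "$t/bin/run.sh"
    echo "$t"
}

# The page's read/write recipe: setgid + rwx for the group on every directory
# (new files inherit the directory's group), then group write on files.
apply_rw_recipe() {
    t=$1
    find "$t" -type d -exec chmod g=rwxs '{}' \;
    find "$t" -type f -exec chmod g+w '{}' \;
}

# Count entries that drifted from the recipe and print the number (0 = clean).
# stat %A gives e.g. "drwxrws---": characters 5-7 are the group triplet, and
# an 's' in position 7 means group execute plus setgid.
audit_rw_recipe() {
    t=$1
    dbad=$(find "$t" -type d -exec stat -c '%A' '{}' + | awk 'substr($0,5,3) != "rws"' | wc -l)
    fbad=$(find "$t" -type f -exec stat -c '%A' '{}' + | awk 'substr($0,6,1) != "w"' | wc -l)
    echo $((dbad + fbad))
}

# Demo run on the constructed tree; the tree is removed afterwards.
demo=$(make_sample_tree)
echo "deviations before: $(audit_rw_recipe "$demo")"
apply_rw_recipe "$demo"
echo "deviations after:  $(audit_rw_recipe "$demo")"
rm -rf "$demo"
```

Running the audit before and after the recipe shows six deviations turning into zero. Note what step 3 does to the 0600 file: `g+w` only adds write, so it ends up 0620, group-writable but not group-readable. The recipe assumes files already carry group read; a tree created under a restrictive umask needs `g+r` as well.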
=== ACLs ===
Limitations/Issues
- umask may need to be modified where multiple processes are creating files/directories (i.e. umask settings for both files and directories in Samba, umask settings in the FTP server configuration, etc.)
For a directory tree (-R applies the entry to the existing tree, -d sets the default ACL that newly created entries inherit; the capital X grants search permission on directories only, since an entry of plain rw would leave joe unable to enter them):
Read/write users:
 # setfacl -Rm u:joe:rwX /home/CSP1/Data
 # setfacl -dRm u:joe:rwX /home/CSP1/Data
Read-only users:
 # setfacl -Rm u:joe:rX /home/CSP1/Data
 # setfacl -dRm u:joe:rX /home/CSP1/Data
For a single file:
 # setfacl -m u:joe:rw /home/CSP1/Data/Weekly_Data_Report-20100704.xml
Reference
ls output
# ls -l
getfacl output
# getfacl
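What getfacl prints is not always what a named user actually gets: every named entry is filtered through the mask entry, and chmod on the group bits rewrites that mask. In particular, running the Basic perms step 2 (`chmod g=rxs`) over a tree that already carries ACLs silently reduces joe's `rw-` entry to an effective `r--`. The following is an added example, not output or code from the wiki page: a small awk filter that reads getfacl output and prints the effective rights of each named user and group after applying the mask, the same calculation getfacl shows in its `#effective:` comments. The sample getfacl output is constructed for the example (the names csp1, joe and staff are invented).

```shell
#!/bin/sh
# Added example (not from the wiki page): compute effective ACL rights.
# Reads getfacl(1) output on stdin and prints "type:name effective-perms"
# for every named user/group entry in the access ACL.
set -eu

effective_acl() {
    awk -F: '
        # Skip the "# file:" header, blank lines and default: entries;
        # defaults only matter for files created later.
        /^#/ || /^default:/ || NF < 3 { next }
        $1 == "mask" { mask = $3; next }
        # Named entries have a non-empty qualifier; user::rwx is the owner.
        ($1 == "user" || $1 == "group") && $2 != "" {
            names[++n] = $1 ":" $2; perms[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                # A bit is effective only if both the entry and the mask grant it.
                # Only the first three chars are used, so real getfacl output with a
                # trailing "#effective:" comment is handled too.
                for (j = 1; j <= 3; j++) {
                    c = substr(perms[i], j, 1)
                    eff = eff (c != "-" && substr(mask, j, 1) == c ? c : "-")
                }
                print names[i], eff
            }
        }'
}

# Constructed sample: joe was given rw, staff rwx, but a later chmod g=rx on
# the directory reset the mask to r-x.
SAMPLE_GETFACL='# file: Data
# owner: csp1
# group: csp1
user::rwx
user:joe:rw-
group::r-x
group:staff:rwx
mask::r-x
other::---
default:user::rwx
default:user:joe:rw-
default:group::r-x
default:mask::r-x
default:other::---'

printf '%s\n' "$SAMPLE_GETFACL" | effective_acl
```

On the sample this prints `user:joe r--` and `group:staff r-x`: both named entries still read as granted in the ACL, but the mask has stripped write. setfacl -m recalculates the mask to cover the entry it adds (unless -n is given), so the reduction only appears after a plain chmod on the group bits; on a real tree, feed `getfacl -R /home/CSP1/Data` through the filter to find such entries.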
=== chmod details/usage ===
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]
The letters 'ugoa' select whose access to the file or directory will be changed:
- 'u' (user): permissions for the user who owns the file/directory
- 'g' (group): permissions for other users who are members of the file's group
- 'o' (other): permissions for users who are neither the owner nor in the group (aka world readable when 'r' is granted)
- 'a' (all): all of the above
The '+-=' operators control how the permissions are set on the file or directory:
- '+' (add) causes the selected permissions to be added to the existing permissions
- '-' (remove) causes them to be removed
- '=' (set) causes them to be the only permissions
The letters 'rwxXst' select the new permissions for the affected users:
- 'r' read
- 'w' write
- 'x' execute (or search/access for directories)
- 'X' execute/search only if the file is a directory or already has execute permission for some user
- 's' set user or group ID on execution
- 't' restricted deletion flag or sticky bit
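Before running a symbolic mode over a whole home directory with find -exec, it is worth dry-running it on a scratch inode and reading the resulting octal mode back. The following is an added example, not from the wiki page: apply_mode creates a throwaway file or directory in a temp directory, sets a starting numeric mode, applies the symbolic mode, and prints the result from `stat -c %a`. It assumes GNU chmod and stat (Linux). The cases at the bottom cover the page's own recipe (`g=rxs`, `g=rwxs`, `g+w`) plus the 'X' and 't' letters.

```shell
#!/bin/sh
# Added example (not the wiki page's own commands): dry-run a chmod symbolic
# mode on a scratch file or directory and print the resulting octal mode.
# Usage: apply_mode f|d START_OCTAL SYMBOLIC_MODE   (assumes GNU coreutils)
set -eu

apply_mode() {
    kind=$1 start=$2 sym=$3
    scratch=$(mktemp -d)
    if [ "$kind" = d ]; then
        target=$scratch/dir
        mkdir "$target"
    else
        target=$scratch/file
        : > "$target"
    fi
    # Clear special bits explicitly first: GNU chmod keeps a directory's
    # setuid/setgid bits when given a plain three-digit numeric mode, and a
    # directory created under a setgid parent inherits setgid.
    chmod u-s,g-s,o-t "$target"
    chmod "$start" "$target"
    chmod "$sym" "$target"
    stat -c %a "$target"      # e.g. 2750: leading digit 2 = setgid
    rm -rf "$scratch"
}

# Table of worked cases: kind, starting mode, symbolic mode.
for case in \
    "f 644 g+w"    \
    "f 755 o="     \
    "f 644 a+X"    \
    "f 754 a+X"    \
    "d 700 g=rxs"  \
    "d 700 g=rwxs" \
    "d 755 o+t"
do
    # shellcheck disable=SC2086  (word splitting is intended here)
    set -- $case
    printf '%-2s %s %-8s -> %s\n' "$1" "$2" "$3" "$(apply_mode "$1" "$2" "$3")"
done
```

The two 'X' rows are the instructive ones: `a+X` leaves a 0644 data file untouched but turns 0754 into 0755, which is why `chmod -R a+X` is safe on mixed trees where `chmod -R a+x` would make every data file executable. The directory rows show the 's' in `g=rxs` landing in the leading octal digit (2750), the setgid bit the page relies on for group inheritance.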