I tried to use ACLs to restrict user privileges, and found that a user that is explicitly denied write perms in a file's ACLs will not be able to write to a file even if the group that the user belongs to has write permissions on that file.
I created a user test having group test, and created a file named testfile that has write permissions for the group test but is owned by root.
Code:
# id test
uid=1000462(test) gid=65546(test)
# ls -l testfile
-rw-rw-r-- 1 root test 10 Oct 10 10:17 testfile
OS: Solaris 8
I set the ACLs on the file to allow the user test to only read the file. Mask set to rwx.
Code:
# setfacl -m u:test:r--,m:rwx testfile
# ls -l testfile
-rw-rw-r--+ 1 root test 10 Oct 10 10:17 testfile
# getfacl testfile
# file: testfile
# owner: root
# group: test
user::rw-
user:test:r-- #effective:r--
group::rw- #effective:rw-
mask:rwx
other:r--
Next, I tried to write to the file as user test.
Code:
$ id
uid=1000462(test) gid=65546(test)
$ ls -l testfile
-rw-rw-r--+ 1 root test 10 Oct 10 10:17 testfile
$ cat >> testfile
ksh: testfile: cannot create
I also tried this on HP-UX, vxfs:
Code:
# setacl -m u:test:r-- testfile
# ls -l testfile
-rw-rw-r--+ 1 root users 9 Oct 10 07:58 testfile
# getacl testfile
# file: testfile
# owner: root
# group: users
user::rw-
user:test:r--
group::rw-
class:rw-
other:r--
When I su-ed to user test and tried to write to the file,
Code:
$ id
uid=111(test) gid=20(users)
$ cat >> testfile
sh: testfile: Cannot create the specified file.
If your filesystem supports ACLs, you can probably use them to restrict users from writing to a file even if they are part of a group that has write permissions on the file.
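The precedence rule behind both results, as an added Python model that is not code from Solaris, HP-UX or this post: a named user entry is matched before any group entry, and the mask (which HP-UX prints as "class") caps every entry except the owner's. The getfacl/getacl listings above are embedded as the input; user and group names stand in for uids and gids.

```python
# Added model of the POSIX.1e ACL access check; ACL text taken from the post's listings.
SOLARIS_ACL = """\
# file: testfile
# owner: root
# group: test
user::rw-
user:test:r-- #effective:r--
group::rw- #effective:rw-
mask:rwx
other:r--
"""
HPUX_ACL = ("# owner: root\n# group: users\nuser::rw-\nuser:test:r--\n"
            "group::rw-\nclass:rw-\nother:r--\n")

def parse_acl(text):
    """Parse getfacl (Solaris) or getacl (HP-UX) output; '#effective' notes are ignored."""
    acl = {"named_user": {}, "named_group": {}, "mask": None}
    for raw in text.splitlines():
        if raw.startswith(("# owner:", "# group:")):      # file owner and owning group
            acl[raw[2:7]] = raw.split(":", 1)[1].strip()
            continue
        parts = raw.split("#", 1)[0].strip().split(":")
        if len(parts) < 2:                                # blank line or '# file:' comment
            continue
        tag, qual, perms = parts[0], (parts[1] if len(parts) == 3 else ""), set(parts[-1]) - {"-"}
        if tag in ("mask", "class"):                      # HP-UX names the mask entry 'class'
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
        elif qual:
            acl["named_" + tag][qual] = perms             # user:test:r-- style entries
        else:
            acl[tag + "_obj"] = perms                     # user:: and group:: entries
    return acl

def check_access(acl, user, groups, wanted):
    # Returns (allowed, entry used) for `user` in `groups` requesting perms such as 'w'.
    wanted, mask = set(wanted), acl["mask"]
    masked = lambda p: p & mask if mask is not None else p
    if user == acl["owner"]:                       # 1. owner: user:: entry, mask not applied
        return wanted <= acl["user_obj"], "user::"
    if user in acl["named_user"]:                  # 2. named user entry beats every group entry
        return wanted <= masked(acl["named_user"][user]), "user:" + user
    hits = [("group::", acl["group_obj"])] if acl["group"] in groups else []
    hits += [("group:" + g, p) for g, p in acl["named_group"].items() if g in groups]
    for name, perms in hits:                       # 3. any one matching group entry may grant
        if wanted <= masked(perms):
            return True, name
    if hits:                                       #    groups matched but none granted: deny
        return False, hits[0][0]
    return wanted <= acl["other"], "other"         # 4. everyone else
```

Dropping the mask to r-- on the Solaris ACL also denies the owning group, which is how the "#effective:" column in getfacl is computed.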