11-26-2008
Quote:
Originally Posted by
jim mcnamara
Deny execute access to users in group DeptA on /filesystem1, grant execute access to DeptB on /filesystem1.
Have no world (or other) access on /filesystem1. Put all of DeptA into a single group, put all of DeptB into a separate group.
If your filesystems support acl's you can block access using acl's on a per user basis if you want. You only need to block access department-wide at one point -one directory - then all subsequent directories become unreachable. See man chacl
Jim,
Thanks for the reply.
However, is this giving rise to the dynamic permissions required? IE userA starts a session while physically sitting in deptA (which the software knows and passes to the .sh file) and can see deptA filesystem. Then same userA walks down the corridor to deptB and starts a session, and this time shouldn't be able to see deptA filesystem.
Is chroot a possible solution to this? Only just found it, so just looking over its potential now.
Thanks,
Steve
9 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
Hi there.
How do I make the DB connection see the parameter variables passed to the unix script ? The code snippet below isn't working properly.
sqlplus << EOF
user1@db1/pass1
BEGIN
PACKAGE1.perform_updates($1,$2,$3);
END;
EOF
Thanks in advance,
Abrahao. (2 Replies)
Discussion started by: 435 Gavea
2 Replies
2. Solaris
I am not able to login in gnome session and java session in Sun solaris 9& 10 respectively through xmanager as a nis user, I am able to login in common desktop , but gnome session its not allowing , when I have given login credentials, its coming back to login screen, what shoul I do to allow nis... (0 Replies)
Discussion started by: durgaprasadr13
0 Replies
3. Shell Programming and Scripting
Hi
I want to do something that might sound strange.
I have a code that in written in C and is executed at startup (it's a custom process). It occasionally calls some bash scripts.
The process doesn't have any terminal associated with it.
One thing I don't know how to do is to start a... (5 Replies)
Discussion started by: alirezan
5 Replies
4. HP-UX
Our network administrators implemented some sort of check to kill idle sessions and now burden is on us to run some sort of keep alive. Client based keep alive doesn't do a very good job. I have same issue with ssh. Does solution 2 provided above apply for ssh sessions also? (1 Reply)
Discussion started by: yoda9691
1 Replies
5. Shell Programming and Scripting
Besides 'who am i' and 'tty' what commands could be used to determine if a session is interactive as compared to a web process or cron process. Any command should work with the common unix variants. (3 Replies)
Discussion started by: jgt
3 Replies
6. Solaris
what is the difference between desktop session and console session in solaris
as i am wondering we use option -text for the former and -nowin for the later (1 Reply)
Discussion started by: kishanreddy
1 Replies
7. Solaris
Hi,
i got the following error when i tried to access the cygwin x server from a windows XP PC.
"xdmcp fatal error session failed session 23 failed for display"
Alternatively, when i tried to access the same Cygwin X Server from another windows XP PC which is on a different LAN... (3 Replies)
Discussion started by: HarishKumarM
3 Replies
8. Linux
Hi Guys,
Is there a way to recover a lost session? I was working in a server and that lost the connection, now, I have a new session but all the previous processes that I was running, like scripts, etc, are still running.
Is there a way to bring them to my session?
Best regards,
Marco. (4 Replies)
Discussion started by: ocramas
4 Replies
9. Shell Programming and Scripting
I have below directories. All directories create as per some some logging software by today so all directories current time is today date.
Direct 2013-08-12 23123
Direct 2013-08-13 24121
Direct 2013-08-14 34513
Direct 2013-08-31 15435
...........
Direct 2013-09-12 53145
Direct... (5 Replies)
Discussion started by: learnbash
5 Replies
LEARN ABOUT HPUX
getaccess
getaccess(1) General Commands Manual getaccess(1)
NAME
getaccess - list access rights to file(s)
SYNOPSIS
user] user] group[,group]...] file ...
file ...
DESCRIPTION
lists for the specified files the effective access rights of the caller (that is, for their effective user ID, effective group ID, and sup-
plementary groups list). By default, the command prints a symbolic representation of the user's access rights to the named file: or for
read/no read, or for write/no write, and or for execute/no execute (for directories, search/no search), followed by the file name.
Options
recognizes the following options and command-line arguments:
List access for the given user instead of the caller.
A user can be a known user name, a valid ID number, or @, representing the file's owner ID. If information about
more than one file is requested, the value of @ can differ for each.
This option sets the user ID only. The access check is made with the caller's effective group ID and supplementary
group IDs unless is also specified.
List access for the given group(s) instead of the caller's effective group
ID and supplementary groups list. A group can be a known group name, a valid ID number, or @, representing the
file's group ID. If information about more than one file is requested, the value of @ can differ for each.
List access using the caller's real user
ID, group ID, and supplementary groups list, instead of effective ID values.
List access rights numerically
(octal digits instead of for each file requested. The bit values and are defined in the file
Checking access using access control lists is described in acl(5) and aclv(5).
In addition, the write bit is cleared for files on read-only file systems or shared-text programs being executed. The execute bit is not
turned off for shared-text programs open for writing because it is not possible to ascertain whether a file open for writing is a shared-
text program.
Processes with appropriate privileges have read and write access to all files. However, write access is denied for files on read-only file
systems or shared-text programs being executed. Execute access is allowed if and only if the file is not a regular file or the execute bit
is set in any of the file's ACL entries.
To use successfully, the caller must have search access in every directory component of the path name of the file. verifies search access
first by using the caller's effective IDs, regardless of the user and group IDs specified. This is distinct from the case in which the
caller can search the path but the user for whom access is being checked does not have access to the file.
Note: a file name argument of has no special meaning (such as standard input) to
EXTERNAL INFLUENCES
Environment Variables
determines the language in which messages are displayed.
If is not specified or is set to the empty string, a default of "C" (see lang(5)) is used instead of If any internationalization variable
contains an invalid setting, behaves as if all internationalization variables are set to "C". See environ(5).
RETURN VALUE
returns one of the following values:
0 Successful completion.
1 was invoked incorrectly or encountered an unknown user or group name. An appropriate message is printed to standard error.
2 A file is nonexistent or unreachable (by the caller). prints an appropriate message to standard error, continues, then returns
a value of 2 upon completion.
EXAMPLES
The following command prints the caller's access rights to file1 using the file's group ID instead of the caller's effective group ID and
groups list.
Here's how to check access by user in groups and to all files in the current directory, with access rights expressed as octal values.
Here's how to list access rights for all files under
AUTHOR
was developed by HP.
FILES
SEE ALSO
chacl(1), getacl(1), lsacl(1), setacl(1), getaccess(2), glossary(9).
getaccess(1)