Solaris: Directory Permissions for 2 users on 1 directory
Post 302598932 by admin_xor on Wednesday 15th of February 2012 06:39:41 PM
Making the user uftp1 a member of dba, or oraprod a member of ftp, may lead to a security hole, as either way will open the door for the uftp1 or the oraprod user to have access to the resources of which ftp or dba is the owner.

Creating a separate group for uftp1 and oraprod is a better approach.

But the best approach in terms of security in this scenario would be to make use of an ACL and the SGID bit. I will explain the approach here:

1. Suppose /u01 is the directory in question. Make oraprod and dba the owners of the directory:
Code:
chown oraprod:dba /u01

2. Give 770 permissions on /u01:
Code:
chmod 770 /u01

3. Turn on the SGID bit on /u01 so that, when the uftp1 user creates any file in the directory, the group owner of the directory (dba) will be the group owner of the newly created file by default rather than ftp. This will help the oraprod user have permission on the file, as it's a member of the group.
Code:
chmod g+s /u01

4. Now you have to set an ACL for the user uftp1 on /u01. The syntax varies depending on whether it's a ZFS or UFS filesystem.

For ZFS:
Code:
chmod A+user:uftp1:add_file/write_data/read_data/execute:allow /u01
ls -ldv /u01 ## to verify the ACL

For UFS:
Code:
setfacl -m u:uftp1:rwx /u01
getfacl /u01 ## to verify the ACL

That's it, and you are all set up.
FTPCHROOT(5)                  BSD File Formats Manual                  FTPCHROOT(5)

NAME
     ftpchroot -- list users and groups subject to FTP access restrictions

DESCRIPTION
     The file ftpchroot is read by ftpd(8) at the beginning of an FTP session, after having authenticated the user. Each line in ftpchroot corresponds to a user or group. If a line in ftpchroot matches the current user or a group he is a member of, access restrictions will be applied to this session by changing its root directory with chroot(2) to that specified on the line or to the user's login directory. The order of records in ftpchroot is important because the first match will be used.

     Fields on each line are separated by tabs or spaces.

     The first field specifies a user or group name. If it is prefixed by an ``at'' sign, '@', it specifies a group name; the line will match each user who is a member of this group. As a special case, a single '@' in this field will match any user. A username is specified otherwise.

     The optional second field describes the directory for the user or each member of the group to be locked up in using chroot(2). Be it omitted, the user's login directory will be used. If it is not an absolute pathname, then it will be relative to the user's login directory. If it contains the /./ separator, ftpd(8) will treat its left-hand side as the name of the directory to do chroot(2) to, and its right-hand side to change the current directory to afterwards.

FILES
     /etc/ftpchroot

EXAMPLES
     These lines in ftpchroot will lock up the user ``webuser'' and each member of the group ``hostee'' in their respective login directories:

           webuser
           @hostee

     And this line will tell ftpd(8) to lock up the user ``joe'' in /var/spool/ftp and then to change the current directory to /joe, which is relative to the session's new root:

           joe     /var/spool/ftp/./joe

     And finally the following line will lock up every user connecting through FTP in his respective ~/public_html, thus lowering possible impact on the system from intrinsic insecurity of FTP:

           @       public_html

SEE ALSO
     chroot(2), group(5), passwd(5), ftpd(8)

BSD                              January 26, 2003                              BSD
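A resolver for the ftpchroot format described above, added here as an example and not code from ftpd(8) or the man page: given a user, login directory and group list, it applies the first-match rule, the "@group" and bare "@" forms, the optional second field, relative paths and the "/./" separator, and prints the chroot target and the directory ftpd(8) would change into. The sample lines and the users, groups and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the man page above: work out what ftpd(8) would do for
# a given user from ftpchroot lines, following the rules described there (first
# match wins, "@group", a bare "@", optional second field, relative paths and
# the "/./" separator). The sample lines below are constructed here.

SAMPLE_FTPCHROOT='webuser
@hostee
joe     /var/spool/ftp/./joe
@       public_html'

# Usage: ftpchroot_resolve USER LOGINDIR [GROUP...]  < ftpchroot
# Prints "CHROOT CWD" for the first matching line and returns 0, or returns 1
# (printing nothing) when no line matches, i.e. no restriction applies.
ftpchroot_resolve() {
    user=$1; home=$2; shift 2
    groups=" $* "
    while read -r name dir _; do
        case "$name" in
            '')   continue ;;                           # skip blank lines
            '@')  ;;                                    # bare @: any user
            '@'*) case "$groups" in                     # @group: member?
                      *" ${name#@} "*) ;;
                      *) continue ;;
                  esac ;;
            *)    [ "$name" = "$user" ] || continue ;;  # plain username
        esac
        # Second field omitted: lock the user into the login directory.
        [ -n "$dir" ] || dir=$home
        # A relative pathname is taken relative to the login directory.
        case "$dir" in /*) ;; *) dir="$home/$dir" ;; esac
        # Left of "/./" is the chroot target, right of it the directory to
        # change into afterwards (relative to the new root).
        case "$dir" in
            */./*) echo "${dir%%/./*} /${dir#*/./}" ;;
            *)     echo "$dir /" ;;
        esac
        return 0
    done
    return 1
}

# Convenience wrapper over the constructed sample: resolve_sample USER HOME [GROUP...]
resolve_sample() {
    printf '%s\n' "$SAMPLE_FTPCHROOT" | ftpchroot_resolve "$@"
}
# resolve_sample joe /home/joe users   -> /var/spool/ftp /joe
# resolve_sample joe /home/joe hostee  -> /home/joe /   (the @hostee line comes first)
```

The second comment at the end shows why the man page stresses record order: a user who is also in a group listed earlier is confined by the group line, not by the later line carrying his own name.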
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.