|
|
Sponsored Content
Operating Systems
Linux
Red Hat
Changing system-wide for umask
Post 302854289 by leo_ultra_leo on Tuesday 17th of September 2013 05:05:44 AM
09-17-2013
Quote:
I would never want to be a user on a system you administer. Why in the world would you want to allow every user on the system to write into my personal files? Maybe it is nice that no one but me will be able to read my files; but granting everyone write access to my files is just plain wrong!
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
I have created symbolic links to several frequently used commands, for example:
"lt" is a link to "ls -ltrgo|tail". What can I do to make these links available system-wide, or at least in the directories my coworkers are in most of the time? I have copied the link to several directories, and... (6 Replies)
Discussion started by: jpprial
6 Replies
2. UNIX for Advanced & Expert Users
Does anyone know how to make system wide changes to the CDE's front panel icons? I dont know if it matters but im running Solaris 9.
THanks (1 Reply)
Discussion started by: meyersp
1 Replies
3. UNIX for Dummies Questions & Answers
Hi, I have a task to search for a file called 'Xstartup' in the whole system because there might be different versions of it which overrite eachother.
Can anyone suggest a smart command to run this search ? The machine needs to scan every single folder beginning from root.
Please help, I am... (5 Replies)
Discussion started by: DGoubine
5 Replies
4. Shell Programming and Scripting
Hello,
I am new to shell scripting and I was trying to write a script that would force a system wide password change except for admins. I am having some trouble and any help that someone could give me would be greatly appreciated. I am trying to do it by using the UID as the marker for anyone... (6 Replies)
Discussion started by: kilemark
6 Replies
5. HP-UX
Hi all,
Is there any system wide limit on number of user threads. I only find nkthread as a tunable parameter,apart from the `per process limit`. (1 Reply)
Discussion started by: Krsh
1 Replies
6. Linux
Hi,
I need to look for a config file (ldap.conf) and pick the latest modified file.
`locate` tells me there are many ldap.conf's, some in /etc, /usr, /home, etc.
Is there some way I can sort them by last modified time via bash?
I was thinking maybe I could pipe the output of `locate` to `ls... (4 Replies)
Discussion started by: Housni
4 Replies
7. UNIX for Advanced & Expert Users
Dear Fellows;
As being new to linux, i have tried to synamically load a custom library which overrides some system calls like conncet(), socket() etc.... for custom purposes.
It works well, if declaring the environment path LD_PRELOAD and execution of the application to be override... (0 Replies)
Discussion started by: mzeeshan
0 Replies
8. UNIX for Dummies Questions & Answers
We need to have many of our users all send encrypted files to a single FTP server. The problem, if I understand how encryption/decryption works (which I don't), is that each user would normally have their own private and public key. The other end needs to be able to decrypt the file(s) using a... (6 Replies)
Discussion started by: Totengraber
6 Replies
9. Shell Programming and Scripting
When looking for wherever a program or a filename appears in the system, a short scrip is "findinner" which another script calls with a long parameter list consisting of path names ending with ".sh" or ".menu". "findinner" looks like this:
# If not .savenn file, show name and result of grep.
#... (4 Replies)
Discussion started by: wbport
4 Replies
10. Programming
I have downloaded and installed a library called htslib for specific bioinformatic use but not for the system (I'm using Ubuntu 18.04). Only parts of the library is needed for my exercise to parse data in a type called VCF format (basically tab-delimited file but contains many information in... (14 Replies)
Discussion started by: yifangt
14 Replies
LEARN ABOUT DEBIAN
fs_setacl
FS_SETACL(1) AFS Command Reference FS_SETACL(1) NAME
fs_setacl - Sets the ACL for a directory SYNOPSIS
fs setacl -dir <directory>+ -acl <access list entries>+ [-clear] [-negative] [-id] [-if] [-help] fs sa -d <directory>+ -a <access list entries>+ [-c] [-n] [-id] [-if] [-h] fs seta -d <directory>+ -a <access list entries>+ [-c] [-n] [-id] [-if] [-h] DESCRIPTION
The fs setacl command adds the access control list (ACL) entries specified with the -acl argument to the ACL of each directory named by the -dir argument. If the -dir argument designates a pathname in DFS filespace (accessed via the AFS/DFS Migration Toolkit Protocol Translator), it can be a file as well as a directory. The ACL must already include an entry for "mask_obj", however. Only user and group entries are acceptable values for the -acl argument. Do not place machine entries (IP addresses) directly on an ACL; instead, make the machine entry a group member and place the group on the ACL. To completely erase the existing ACL before adding the new entries, provide the -clear flag. To add the specified entries to the "Negative rights" section of the ACL (deny rights to specified users or groups), provide the -negative flag. To display an ACL, use the fs listacl command. To copy an ACL from one directory to another, use the fs copyacl command. CAUTIONS
If the ACL already grants certain permissions to a user or group, the permissions specified with the fs setacl command replace the existing permissions, rather than being added to them. Setting negative permissions is generally unnecessary and not recommended. Simply omitting a user or group from the "Normal rights" section of the ACL is normally adequate to prevent access. In particular, note that it is futile to deny permissions that are granted to members of the system:anyuser group on the same ACL; the user needs only to issue the unlog command to receive the denied permissions. When including the -clear option, be sure to reinstate an entry for each directory's owner that includes at least the "l" (lookup) permission. Without that permission, it is impossible to resolve the "dot" (".") and "dot dot" ("..") shorthand from within the directory. (The directory's owner does implicitly have the "a" (administer) permission even on a cleared ACL, but must know to use it to add other permissions.) OPTIONS
-dir <directory>+ Names each AFS directory, or DFS directory or file, for which the set the ACL. Partial pathnames are interpreted relative to the current working directory. Specify the read/write path to each directory (or DFS file), to avoid the failure that results from attempting to change a read-only volume. By convention, the read/write path is indicated by placing a period before the cell name at the pathname's second level (for example, /afs/.abc.com). For further discussion of the concept of read/write and read-only paths through the filespace, see the fs mkmount reference page. -acl <access list entries>+ Defines a list of one or more ACL entries, each a pair that names: o A user name or group name as listed in the Protection Database. o One or more ACL permissions, indicated either by combining the individual letters or by one of the four acceptable shorthand words. in that order, separated by a space (thus every instance of this argument has two parts). The accepted AFS abbreviations and shorthand words, and the meaning of each, are as follows: a (administer) Change the entries on the ACL. d (delete) Remove files and subdirectories from the directory or move them to other directories. i (insert) Add files or subdirectories to the directory by copying, moving or creating. k (lock) Set read locks or write locks on the files in the directory. l (lookup) List the files and subdirectories in the directory, stat the directory itself, and issue the fs listacl command to examine the directory's ACL. r (read) Read the contents of files in the directory; issue the "ls -l" command to stat the elements in the directory. w (write) Modify the contents of files in the directory, and issue the UNIX chmod command to change their mode bits. A, B, C, D, E, F, G, H Have no default meaning to the AFS server processes, but are made available for applications to use in controlling access to the directory's contents in additional ways. The letters must be uppercase. all Equals all seven permissions ("rlidwka"). none No permissions. Removes the user/group from the ACL, but does not guarantee they have no permissions if they belong to groups that remain on the ACL. read Equals the "r" (read) and "l" (lookup) permissions. write Equals all permissions except "a" (administer), that is, "rlidwk". It is acceptable to mix entries that combine the individual letters with entries that use the shorthand words, but not use both types of notation within an individual pairing of user or group and permissions. Granting the "l" (lookup) and "i" (insert) permissions without granting the "w" (write) and/or "r" (read) permissions is a special case, and grants rights approrpriate for "dropbox" directories. See the DROPBOXES section for details. If setting ACLs on a pathname in DFS filespace, see the DFS documentation for the proper format and acceptable values for DFS ACL entries. -clear Removes all existing entries on each ACL before adding the entries specified with the -acl argument. -negative Places the specified ACL entries in the "Negative rights" section of each ACL, explicitly denying the rights to the user or group, even if entries on the accompanying "Normal rights" section of the ACL grant them permissions. This argument is not supported for DFS files or directories, because DFS does not implement negative ACL permissions. -id Places the ACL entries on the Initial Container ACL of each DFS directory, which are the only file system objects for which this flag is supported. -if Places the ACL entries on the Initial Object ACL of each DFS directory, which are the only file system objects for which this flag is supported. -help Prints the online help for this command. All other valid options are ignored. DROPBOXES
If an accessing user has the "l" (read) and "i" (insert) permissions on a directory, but not the "w" (write) and/or "r" (read) permissions, the user is implicitly granted the ability to write and/or read any file they create in that directory, until they close the file. This is to allow "dropbox"-style directories to exist, where users can deposit files, but cannot modify them later nor can they modify or read any files deposited in the directory by other users. Note, however, that the dropbox functionality is not perfect. The fileserver does not have knowledge of when a file is opened or closed on the client, and so the fileserver always allows an accessing user to read or write to a file in a "dropbox" directory if they own the file. While the client prevents the user from reading or modifying their deposited file later, this is not enforced on the fileserver, and so should not be relied on for security. Additionally, if "dropbox" permissions are granted to "system:anyuser", unauthenticated users may deposit files in the directory. If an unauthenticated user deposits a file in the directory, the new file will be owned by the unauthenticated user ID, and is thus potentially modifiable by anyone. In an effort to try and reduce accidentally publicizing private data, the fileserver may refuse read requests for "dropbox" files from unauthenticated users. As a result, depositing files as an unauthenticated user may arbitrarily fail if "system:anyuser" has been granted dropbox permissions. While this should be rare, it is not completely preventable, and so for this reason relying on unauthenticated users to be able to deposit files in a dropbox is NOT RECOMMENDED. EXAMPLES
The following example adds two entries to the "Normal rights" section of the current working directory's ACL: the first entry grants "r" (read) and "l" (lookup) permissions to the group pat:friends, while the other (using the "write" shorthand) gives all permissions except "a" (administer) to the user "smith". % fs setacl -dir . -acl pat:friends rl smith write % fs listacl -path . Access list for . is Normal rights: pat:friends rl smith rlidwk The following example includes the -clear flag, which removes the existing permissions (as displayed with the fs listacl command) from the current working directory's reports subdirectory and replaces them with a new set. % fs listacl -dir reports Access list for reports is Normal rights: system:authuser rl pat:friends rlid smith rlidwk pat rlidwka Negative rights: terry rl % fs setacl -clear -dir reports -acl pat all smith write system:anyuser rl % fs listacl -dir reports Access list for reports is Normal rights: system:anyuser rl smith rlidwk pat rlidwka The following example use the -dir and -acl switches because it sets the ACL for more than one directory (both the current working directory and its public subdirectory). % fs setacl -dir . public -acl pat:friends rli % fs listacl -path . public Access list for . is Normal rights: pat rlidwka pat:friends rli Access list for public is Normal rights: pat rlidwka pat:friends rli PRIVILEGE REQUIRED
The issuer must have the "a" (administer) permission on the directory's ACL, a member of the system:administrators group, or, as a special case, must be the UID owner of the top-level directory of the volume containing this directory. The last provision allows the UID owner of a volume to repair accidental ACL errors without requiring intervention by a member of system:administrators. Earlier versions of OpenAFS also extended implicit administer permission to the owner of any directory. In current versions of OpenAFS, only the owner of the top-level directory of the volume has this special permission. SEE ALSO
fs_copyacl(1), fs_listacl(1), fs_mkmount(1) COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved. This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell. OpenAFS 2012-03-26 FS_SETACL(1)