Full Discussion: setting ACL's
Special Forums Cybersecurity setting ACL's Post 3926 by Neo on Friday 13th of July 2001 05:10:12 PM
Andy asks:

Quote:
Is it possible to have a user x create a file which will have the ownership and group rights of the directory it is created in?
Yes, one way to do it is to write a small script (command) that reads the current directory and gets the owner and group information of a file that is an argument to the script. The script may have to be set SUID with ownership root. This is not very secure, but you asked 'is it possible?' The more complex the security requirements, the more involved.

You might also do it any other number of ways, using ACL front ends, perl scripts, a simple C program, etc.

The easiest way to do it, if you are worried about security, is to have the administrator with root privs do it.

Or, you can find some complex ACL program; but based on what you have offered as your requirements, this still seems to be a lot of trouble for something quite basic.

If I had a system that had a user or user process creating files I would not want the scripts to have any ability to write or give ownership to the file to another user unless the user was in the same group. If the issue was with many files, I would look at creating a process to do this.

However, without understanding the purpose of the server, the nature of the processes, the relationship of users to the processes, the production environment and security implications and risk, it is not reasonable to give a simplistic answer.

Everything is possible in UNIX and there is no one way to do anything.
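As an added example (not code from the thread or from Neo), here is the "simple C program" variant done without SUID: it gives a file the group of the directory it lives in, but only when the caller already owns the file and is a member of that group, which is the restriction Neo describes and is exactly what an unprivileged chown(2) allows; the owner is never changed because that would need privilege. Function and file names are my own.

```c
/* Added example (not from the thread): non-SUID helper that gives a file the
 * group of the directory it sits in, only when the caller owns the file and is
 * a member of that group. Owner is passed as -1 (unchanged): needs privilege. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* 1 if gid is the caller's effective group or one of its supplementary groups. */
int caller_in_group(gid_t gid) {
    if (gid == getegid()) return 1;
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *gs = malloc(sizeof(gid_t) * (size_t)n);
    if (gs == NULL) return 0;
    n = getgroups(n, gs);
    int found = 0;
    for (int i = 0; i < n; i++) if (gs[i] == gid) { found = 1; break; }
    free(gs);
    return found;
}
/* Set the file's group to its parent directory's group.
 * Returns 0 on success, -1 on a syscall error or when a policy check fails. */
int inherit_dir_group(const char *path) {
    char *copy = strdup(path);          /* dirname() may modify its argument */
    if (copy == NULL) return -1;
    struct stat dst, fst;
    int rc = stat(dirname(copy), &dst);
    free(copy);
    if (rc != 0) return -1;
    /* O_NOFOLLOW: refuse symlinks so the group change lands on this file only. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    rc = -1;
    if (fstat(fd, &fst) == 0 && S_ISREG(fst.st_mode)
        && fst.st_uid == getuid()            /* caller must own the file */
        && caller_in_group(dst.st_gid))      /* and belong to the target group */
        rc = fchown(fd, (uid_t)-1, dst.st_gid);
    close(fd);
    return rc;
}
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    if (inherit_dir_group(argv[1]) != 0) { perror("inherit_dir_group"); return 1; }
    return 0;
}
```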
 

chown(2)                          System Calls Manual                          chown(2)

NAME
chown(), fchown(), lchown() - change owner and group of a file

SYNOPSIS

DESCRIPTION
The chown() system call changes the user and group ownership of a file. path points to the path name of a file. chown() sets the owner ID and group ID of the file to the numeric values contained in owner and group respectively. A value of -1 can be specified in owner or group to leave unchanged the file's owner ID or group ID, respectively. Note that owner and group should be less than UID_MAX (see limits(5)).

The group ownership of a file can be changed to any group in the current process's access list or to the real or effective group ID of the current process. If privilege groups are supported and the user has the CHOWN privilege, the file can be given to any group.

If the path given to chown() contains a symbolic link as the last element, this link is traversed and path name resolution continues. chown() changes the owner and group of the symbolic link's target, rather than the owner and group of the link.

The fchown() system call functions exactly like chown() except that it operates on a file descriptor instead of a path name. fildes is a file descriptor.

The lchown() system call sets the owner ID and group ID of the named file just as chown() does, except in the case where the named file is a symbolic link. In this case, lchown() changes the owner and group of the symbolic link file itself.

Access Control Lists - HFS File Systems Only
A user can allow or deny specific individuals and groups access to a file by using the file's access control list (see acl(5)). When using chown() in conjunction with HFS ACLs, if the new owner and/or group does not have an optional ACL entry corresponding to owner.% and/or %.group in the file's access control list, the file's access permission bits remain unchanged. However, if the new owner and/or group is already designated by an optional ACL entry of owner.% and/or %.group, chown() sets the file's permission bits (and the three basic ACL entries) to the permissions contained in that entry.

Access Control Lists - JFS File Systems Only
A user can allow or deny specific individuals and groups access to a file by using the file's access control list (see aclv(5)). When using chown() in conjunction with JFS ACLs, if the new owner and/or group of a file have optional ACL entries corresponding to them in the file's access control list, those entries remain in the ACL but no longer have any effect, being superseded by the file's base owner and/or group entries.

Security Restrictions
Only processes with an effective user ID equal to the file owner or a user with the appropriate privilege can change the ownership of a file. If privilege groups are supported, the owner of a file can change the ownership only as a member of a privilege group allowing CHOWN as set up by the setprivgrp command (see setprivgrp(1M)). All users get the CHOWN privilege by default.

When a process changes the ownership or group of a file, the file system may clear the set-user-ID and set-group-ID bits.

See privileges(5) for more information about privileged access on systems that support fine-grained privileges.

RETURN VALUE
chown() and fchown() return the following values:
 0   Successful completion.
-1   Failure. The owner and group of the file remain unchanged. errno is set to indicate the error.

ERRORS
If chown() or lchown() fails, errno is set to one of the following values:
[EACCES]        Search permission is denied on a component of the path prefix.
[EFAULT]        path points outside the allocated address space of the process. The reliable detection of this error is implementation dependent.
[ELOOP]         Too many symbolic links were encountered in translating path.
[ENAMETOOLONG]  A component of path exceeds NAME_MAX bytes while _POSIX_NO_TRUNC is in effect, or path exceeds PATH_MAX bytes.
[ENOENT]        The file named by path does not exist.
[ENOTDIR]       A component of the path prefix is not a directory.
[EINVAL]        Either owner or group is greater than or equal to UID_MAX or is an illegal negative value.
[EPERM]         The effective user ID is not a user with the appropriate privilege and one or more of the following conditions exist:
                o The effective user ID does not match the owner of the file.
                o When changing the owner of the file, the owner of the file is not a member of a privilege group allowing the CHOWN privilege.
                o When changing the group of the file, the owner of the file is not a member of a privilege group allowing the CHOWN privilege and the group number is not in the current process's access list.
[EROFS]         The named file resides on a read-only file system.

If fchown() fails, errno is set to one of the following values:
[EBADF]         fildes is not a valid file descriptor.
[EINVAL]        Either owner or group is greater than or equal to UID_MAX or is an illegal negative value.
[EPERM]         The effective user ID is not a user having the appropriate privilege and one or more of the following conditions exist:
                o The effective user ID does not match the owner of the file.
                o When changing the owner of the file, the owner of the file is not a member of a privilege group allowing the CHOWN privilege.
                o When changing the group of the file, the owner of the file is not a member of a privilege group allowing the CHOWN privilege and the group number is not in the current process's access list.
[EROFS]         The named file resides on a read-only file system.

AUTHOR
chown() was developed by AT&T. fchown() was developed by the University of California, Berkeley.

SEE ALSO
chown(1), setprivgrp(1M), chmod(2), setacl(2), acl(5), aclv(5), limits(5), privileges(5).

STANDARDS CONFORMANCE
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.