Linux

Linux Gurus,
I need to provide Read only access for particular group of users, they should have Read only access to entire server except their Home directory.
I tried using setfacl that's not helping. Can you please suggest is there any other alternate way to address this request.
Your help is highly appreciated, Thank you.

I would not allow users to have read only access to every file on the server. This would imply sweeping changes. Why not identify the collection of files they need access too and consider using the other/world field. Why didn't acl's work?

A note: there are other directories that require world write access - as an example, whatever directories the TMPDIR environment variable points to. You will break things by turning that access off for 'developers' without accomodating those kinds of requirements.

In other words - do not shoot yourself in the foot with this.

Ok: why is setfacl 'not helping'? Please explain exactly what the probelm is.

I would consider having sudo rule written to allow them to run a script that you control. That script could then look at whatever files you think are appropriate for them, but stop them having direct access or blanket access.

You don't want them reading just everything, such as the encrypted passwords, private ssh keys (might make ssh fail anyway), process maps, raw devices etc.


Robin

Thank you @blackrageous and @Jim for responding back.

@Jim, I came up with a solution for this.

They have their rwx to their home directory, I found /tmp is the only directory has universal rwx access, which I can setfacl for /tmp to Developers group. any ways they don't have write access to other files and directories other than /tmp for now.

Setfacl didn't help earlier because I thought I can run this command

Code:

setfacl -md g:gnoc:r /

this command clocking the user to login, Can we exclude his home directory at least?

Now I applied

Code:

$ setfacl -md g:gnoc:r /tmp
$ getfacl /tmp" 

user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:gnoc:r--
default:mask::rwx
default:other::rwx

$

Please suggest if this looks ok, if not I need to find out other alternate way here, Thanks

To keep the forums high quality for all users, please take the time to format your posts correctly.

First of all, use Code Tags when you post any code or data samples so others can easily read your code. You can easily do this by highlighting your code and then clicking on the # in the editing menu. (You can also type code tags [code] and [/code] by hand.)



Second, avoid adding color or different fonts and font size to your posts. Selective use of color to highlight a single word or phrase can be useful at times, but using color, in general, makes the forums harder to read, especially bright colors like red.

Third, be careful when you cut-and-paste, edit any odd characters and make sure all links are working property.

Thank You.

The UNIX and Linux Forums