Special group & user privileges


 
# 1  
Old 10-28-2010

Special group and user privileges help

I'm having some trouble understanding the group and user privileges.

So let's say I make a group.. and assign some users to the groups that I made.
How would I --
1) Allow different groups and different users to have full privileges over a file with .X extension
ex. I want user John to be able to read write execute files that end in .dat
ex. I want group Moderators to be able to read write execute files that end in .sh

2) Ban or block certain file names no matter the extension from said user.
ex. I want to ban Harry from any file that has the word MySQL in it



I'm almost certain this has something to do with chmod, but I'm not sure how I can edit permissions to a specific user/group to a file extension or file name.

I know each number in chmod corresponds to OWNER, GROUP, WORLD
But how would I specify what group or person?

I hope you understand what help I'm asking, and I appreciate all your help as always!


Thank you!


EDIT: Now that I think about it.. I would need to use a regular expression to specify what file name or extension, right?
# 2  
Old 10-28-2010
See chown(1)
# 3  
Old 10-28-2010
This would change the owner of a file to everyone in a group, or specific user?
But how does this go with blocking a group or users access to a file name or file extension?
# 4  
Old 10-28-2010
1. This is easily accomplished using chmod, like agn suggested, but not if you want to do this with more than one group or user (to accomplish this see 2.)

2. This is not possible with the standard Unix group membership mechanism. It is possible with Access Control Lists if your OS supports them, but not in a general policy sense (although it is possible to enforce a default policy on a per directory basis). You would have to use a tool to visit files with such an extension and apply the ACL. You could use something like find or perhaps use a configuration management application.
An alternative to ACLs might be to use sudo to allow groups of users to become a functional user so that they may acquire certain rights that they ordinarily would not have. You can then deny those rights to other (groups of) users.
# 5  
Old 10-28-2010
Alright thank you Scrutinizer and agn.

I will list below the current script; however, I've encountered my last problem.

-I want to make the group BANNED, have no access to the files with .log extension
-I want to make the group WRITEABLE, have write access to the files with .log extension

How can I do that if a file can only be assigned to one group?
I've already assigned the group BANNED to the .log files already, so now I'm stuck with the WRITEABLE group and how I can also assign the group to .log files with BANNED group.

Here is my current script
Code:
#!/bin/bash
# Input of new users
echo "Please enter new username"
echo "User 1..."
read -r newUser1
echo "User 2..."
read -r newUser2
echo "User 3..."
read -r newUser3
echo "User 4..."
read -r newUser4
echo "User 5..."
read -r newUser5

# Input of new groups
echo "Please enter name of group one"
read -r group1
echo "Please enter name of group two"
read -r group2

# Creates 2 groups
sudo groupadd "$group1"
sudo groupadd "$group2"

# Creates first 3 users and adds them to group 1
echo "Assigning users: $newUser1, $newUser2, $newUser3, to group $group1"
sudo useradd -m -s /bin/bash -G "$group1" "$newUser1"
sudo useradd -m -s /bin/bash -G "$group1" "$newUser2"
sudo useradd -m -s /bin/bash -G "$group1" "$newUser3"

# Creates last 2 users and adds them to group 2
echo "Assigning users: $newUser4, $newUser5, to group $group2"
sudo useradd -m -s /bin/bash -G "$group2" "$newUser4"
sudo useradd -m -s /bin/bash -G "$group2" "$newUser5"

# Creates an extra two groups for BANNED and WRITE-able users
sudo groupadd banned
sudo groupadd writeable

# Applies group privileges
sudo chgrp "$group1" *.dat
sudo chmod 774 *.dat
sudo chgrp "$group2" config*
sudo chmod 774 config*
# -a appends to the supplementary groups; -G on its own replaces them,
# which would drop the membership in $group1/$group2 set above
sudo usermod -aG banned "$newUser2"
sudo usermod -aG banned "$newUser4"
# Mode 704: owner rwx, group (banned) nothing, everyone else read-only
sudo chgrp banned *.log
sudo chmod 704 *.log
sudo usermod -aG writeable "$newUser3"
sudo usermod -aG writeable "$newUser5"
#hm, how can I add the group writeable to *.log, when group banned is already assigned? And how can I give them special permissions?

# Applies user privileges (changing a file's owner needs root, hence sudo)
sudo chown "$newUser1" *.txt
sudo chmod 771 *.txt

---------- Post updated at 07:52 PM ---------- Previous update was at 07:18 PM ----------

Oh! One way this could be done is just chmod the .log files. Where X= whatever
Code:
 chmod xx2

However this would be for everyone else, not just the other users or users in WRITEABLE group.
# 6  
Old 10-29-2010
Technically you could deny access to a group using the standard user/group mechanism and give access to everybody else.
Code:
chown root file
chgrp banned file
chmod g=,o+w file

But you probably do not want to do this, since it is highly insecure.
But what do you need the group "banned" for? If, for example, you control access with a group "allowed" and disallow these rights to other, then everyone who is not a member is automatically banned.
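
Added example (not part of the thread or any poster's code): the ACL approach from post #4 applied to the BANNED/WRITEABLE question in post #5, using find to visit the .log files. It assumes the Linux POSIX ACL tools (setfacl) and the group names banned and writeable from the script above; the function names apply_log_acls and overlap_members are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes Linux POSIX ACL tools
# (setfacl) and the thread's group names "banned" and "writeable";
# the function names are hypothetical.

# Give every *.log file under directory $1 two named-group ACL entries:
#   g:<deny>:---   members of the denied group match this entry and get
#                  nothing, even if "other" keeps read access (mode 704)
#   g:<write>:rw-  members of the write group get read/write
#   m::rw-         the mask caps named entries; a later chmod of the group
#                  bits rewrites it, so apply ACLs after any chmod
# Prints the planned commands unless APPLY=1 is set in the environment.
apply_log_acls() {
    spec="g:${2:-banned}:---,g:${3:-writeable}:rw-,m::rw-"
    if [ "${APPLY:-0}" = 1 ]; then
        find "$1" -type f -name '*.log' -exec setfacl -m "$spec" -- {} +
    else
        find "$1" -type f -name '*.log' \
            -exec printf 'setfacl -m %s -- %s\n' "$spec" {} \;
    fi
}

# ACL group matching grants access if ANY matching group entry allows it,
# so an account in both groups still gets rw-. List such accounts from a
# group(5)-format file (default /etc/group) so they can be fixed first.
# Note: only supplementary members (field 4) are visible here.
overlap_members() {
    awk -F: -v a="$1" -v b="$2" '
        $1 == a { n = split($4, m, ","); for (i = 1; i <= n; i++) in_a[m[i]] = 1 }
        $1 == b { n = split($4, m, ","); for (i = 1; i <= n; i++) in_b[m[i]] = 1 }
        END { for (u in in_a) if ((u in in_b) && u != "") print u }
    ' "${3:-/etc/group}" | sort
}
```

Call `apply_log_acls <directory>` first to review the planned commands, check `overlap_members banned writeable`, then repeat the first call as root with `APPLY=1` set.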