On Saturday 26 May 2007 00:57, Greg Freemyer wrote:
> FYI:
> I took the Redhat admins bootcamp a few years ago and they document a
> process similar to what the OP described, but it depends on a umask of
> 022, whereas opensuse is defaulting to 002, so this really is an opensuse
> issue, not totally a generic linux issue.
>
> Joachim has posted what appears to be a good starting point of a wiki
> entry that does not require a dangerous universal umask change.
>
> Do people agree that using ACLs is the best approach?
Hello Greg,

After experimenting with ACL, I think we can create a similar result to the RedHat case regarding shared directories.

So, here's the scenario:
3 groups: sales, finance, management
- sales and finance can ONLY access their designated directories
- management has FULL access to the sales and finance directories
- Users in the same group can modify each other's files, but ONLY the owner can delete files.

So, in order to achieve that, we need to set:
- Each file and directory created by the user should be owned by his group
- Each file and directory created by the user should be modifiable by peers in his group

Here are the steps (as root):

1. creating groups:
   groupadd sales
   groupadd finance

2. creating users:
   useradd -g sales sales1
   useradd -g sales sales2
   useradd -g finance finance1
   useradd -g finance finance2

3. creating directories:
   mkdir -p /sharedir/{sales,finance}

4. setting ownership and permission on directories:
   chown .sales /sharedir/sales
   chown .finance /sharedir/finance
   chmod 3770 /sharedir/{sales,finance}
   (The 3770 gives the sticky bit so that only the owner can delete, and sgid so that group ownership is inherited from the parent dir)

5. Setting ACL:
   setfacl -d -m group:sales:rw /sharedir/sales
   setfacl -d -m group:finance:rw /sharedir/finance

6. Testing:
   - Switch to each user by su -, and then try to enter the sales and finance dirs. Should be successful only on the dir with the same group.
   - Switch to each user by su -, and then try to create a file in the designated dir, then switch to the other user in the same group and try to modify the file; should be successful.
   - Still as the above user, try to delete the other's file; should fail.

Well, I guess that's it. From a RedHat admin's point of view, this procedure seems to be a bit 'unnecessary'. But, on second thought, I think this shows that Suse has been utilizing many recent features of Linux. Bravo Suse!
CMIIW,
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
8:11am up 1:49, 2.6.18.2-34-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
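Worked example (added here; this is not Fajar's script nor anything from the openSUSE wiki): a small POSIX shell script that carries out steps 3 to 5 of the post for one shared directory and then checks the resulting mode bits with stat. It assumes the group already exists and that the caller is allowed to chgrp the directory to it (root, or a member of that group); the usage line at the bottom uses the caller's own primary group and a scratch directory so it can be tried without root. Group name, directory path and the function names are placeholders of this example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# setup_shared_dir DIR GROUP: create DIR as a group-shared directory in the
# way the post describes (setgid + sticky, group rwx, nothing for others,
# plus a default ACL so new files are group-writable whatever the umask).
setup_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    # Step 4 of the post: group ownership, then mode 3770.
    chgrp "$group" "$dir" || return 1
    # 3770 = setgid (2000: new entries inherit DIR's group)
    #      + sticky (1000: only a file's owner, DIR's owner or root may delete it)
    #      + 770    (owner and group rwx, others nothing)
    chmod 3770 "$dir" || return 1
    # Step 5 of the post: a default ACL on the directory. rwx rather than the
    # post's rw so that subdirectories created inside stay traversable by the
    # group. Skipped (with a warning) where the acl tools are not installed
    # or the filesystem does not support ACLs.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m "group:$group:rwx" "$dir" 2>/dev/null \
            || echo "warning: could not set a default ACL on $dir" >&2
    else
        echo "warning: setfacl not installed, default ACL not set on $dir" >&2
    fi
}

# check_shared_dir_mode DIR: print DIR's octal mode (GNU stat) and succeed
# only if it is exactly 3770, i.e. setgid and sticky are both present and
# "other" has no access. A verification step to run after setup and again
# periodically, since anyone able to chmod the directory can drop the bits.
check_shared_dir_mode() {
    mode=$(stat -c %a "$1") || return 1
    echo "$mode"
    [ "$mode" = "3770" ]
}

# Usage (as a normal user, in a scratch location):
#   scratch=$(mktemp -d)
#   setup_shared_dir "$scratch/sales" "$(id -gn)"
#   check_shared_dir_mode "$scratch/sales"   # prints 3770 and exits 0
# For the post's real layout, run as root with the real group names:
#   setup_shared_dir /sharedir/sales sales
#   setup_shared_dir /sharedir/finance finance
```

Two things the stat check does not cover and that are worth verifying by hand as in step 6 of the post: that a file created by one group member is writable by another (getfacl on the new file should show an effective rw entry for the group), and that the sticky bit really stops deletion across owners, which needs two distinct accounts to observe.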