On Saturday 26 May 2007 00:57, Greg Freemyer wrote:
> FYI:
> I took the Redhat admins bootcamp a few years ago and they document a
> process similar to what the OP described, but it depends on a umask of
> 022, whereas openSUSE is defaulting to 002, so this really is an openSUSE
> issue, not totally a generic Linux issue.
>
> Joachim has posted what appears to be a good starting point of a wiki
> entry that does not require a dangerous universal umask change.
>
> Do people agree that using ACLs is the best approach?

Hello Greg,
After experimenting with ACLs, I think we can create a similar result to the 
RedHat case regarding shared directories.

So, here's the scenario:
3 groups: sales, finance, management
sales and finance can ONLY access their designated directories
management has FULL access to sales and finance directories
Users in the same group can modify each other's files, but ONLY the owner can 
delete files.

So, in order to achieve that, we need to set things up so that:
Each file and directory created by the user should be owned by his group
Each file and directory created by the user should be modifiable by peers in 
his group

Here are the steps (as root):
1. creating groups:
groupadd sales
groupadd finance

2. creating users:
useradd -g sales sales1
useradd -g sales sales2
useradd -g finance finance1
useradd -g finance finance2

3. creating directories:
mkdir -p /sharedir/{sales,finance}

4. setting ownership and permission on directories:
chown .sales /sharedir/sales
chown .finance /sharedir/finance
chmod 3770 /sharedir/{sales,finance}

(The 3770 gives the sticky bit so that only the owner can delete, and sgid so 
that group ownership is inherited from the parent dir)

5. Setting ACL:
setfacl -d -m group:sales:rw /sharedir/sales
setfacl -d -m group:finance:rw /sharedir/finance

6. Testing:
- Switch to each user with su -, and then try to enter the sales and finance 
dirs. Should be successful only on the dir with the same group.
- Switch to each user with su -, and then try to create a file in the 
designated dir, then switch to another user in the same group and try to modify 
the file; should be successful.
- Still as the above user, try to delete the other's file; should fail.

Well, I guess that's it. From a RedHat admin's point of view, this procedure 
seems a bit 'unnecessary'. But, on second thought, I think this shows that Suse 
has been utilizing many recent features of Linux.

Bravo Suse!

CMIIW,
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
8:11am up 1:49, 2.6.18.2-34-default GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
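An added example (not part of the mail above) that models how a new file's ACL is derived from the parent directory's default ACL, per acl(5), to show why step 5 removes the dependence on the umask that Greg raised, and how the sticky bit from step 4 restricts deletion. The `SALES_DEFAULT_ACL` value and the `can_unlink_in_sticky_dir` helper are constructed for illustration.

```python
# Added example, not from the original mail: a small model of how a new
# file's ACL is derived from its parent's default ACL (acl(5), "object
# creation and default ACLs"), to show why step 5 makes the shared dir
# independent of the user's umask. Permissions are 3-char strings ("rw-").

def _and(a, b):
    """Intersect two rwx permission strings."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def _mode_bits(mode, shift):
    """Extract owner (6), group (3) or other (0) bits of a mode as 'rwx' text."""
    bits = (mode >> shift) & 7
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

def acl_for_new_object(default_acl, mode):
    """ACL of an object created with open()/mkdir() mode `mode` inside a
    directory carrying `default_acl`. The umask is NOT applied when a default
    ACL exists; only the entries that map to mode bits (user::, mask:: or
    group::, other::) are narrowed to the requested mode."""
    acl = dict(default_acl)
    acl["user"] = _and(acl["user"], _mode_bits(mode, 6))
    acl["other"] = _and(acl["other"], _mode_bits(mode, 0))
    if "mask" in acl:
        acl["mask"] = _and(acl["mask"], _mode_bits(mode, 3))  # group:: copied as-is
    else:
        acl["group"] = _and(acl["group"], _mode_bits(mode, 3))
    return acl

def effective_group_perms(acl):
    """What the owning group (sales, inherited via setgid) can actually do."""
    return _and(acl["group"], acl["mask"]) if "mask" in acl else acl["group"]

def group_perms_without_acl(mode, umask):
    """The classic path Greg described: no default ACL, so the umask decides."""
    return _mode_bits(mode & ~umask, 3)

def can_unlink_in_sticky_dir(uid, file_owner_uid, dir_owner_uid, sticky):
    """Deletion rule from the '1' in chmod 3770 (constructed helper): with the
    sticky bit set, only the file's owner, the directory's owner or root may
    unlink, assuming w+x on the directory, which the group already has here."""
    if uid == 0 or not sticky:
        return True
    return uid in (file_owner_uid, dir_owner_uid)

# Constructed: the default ACL that `setfacl -d -m group:sales:rw` leaves on a
# 3770 directory. setfacl copies user/group/other from the directory's mode
# and adds a mask entry next to the named-group entry.
SALES_DEFAULT_ACL = {"user": "rwx", "group": "rwx", "other": "---",
                     "named_groups": {"sales": "rw-"}, "mask": "rwx"}
```

With the default ACL, a file created via open(..., 0666) ends up group rw- whether the umask is 002 or 022; without it, umask 022 leaves the group read-only, which is exactly the RedHat-vs-openSUSE difference discussed.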