* Matthias Hentges (eebe@gmx.net) [030420 00:20]:
> On Sun, 2003-04-20 at 05:17, Francisco Castellon wrote:
> > Hello list:
> >
> > I have been reading the documentation on chmod on the manual pages and
> > from a few other sources, however I still have a couple of questions.
> >
> > Alright, first this is what I want to do: I have a directory that
> > belongs to ROOT and I want to make it readable, writable and
> > executable to another user, however I don’t want to lose the
> > permissions that root already has in that directory.
> >
> > To illustrate, assume that I have a directory called DATA that is
> > owned by root, and I have a user called “admin” to whom I want to give
> > full access to DATA. However, I DO NOT want to give “admin” any
> > other root-like permissions outside of that folder, so that is why I
> > don’t want to add the “admin” user to the same group that root belongs
> > to (is it called “staff” or “root”?). So I really don’t want to open
> > the DATA directory public to ALL users, just to the “admin” user. So
> > essentially what I want to do is for the owner of the directory to
> > give read, write and execute permissions to another user (or group for
> > that matter) for that directory.
>
> Add your user "admin" to the group "adm" (man usermod) and set the
> permissions on /DATA as follows:
>
> root@mhcln02:/ >chgrp adm DATA       #set group to adm for /DATA
> root@mhcln02:/ >chmod g+rwx DATA     #give rwx permissions to adm
> root@mhcln02:/ >ll|grep DATA
> drwxrwxr-x 2 root adm 48 Apr 20 08:51 DATA
>
> Now all users in group "adm" can read and write in /DATA. Beware that
> "admin" can delete all files owned by root in /DATA but not modify them.

Also beware that "admin" can now read all of your system logs, since that's
what the adm group gets you on a Debian system. If you only want to grant
access to this one particular directory, use a group just for this.

If you have the typical one-group-per-user setup, you can chgrp admin the
directory. If not, create a special group, add admin to that group, and
chgrp the directory to that group as well.

> > Second: say I have a user called TEST1 in the group called TEST1 (as
> > it is often the case in Unix when you create a user that it creates a
> > group with the same name as the user). If user TEST1 is the owner of
> > the folder called DIR1, what is the difference of the outcome between
> > running:
> >
> > chmod 740 DIR1
> >
> > and
> >
> > chmod 470 DIR1
> >
> > I realize that one gives full access to the group and read only access
> > to the user and the other command does the opposite, but in a case
> > that TEST1 is the only user in TEST1 then does it make a difference
> > above what I do?

Yes. Permissions are checked in order: user, group, other. A file that is
mode 470 means that the owner of the file only has read permission, whereas
other members of the group (who are not the owner) also have write and
execute permission. If the set "other members of the group (who are not the
owner)" is null, so be it. Since the 'user' permission is checked first,
that's the only set of permissions that applies to the owner, even if they
would have matched the group as well.

It's kind of like this pseudocode:

    if (user.uid == file.uid):
        return perms.user
    else if (user.groups.contains(file.gid)):
        return perms.group
    else:
        return perms.other

but NOT like this pseudocode (which it seems like you were imagining):

    val = perms.other
    if (user.uid == file.uid):
        val += perms.user
    if (user.groups.contains(file.gid)):
        val += perms.group
    return val

good times,
Vineet

-- 
http://www.doorstop.net/
-- 
http://www.eff.org/
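The two points the thread makes, the dedicated-group setup for /DATA and the first-match-wins rule that makes `chmod 740` and `chmod 470` behave differently for the owner, as an added Python model. This is not code from the thread or from any of its participants; the group name `data`, the users `admin`/`bob`, and the directory modes are constructed for the example, and the model deliberately leaves out root's CAP_DAC_OVERRIDE bypass so that root is treated like any other owner.

```python
# Added example: a small model of the POSIX mode-bit check (first matching
# class wins: owner, then group, then other). Not code from the thread.
# Users, group names and modes below are constructed for the demonstration.
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class File:
    uid: str    # owning user
    gid: str    # owning group
    mode: int   # the three permission digits, e.g. 0o740


@dataclass(frozen=True)
class User:
    uid: str
    groups: frozenset   # every group the user belongs to


def effective_bits(user: User, f: File) -> int:
    """The real rule: exactly one class applies, chosen in the order
    owner, group, other. This matches the first pseudocode in the thread."""
    if user.uid == f.uid:
        return (f.mode >> 6) & 7
    if f.gid in user.groups:
        return (f.mode >> 3) & 7
    return f.mode & 7


def additive_bits(user: User, f: File) -> int:
    """The wrong model the question assumed (every matching class adds its
    bits). Included only to show how its answer differs for mode 470."""
    val = f.mode & 7
    if user.uid == f.uid:
        val |= (f.mode >> 6) & 7
    if f.gid in user.groups:
        val |= (f.mode >> 3) & 7
    return val


def rwx(bits: int) -> str:
    """Render a permission triplet the way ls does, e.g. 7 -> 'rwx'."""
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


# Scenario 1: /DATA owned by root, group set to a dedicated group "data"
# (constructed name) with mode 770, i.e. the "group just for this" the reply
# recommends, with the "other" bits cleared so the directory is not public.
root = User("root", frozenset({"root"}))
admin = User("admin", frozenset({"admin", "data"}))   # added to "data" only
bob = User("bob", frozenset({"bob"}))                 # not in "data"
data_dir = File(uid="root", gid="data", mode=0o770)

# Scenario 2: DIR1 owned by TEST1:TEST1, TEST1 being the sole group member.
test1 = User("TEST1", frozenset({"TEST1"}))
dir1_740 = File(uid="TEST1", gid="TEST1", mode=0o740)
dir1_470 = File(uid="TEST1", gid="TEST1", mode=0o470)

if __name__ == "__main__":
    for who, f in ((root, data_dir), (admin, data_dir), (bob, data_dir)):
        print(f"{who.uid:>5} on DATA (770 root:data): {rwx(effective_bits(who, f))}")
    for f in (dir1_740, dir1_470):
        print(f"TEST1 on DIR1 mode {f.mode:o}: real={rwx(effective_bits(test1, f))} "
              f"additive={rwx(additive_bits(test1, f))}")
```

Running it shows `admin` getting `rwx` on DATA through the `data` group while `bob` gets `---`, and TEST1 getting `rwx` under 740 but only `r--` under 470; the additive model would wrongly report `rwx` for 470 as well. Note that the reply's own `chmod g+rwx` on a directory that was 755 leaves the "other" bits at `r-x`, as its `ls` line shows, so clearing those bits is a separate step if the directory must stay private to the group.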