Date: Wed, 18 Dec 1996 15:08:59 -0500 (EST)
From: Charles Owens <owensc@enc.edu>
To: questions list FreeBSD <questions-hackers@freebsd.org>
Subject: multi-group file access techniques
Message-ID: <Pine.FBS.3.93.961218110510.14101A-100000@dingo.its.enc.edu>
Resent-Message-ID: <Pine.FBS.3.93.961218212501.14642G@dingo.its.enc.edu>
Howdy,
I'm trying to grapple with the challenge of how to allow multiple groups
and users (but not everyone) to have access to a directory hierarchy. We
don't have ACLs in FreeBSD, so I'm finding it a bit tricky.
Below is an example of what I need to do. If you have any insights,
alternate approaches, please let me know!
My goal is to set up a flexible way of organizing permissions such that
collections of users can share files with security where needed. An
integral part of the picture is http access, so the user (or group) 'www'
also needs read access (unless I run Apache as root, which I don't think I
want to do). [Web access permissions (via .htaccess or access.conf) are a
separate issue -- let's just limit the discussion to file system access
issues].
First let's define what I mean by a "group hierarchy". Basically, it's a
collection of groups associated with a single entity, such as a
department, each with a different privilege level. An example:
Group Hierarchy 'Engineering'

    Group Name    Membership
    eng           anyone associated with department
    eng1          full time staff
    eng2          managers
    eng3          administrators
In implementing this, member users would belong to all groups within the
hierarchy down to the level appropriate for them (so a manager would
belong to groups eng, eng1, and eng2).
What would this look like in practice?
                                  Owner         Group   Mode
    /dept/eng                     root          eng     drwxrwx---
    |
    +- man_only                   eng2_member   eng2    drwxrwx---
    |  |
    |  (files)
    |
    +- man_readable_c             eng2_member   eng1    drwxr-x---
       |
       +- man_readable            eng2_member   eng2    drwxrwxr-x
          |
          (files)
Here managers (members of eng, eng1 and eng2 groups) can
have full access to everything. Staff (belonging to eng and
eng1) have RW access to /dept/eng, but just read to
/dept/eng/man_readable_c/man_readable.
.../man_readable_c is a "control directory," a technique that seems
obvious to me now but was new to me when I read of it in "Techniques for
Simulating Multiple Group Ownership," by Doug Morris, from the October
issue of SysAdmin magazine.
This seems reasonably workable, but there's no provision to allow the user
or group 'www' to have read access. Adding this access into the above
scheme seems possible, but a bit goofy. I've achieved it below simply by
making 'www' the owner of all "choke point" directories:
                                  Owner         Group   Mode
    /dept/eng_c                   www           eng     dr-xrwx---
    |
    +- man_only                   www           eng2    dr-xrwx---
    |  |
    |  (files)
    |
    +- man_readable_c             www           eng1    dr-xr-x---
       |
       +- man_readable            eng2_member   eng2    drwxrwxr-x
          |
          (files)
This does work, but has two obvious flaws:
1. Security - the user "www" should _not_ have to own the
directories
2. Ease of use - a normal user could not achieve the above
configuration with normal file system commands.
Certainly, though, a few setuid utilities could be written
to make this possible...
What other approaches exist? Comments? Critiques?
In his article, Doug Morris also speaks of a technique of using hard links
of directories to achieve a similar effect. This technique could be used
in tandem with the above to add more flexibility, but we all know the
GREAT EVIL that hard linked directories are. :-)
(Morris's article forces me to ask, though, if hard linked directories
are actually okay for other OS's, perhaps non-BSD ones?)
Thanks in advance for any and all response,
---
-------------------------------------------------------------------------
Charles Owens                          Email: owensc@enc.edu
Information Technology Services
Eastern Nazarene College
"I read somewhere to learn is to remember... and I've learned that
 we've all forgot..." - King's X
-------------------------------------------------------------------------
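The two layouts from the post, checked with a small model of the classic owner/group/other mode check (an added example, not code from the post; the user names 'manager', 'staff' and 'outsider', and the assumption that /dept itself is world-searchable, are mine):

```python
# Model the Unix mode-bit check to see what each class of user can do in
# the two directory layouts above. Added example; not from the post.

def perm_bits(entry, user, groups):
    """rwx triple of entry (owner, group, ls-style mode) that applies to user."""
    owner, group, mode = entry
    bits = mode[1:]                       # drop the leading 'd'
    if user == owner:
        return bits[0:3]
    if group in groups:
        return bits[3:6]
    return bits[6:9]

def can(tree, path, user, groups, want):
    """True if user may `want` ('r', 'w' or 'x') on path. Every directory on
    the way down must grant 'x'; ancestors not in tree (/dept) are assumed
    world-searchable, which is my assumption, not the post's."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        if ancestor in tree and "x" not in perm_bits(tree[ancestor], user, groups):
            return False
    return want in perm_bits(tree[path], user, groups)

# Layout 1 from the post: root owns the top directory, 'www' has no way in.
LAYOUT_ROOT_OWNED = {
    "/dept/eng": ("root", "eng", "drwxrwx---"),
    "/dept/eng/man_only": ("eng2_member", "eng2", "drwxrwx---"),
    "/dept/eng/man_readable_c": ("eng2_member", "eng1", "drwxr-x---"),
    "/dept/eng/man_readable_c/man_readable": ("eng2_member", "eng2", "drwxrwxr-x"),
}
# Layout 2 from the post: 'www' owns the choke-point directories with r-x.
LAYOUT_WWW_OWNED = {
    "/dept/eng_c": ("www", "eng", "dr-xrwx---"),
    "/dept/eng_c/man_only": ("www", "eng2", "dr-xrwx---"),
    "/dept/eng_c/man_readable_c": ("www", "eng1", "dr-xr-x---"),
    "/dept/eng_c/man_readable_c/man_readable": ("eng2_member", "eng2", "drwxrwxr-x"),
}
USERS = {                                 # constructed: user -> group set
    "manager": {"eng", "eng1", "eng2"},
    "staff": {"eng", "eng1"},
    "www": {"www"},
    "outsider": set(),
}

def access_matrix(tree):
    """{(user, path): 'rw' | 'r' | ''} for every user and directory in tree."""
    return {(user, path): "".join(b for b in "rw" if can(tree, path, user, groups, b))
            for user, groups in USERS.items() for path in tree}
```

Printing `access_matrix(LAYOUT_ROOT_OWNED)` and `access_matrix(LAYOUT_WWW_OWNED)` side by side shows the point of the control directory: staff reach man_readable only through man_readable_c's r-x and so get read-only there, and 'www' gets read access only in the second layout.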