From owner-freebsd-questions  Tue Mar 19  3:40:22 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from uk2.kanda-systems.net (uk2.kanda-systems.net [193.195.117.202])
	by hub.freebsd.org (Postfix) with ESMTP id 6FB8E37B405
	for <freebsd-questions@FreeBSD.ORG>; Tue, 19 Mar 2002 03:40:17 -0800 (PST)
Received: from localhost.kanda-systems.net (localhost.kanda-systems.net [127.0.0.1])
	by uk2.kanda-systems.net (Postfix) with ESMTP
	id AEB9D3C1E8; Tue, 19 Mar 2002 12:54:00 +0000 (GMT)
Date: Tue, 19 Mar 2002 12:54:00 +0000 (GMT)
From: jason+freebsd@kanda.com
X-X-Sender: jason@uk2.kanda-systems.net
Reply-To: jason+freebsd@kanda.com
To: Jan Grant <Jan.Grant@bristol.ac.uk>
Cc: Richard <guyuan@telpacific.com.au>,
	"freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: How to disallow a certain user or group to access a directory
 and          all          other users will not be affected
In-Reply-To: <Pine.GSO.4.44.0203191126480.17702-100000@mail.ilrt.bris.ac.uk>
Message-ID: <20020319124758.W69540-100000@uk2.kanda-systems.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG


On Tue, 19 Mar 2002, Jan Grant wrote:

> On Tue, 19 Mar 2002, Richard wrote:
>
> > I am facing a problem that I only want to block a certain
> > user or a group to access a few directories and all other
> > users will not be affected.
> >
> > It does not seem to be a problem in win2000, but I cannot
> > implement in FreeBSD or Linux. Is it possible to implement
> > in FreeBSD or Linux?
>
> You need extended ACLs. I believe Linux has them; the TrustedBSD project
> is doing the same for FreeBSD (the code's already in current, IIRC).

Not quite so, typically you use permissions to grant access, ie. user x
can read/write these files, group y can only read these files and everyone
else has no access.

Permissions can be turned on their head a bit, eg: user x has no access,
group y has read only access and everyone else can do anything with them.

With thoughtful use of groups, you should be able to emulate some ACL
functionality, although it will be fiddlier than with ACLs.

Some quick examples:

To stop a group accessing a directory/file:

  chgrp group directory

(where group is the group you want to restrict access to, and directory is
the directory name)

Then chmod 707 directory

To stop a user accessing a file or directory:

chgrp user directory

Then chmod 077 directory

(where user is the user you want to restrict access to, and directory is
the directory name)

Jason
>
>
> --
> jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
> Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
> Q: What's yellow and equivalent to the axiom of choice? A: Zorn's lemon.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message