From: Mike Meyer
Date: Tue, 19 Mar 2002 05:48:25 -0600
To: Jan Grant
Cc: Richard, "freebsd-questions@FreeBSD.ORG"
Subject: Re: How to disallow a certain user or group to access a directory and all other users will not be affected
Message-ID: <15511.9609.134146.560977@guru.mired.org>
References: <200203191104.g2JB4VH56561@sydmail3.telpacific.com.au>

In , Jan Grant typed:
> On Tue, 19 Mar 2002, Richard wrote:
> > I am facing a problem that I only want to block a certain
> > user or a group to access a few directories and all other
> > users will not be affected.
> You need extended ACLs. I believe Linux has them; the TrustedBSD project
> is doing the same for FreeBSD (the code's already in current, IIRC).

Actually, any Unix can halfway do it. Put the users you want excluded
in group "excluded". Then make the directory owned by group excluded,
mode 705 (or whatever). The group permissions take precedence over the
"other" permission, so those users are excluded.

I say "halfway" because that's not the way you're supposed to use groups.
So it's relatively straightforward for a user to "lose" a group, at
least on some Unices. I originally found this on BSD 4.x, and I don't
know if it's been changed since. CSRG didn't consider it a problem,
and I haven't tested it on any version of FreeBSD.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
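
An added example, not part of the original message: a Python model of the classic (non-ACL) mode-bit check, showing why mode 705 shuts out members of the directory's group and what happens once a process no longer carries that group. The uids and gids are constructed, and the temporary directory's own group stands in for "excluded".

```python
import os
import stat
import tempfile

PERM = {"r": 4, "w": 2, "x": 1}

def matched_class(st, uid, gids):
    """Classic Unix check: the first matching class wins, with no
    fall-through to a later, more permissive class."""
    if uid == st.st_uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"

def may_access(st, uid, gids, want="rx"):
    """True if a non-root process with this uid and group set gets every
    permission in `want` (a subset of "rwx") from the mode bits alone."""
    shift = {"owner": 6, "group": 3, "other": 0}[matched_class(st, uid, gids)]
    granted = (stat.S_IMODE(st.st_mode) >> shift) & 0o7
    need = sum(PERM[c] for c in want)
    return granted & need == need

def demo():
    """Evaluate the mode-705 setup on a real directory with constructed users."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o705)      # rwx for owner, --- for group, r-x for other
        st = os.stat(d)
    excluded_gid = st.st_gid    # stands in for the "excluded" group
    stranger = st.st_uid + 1    # constructed uid: anyone but the owner
    return {
        "excluded member": may_access(st, stranger, {excluded_gid}),
        "ordinary user": may_access(st, stranger, {excluded_gid + 1}),
        # A process whose group set no longer holds the gid is just "other".
        "member who lost the group": may_access(st, stranger, set()),
        # The owner class is checked first, so group membership is ignored.
        "owner in excluded group": may_access(st, st.st_uid, {excluded_gid}),
    }

if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:28} {'allowed' if ok else 'denied'}")
```

The model covers only the mode bits; root bypasses them, and ACLs, where present, add further checks.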