Date: Tue, 7 Oct 2008 06:25:06 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: John Almberg <jalmberg@identry.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: thorny (for me) permissions problem
Message-ID: <20081007132506.GA49321@icarus.home.lan>
In-Reply-To: <0C63914A-E3A3-4FC7-92AD-797F407A5FF7@identry.com>
References: <0C63914A-E3A3-4FC7-92AD-797F407A5FF7@identry.com>

On Tue, Oct 07, 2008 at 08:54:36AM -0400, John Almberg wrote:
> The following permissions problem has me stumped:
>
> 1. User A uploads a file (using ftp) to the server, into a directory
> called 'data' owned by user B. Permissions on directory set to allow
> this, like this:
>
> drwxrwxr-x  2 user_b  user_b  512 Oct  7 08:40 data

This implies that User A's account is in group "user_b".

> 2. A cron job, run by user B, then processes the file
>
> 3. When the processing is complete, the cron job needs to delete the
> file from the server
>
> 4. However, after upload, the file has the ownership A:B (i.e., owned by
> A, group B) with permissions -rw-r--r--. So B does not have permission to
> delete the file.

This doesn't make sense. Any user in "group B" (the group that's
assigned to the "data" directory) should be able to remove files in that
directory. That means:

1) Any user in the group called "user_b",
2) The user "user_b" himself.

See below.

> The ftp user can manually change the permissions on the file to
> -rw-rw-r--, but I do not want to depend on the user remembering to change
> permissions. If he forgets, the cronjob will process the file over and
> over again. I need the server to handle this, so it gets done correctly
> 100% of the time.
>
> B does not have sufficient permissions to delete the file or change its
> permissions. The only thing I can think of is to have ANOTHER cron job,
> run by A, run every few minutes to check for the existence of a file, and
> change the permissions so B can delete it. But this smells like a kludge
> to me.
>
> Is there a correct way to handle this? For instance, is there something I
> can set in A's profile, so when he uploads a file, the group permission
> is set to rw? That would be a nice clean way to do it, but I can't find
> anything like that.

What you're describing is understandable, but something is wrong with
the setup or description of the problem.
Here's proof of what I'm talking about:

# egrep 'somegroup' /etc/group
somegroup:*:9999:bob,jim
# id bob
uid=2000(bob) gid=1000(users) groups=1000(users),9999(somegroup)
# id jim
uid=2001(jim) gid=1000(users) groups=1000(users),9999(somegroup)

Both of these users are in group "somegroup". So let's make some
directories and files:

drwxrwxr-x  2 jim  somegroup  2 Oct  7 06:22 data/
-rw-r-----  1 bob  somegroup  0 Oct  7 06:22 data/somefile

In this scenario, user "jim" will be able to remove "somefile", as can
be seen here:

# su jim
% id -a
uid=2001(jim) gid=1000(users) groups=1000(users),9999(somegroup)
% ls -l
total 1
-rw-r-----  1 bob  somegroup  0 Oct  7 06:22 somefile
% rm somefile
override rw-r----- bob/somegroup for somefile? y
% ls -l
total 0

So, possibly the FTP server you're using does not inherit users' groups,
only GIDs?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
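Added example, not part of the original message: the rule the reply relies on (removing a file needs write permission on the directory, not on the file) can be reproduced from a single unprivileged account. The helper name `try_unlink` and the scratch directory layout are constructed for this illustration, and `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Added illustration, not from the thread. try_unlink is a hypothetical helper.
# It builds a scratch "data" directory (constructed sample, made with
# mktemp -d), applies the given modes, and reports whether the file could be
# removed by the user running the script.

# usage: try_unlink DIR_MODE FILE_MODE  -> prints "removed" or "denied"
try_unlink() {
    work=$(mktemp -d) || return 2
    mkdir "$work/data"
    : > "$work/data/somefile"
    chmod "$2" "$work/data/somefile"
    chmod "$1" "$work/data"

    # rm -f skips the "override ...?" prompt seen in the session above, but
    # it still fails if the directory does not grant write permission.
    if rm -f "$work/data/somefile" 2>/dev/null &&
       [ ! -e "$work/data/somefile" ]; then
        result=removed
    else
        result=denied
    fi

    chmod 700 "$work/data"   # restore access so the scratch tree can be cleaned
    rm -rf "$work"
    echo "$result"
}

# Read-only file in a writable directory: removal succeeds.
echo "dir 775, file 444: $(try_unlink 775 444)"

# Writable file in a read-only directory: removal is refused
# (root bypasses this check, so run it as an ordinary user).
echo "dir 555, file 666: $(try_unlink 555 666)"
```

If the directory has the sticky bit set (for example mode 1775), group write on the directory is not enough: only the file's owner, the directory's owner, or root can remove the file.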