in reply to
semi secure sudo script to allow restricted copy ability
Ok, I've actually investigated ACL's under unix now. Using them will definitely solve the problem I have. But, while investigating that, I've run into boxes where you have to specifically say you want ACL's supported, and thus must remount the partitions. FWIW, a quick check of 3 of our machines shows that CentOS 4.x doesn't natively support them, but CentOS 5.x does.
For those that were like me and resisting utilizing ACL's, there are two main commands to learn: getfacl and setfacl. A test session: As root do this
echo "This is a test file" > /tmp/test.file
chmod 640 /tmp/test.file
setfacl -m u:admin:rw /tmp/test.file
setfacl -m g:users:r /tmp/test.file
Now the admin user has the ability to edit /tmp/test.file and anyone in the users group can read it.
A normal 'ls -alF' shows that there's an acl attached to the file; notice the plus sign at the end of the permissions list, and following that, we see what getfacl says about the file.
$ ls -alF /tmp/test.file
-rw-r-----+ 1 root root 161 May 7 09:35 /tmp/test.file
$ getfacl /tmp/test.file
getfacl: Removing leading '/' from absolute path names
# file: tmp/test.file
# owner: root
# group: root
On a machine where ACL's aren't natively supported yet, when attempting to set the ACL, you'll get this:
$ setfacl -m u:admin:rw /tmp/test.file
setfacl: test.file: Operation not supported
For ACLs to work you have to mount whatever partition you want with the option acl. As an example, notice [the partition] /home [from /etc/fstab]:
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
LABEL=/home /home ext3 rw,acl 1 2