Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re: semi secure sudo script to allow restricted copy ability

by 5mi11er (Deacon)
on May 07, 2008 at 15:20 UTC ( #685236=note: print w/ replies, xml ) Need Help??


in reply to semi secure sudo script to allow restricted copy ability

Ok, I've actually investigated ACL's under unix now. Using them will definitely solve the problem I have. But, while investigating that, I've run into boxes where you have to specifically say you want ACL's supported, and thus must remount the partitions. FWIW, a quick check of 3 of our machines shows that CentOS 4.x doesn't natively support them, but CentOS 5.x does.

For those that were like me and resisting utilizing ACL's, there are two main commands to learn: getfacl and setfacl. A test session: As root do this

echo "This is a test file" > /tmp/test.file
chmod 640 /tmp/test.file
setfacl -m u:admin:rw /tmp/test.file
setfacl -m g:users:r  /tmp/test.file
Now the admin user has the ability to edit /tmp/test.file and anyone in the users group can read it.

A normal 'ls -alF' shows that there's an acl attached to the file; notice the plus sign at the end of the permissions list, and following that, we see what getfacl says about the file.

$ ls -alF /tmp/test.file
-rw-r-----+ 1 root root 161 May  7 09:35 /tmp/test.file

$ getfacl /tmp/test.file 
getfacl: Removing leading '/' from absolute path names
# file: tmp/test.file
# owner: root
# group: root
user::rw-
user:admin:rw-
group::r--
group:users:r--
mask::rw-
other::---
On a machine where ACL's aren't natively supported yet, when attempting to set the ACL, you'll get this:
$ setfacl -m u:admin:rw /tmp/test.file
setfacl: test.file: Operation not supported
This page states that
For ACLs to work you have to mount whatever partition you want with the option acl. As an example, notice [the partition] /home [from /etc/fstab]:
LABEL=/     /     ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
LABEL=/home /home ext3 rw,acl 1 2

-Scott


Comment on Re: semi secure sudo script to allow restricted copy ability

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://685236]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others contemplating the Monastery: (9)
As of 2014-12-20 23:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (99 votes), past polls