Greg Kettmann said:
>I come from a Novell, OS/2, Windows background. My experience comes
>from that arena.
>
>As per the subject my questions are about permissions, users and groups.
>
>I've read tons of stuff and think I've got a pretty good handle on file
>or directory permissions. My questions are a bit more esoteric.
>
>============= Subdirectory Permissions ==============================
>
>In Novell permissions could be assigned to a "parent" directory and it
>automatically applied to all files and subdirectories. This was called
>inheritance. It was automatic and you could change the permissions of a
>subdirectory if you'd like. It sort of looked from the top of the tree
>down to determine the actual permissions in effect.
>
>In OS/2 / Windows you didn't have this. Instead your changes only
>applied to wherever you assigned them. However, you did have the option
>of "applying" the permissions. This could be quite dangerous. Let's
>say you went to the root (d:\) directory and made it universally
>read/write. Well if you applied this it would erase any existing
>permissions in any subdirectory and replace them with the "new"
>settings.
>
>I gather that Linux doesn't have any sort of inheritance and matches the
>OS/2 Windows model (which is good). It seems that the -R switch will
>allow you to "Apply" the permissions change to subdirectories. Do I
>have this right?
Well, there are "default" permissions you assign (by defining umask).
Also, by setting the "sticky" bit right (I believe the group one), you can
specify that a file in a directory inherits the directory group, not the
user's group at the time.
>
>============= Groups to manage access ==============================
>
>I need to understand how to use groups better. Let's build two
>subdirectories. /shared and /accounting. Where they are is
>irrelevant. In my past I'd have a group called "everybody" with every
>user on the system in it. If I want to give access to /shared to
>everybody it seems all I'd have to do is assign the group everybody to
>the /shared subdirectory. So, assuming root made it, it would look like
>(read/write to root and "everybody", nothing to others):
>
>ls -al /shared
>drw-rw---- 19 root everybody 4096 Aug 8 11:01
>
>Likewise I want to restrict /accounting to members of the accounting
>department. I build a group called accounting and only the members of
>the accounting department will be in that group. It would look like:
>
>ls -al /accounting
>drw-rw---- 19 root accounting 4096 Aug 8 11:01
>
>Finally, how would I handle multiple groups? For example I'd like the
>auditors to be able to only have read access. In my past I'd simply
>assign multiple groups to the subdirectories but I don't see how to do
>this, in this environment, or at least to give more than one set of
>permissions. I don't want to open it up to read for everybody.
The simplest way is to create a new group, including those folks you want in
each. People can be members of multiple groups in Linux.
Alternatively, you can, in fact, compile Linux with ACLs - which gives
you as fine a control as NT / VMS. Also, you can go with Security
Enhanced Linux (SELinux, from http://www.nsa.gov/selinux/) or the RSBAC
patches from wherever they are. Also, there's the LSM (Linux Security
Module) project, working on defining a clean interface for all of these
projects to tie into the kernel.
>
>=====================
>
>Thanks for any feedback.
>
You're welcome.
jeff
---------------------------------------------------------
Jeffry Smith Technical Sales Consultant Mission Critical Linux
[EMAIL PROTECTED] cell phone:603.930.9739 fax: 978.446.9470
---------------------------------------------------------
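The /shared and /accounting setup from the question, worked through as an added shell script that is not part of the original thread: it shows the umask defaults and the setgid group inheritance from the reply, what chmod -R actually does to nested files, and a POSIX ACL entry for a read-only third group. It assumes GNU coreutils and stands in this user's primary group for the "everybody", "accounting" and "auditors" groups, since creating groups needs root.

```shell
#!/bin/sh
# Added example, not from the original thread. Rebuilds the /shared and
# /accounting layout from the question in a scratch directory, without root:
# the "everybody"/"accounting"/"auditors" groups are stood in for by this
# user's primary group (creating groups needs root). Assumes GNU coreutils.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STANDIN_GROUP=$(id -gn)        # placeholder for the groups named in the thread

# 1. umask supplies the "default" permissions the reply mentions: 027 strips
#    group-write and every "other" bit from newly created files and dirs.
mode_with_umask() {            # $1 = umask, $2 = file|dir -> octal mode
    p="$WORK/$2.$1"; rm -rf "$p"
    ( umask "$1"; if [ "$2" = dir ]; then mkdir "$p"; else : > "$p"; fi )
    stat -c %a "$p"
}
# 2. The setgid bit on a directory (mode 2xxx, the "group sticky bit" of the
#    reply) makes new files inherit the directory's group instead of the
#    creating user's primary group.
make_group_dir() {             # $1 = path -> octal mode, setgid included
    mkdir -p "$1"; chgrp "$STANDIN_GROUP" "$1"
    chmod 2770 "$1"            # rwxrws---: owner and group, nothing for others
    stat -c %a "$1"
}
inherits_group() {             # $1 = setgid dir -> yes|no
    : > "$1/newfile"
    [ "$(stat -c %g "$1")" = "$(stat -c %g "$1/newfile")" ] && echo yes || echo no
}
# 3. chmod -R is the "apply to subdirectories" Greg asks about. It rewrites the
#    mode of every file and directory below, so a 644 file becomes 770 too.
apply_recursive() {            # $1 = dir -> mode of a nested file afterwards
    mkdir -p "$1/sub"; ( umask 022; : > "$1/sub/report.txt" )   # starts as 644
    chmod -R 770 "$1"
    stat -c %a "$1/sub/report.txt"
}
# 4. Read-only access for a third group (the auditors) does not fit the single
#    owner/group/other triplet; a POSIX ACL entry grants it without touching
#    the base mode. Reports no-acl where setfacl or the filesystem lacks ACLs.
add_readonly_group() {         # $1 = dir, $2 = group -> the ACL line or no-acl
    command -v setfacl >/dev/null 2>&1 || { echo no-acl; return 0; }
    setfacl -m "g:$2:r-x" "$1" 2>/dev/null || { echo no-acl; return 0; }
    getfacl -p "$1" 2>/dev/null | grep "^group:$2:" || echo no-acl
}

echo "umask 027 file: $(mode_with_umask 027 file)  dir: $(mode_with_umask 027 dir)"
echo "accounting: $(make_group_dir "$WORK/accounting") inherits: $(inherits_group "$WORK/accounting")"
echo "after chmod -R 770: $(apply_recursive "$WORK/shared")"
echo "auditors ACL: $(add_readonly_group "$WORK/accounting" "$STANDIN_GROUP")"
```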