Since we're talking about groups anyway, let me share a situation that I ran across a couple of days ago.
We have two designers, we'll call them Alice and Bob. They are both members of a group that we'll call desginers. I set up a directory for them on a server, with the following commands: mkdir somedir chgrp desginers somedir chmod g+ws somedir setfacl -m d:g::rwx somedir Alice uses a Mac and Bob uses Windows. When Alice uploads a file, her FTP client automatically changes the group ownership from "designers" to "alice", making my little SGID bit useless. When Bob tries to update any files that Alice has uploaded, he can't do so because he's not in the "alice" group. We looked all over the FTP client, and were unable to find any settings to turn off any chgrp commands. My first thought was that if we could block specific users from using chgrp, it would block Alice's FTP client from screwing up the ownerships. Then I realized the chances of either Alice or Bob ever intentionally doing any group-specific were about as likely as Jayce^ converting to PHP, so I just changed both of their primary groups to "designers". Alice's FTP program no longer hoses the group ownership, and life is good. But I still wonder, can I block specific users from using chgrp? This is on a RHEL 5.3 box, FWIW. -- Joseph http://blog.josephhall.com/ /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
