[OL] Re: [OT] OSX privileges question
At 6:14 PM -0700 9/22/03, Rich Morin wrote:

> Let's back up a bit. Explain, in more abstract terms, what you're trying to accomplish. That may allow enough wiggle room to allow a Unixish solution.

I try to stay out of the wiggle room, myself. I find the jackets fit just a little too tight.

-jeff
Re: [OT] OSX privileges question
On Monday, September 22, 2003, at 08:02 PM, Nicholas Thornton wrote:

> So I've been put in charge of setting up and maintaining our department's new dispatch/switchboard computer. In trying to keep it clean and in order, I was hoping, if possible, to be able to give users read/write access to information in files themselves, but to block them from renaming the files or moving them. I tried giving r-x access to a folder and rwx access to the file inside. This lets them open the file and prohibits them from moving/renaming it, but prohibits them from saving any changes (because they can't write to the folder).

It shouldn't prohibit them from making changes, unless the editing tools they're using are trying to overwrite the entire file (or create a temporary file and then replace the original) rather than just modifying it. Here's an experiment I tried - notice that I was able to edit the file:

    % ls -al
    total 8
    dr-xr-xr-x    3 ken  staff   102 Sep 23 09:13 ./
    drwxr-xr-x  208 ken  staff  7072 Sep 23 09:13 ../
    -rw-r--r--    1 ken  staff     8 Sep 23 09:13 file
    % cat file
    content
    % emacs file
    % cat file
    content
    more content

If this kind of thing doesn't seem workable for your situation, I can think of two alternatives:

1) Keep the information in a relational database, where you can specify the privileges in a more fine-grained and appropriate manner
2) Write a suid script to handle the required modifications

-Ken
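The point Ken's experiment makes is that the directory's write bit governs the directory *entries* (create, rename, unlink), while the file's write bit governs the file's *contents*. The following is an added example, not code from the thread: it builds the same layout (directory r-x, file rw) in a scratch directory and tries the four operations an editor might perform, including the "write a temp file, then rename it over the original" save strategy that fails in this setup. The scratch path, file names and contents are constructed for the demo; it assumes a POSIX system, Python 3, and an unprivileged user, since root bypasses these permission checks entirely (the returned `euid_is_root` flag records which case ran).

```python
"""Added example: what a read-only directory blocks, and what it does not.

Layout reproduced from the thread:
    directory  r-xr-xr-x  (0555)
    file       rw-r--r--  (0644)
"""
import os
import tempfile


def _attempt(fn):
    """Run fn(); True if it succeeded, False if the kernel refused it."""
    try:
        fn()
        return True
    except PermissionError:
        return False


def demo_directory_lock():
    """Return a dict describing which operations succeeded."""
    base = tempfile.mkdtemp(prefix="privdemo-")   # constructed scratch dir
    target = os.path.join(base, "file")
    with open(target, "w") as fh:
        fh.write("content\n")
    os.chmod(target, 0o644)   # file: rw for owner
    os.chmod(base, 0o555)     # directory: r-x only, even for the owner

    results = {"euid_is_root": os.geteuid() == 0}
    try:
        # 1. Open the existing inode and append: needs only the file's w bit.
        def write_in_place():
            with open(target, "a") as fh:
                fh.write("more content\n")
        results["write_in_place"] = _attempt(write_in_place)

        # 2. Rename: rewrites a directory entry, so it needs w on the directory.
        def rename_away():
            os.rename(target, target + ".renamed")
            os.rename(target + ".renamed", target)  # only reached as root; restore
        results["rename"] = _attempt(rename_away)

        # 3. Editor-style "safe save": new temp file, then rename over the
        #    original. Creating the temp file already needs w on the directory.
        def replace_via_tmp():
            tmp = target + ".tmp"
            with open(tmp, "w") as fh:
                fh.write("replacement\n")
            os.replace(tmp, target)
        results["replace_via_tmp"] = _attempt(replace_via_tmp)

        with open(target) as fh:
            results["final_content"] = fh.read()
    finally:
        # Clean up: make the directory writable again so we can remove entries.
        os.chmod(base, 0o755)
        for name in os.listdir(base):
            os.unlink(os.path.join(base, name))
        os.rmdir(base)
    return results


if __name__ == "__main__":
    for key, value in demo_directory_lock().items():
        print(f"{key:>16}: {value!r}")
```

Run as an ordinary user, `write_in_place` is the only operation that succeeds and the file ends up as `content\nmore content\n`, which is exactly what Ken's `cat` showed. Any editor that saves by writing a temp file and renaming it into place will fail here, so the setup only works with tools that open and modify the existing inode. On the suid-script alternative, note that most Unix kernels, macOS included, ignore the setuid bit on interpreted scripts; the privileged part has to be a compiled wrapper, and it then needs the same care as any setuid program (fixed paths, no environment trust, minimal work done as root).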
Re: [OT] OSX privileges question
On Monday, September 22, 2003, at 09:02 PM, Nicholas Thornton wrote:

> So I've been put in charge of setting up and maintaining our department's new dispatch/switchboard computer. In trying to keep it clean and in order, I was hoping, if possible, to be able to give users read/write access to information in files themselves, but to block them from renaming the files or moving them. I tried giving r-x access to a folder and rwx access to the file inside. This lets them open the file and prohibits them from moving/renaming it, but prohibits them from saving any changes (because they can't write to the folder). Is this an impossible feat I'm hoping for? If not, then how could I go about it?

What you want to do is something that Unix was never designed to do. Simply put, Unix does not give you the granularity necessary to do what you want to do. You need ACLs (Access Control Lists), which most Unix variants do not support.

Unix was built upon a model of peer pressure. That is to say, it was designed in a small lab environment where everyone knew everyone else, and if somebody did something either dumb and stupid, or oops, their peers knew about it immediately or could simply walk through the 5 or 10 cubicles necessary to find out who deleted the file, then slap them upside the head so they wouldn't do it again.

Later, as Unix expanded, attempts were made to graft all kinds of controls onto this primitive read-write-execute, User-Group-Other construct, but they never really worked... especially not the way people really worked once you got beyond a small group of about 10 people and about the year 1990. (And their implementations, like with sticky bits, vary across Unix implementations.)

It's a difficult problem - you may be able to create extreme straitjackets on what people can do. But these are normally not at all what people want to do.

This is why things like Oracle or Ingres have been written to bypass the inherent lack of this flexibility at the OS level and insert it at the application level. Their ability to store data is only a very small part of their feature set. The ability to CONTROL ACCESS to the data is their strong point -- who can name it, create it, read it, update it, destroy it, etc. The ability to sort the data and present it in different ways is just a GUI that rides on top of the security and control.

T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
Re: [OT] OSX privileges question
On Monday, September 22, 2003, at 09:02 PM, Nicholas Thornton wrote:

> So I've been put in charge of setting up and maintaining our department's new dispatch/switchboard computer. In trying to keep it clean and in order, I was hoping, if possible, to be able to give users read/write access to information in files themselves, but to block them from renaming the files or moving them. I tried giving r-x access to a folder and rwx access to the file inside. This lets them open the file and prohibits them from moving/renaming it, but prohibits them from saving any changes (because they can't write to the folder). Is this an impossible feat I'm hoping for? If not, then how could I go about it?

What is the file? Perhaps there is a workaround. For example, for printer settings, we allow users to change printers with Print Center. But once they log out, those settings are blown away, a backup copy of the cups settings replaces the old ones, and cups is restarted. There is a lot you can do with perl scripts running at login and logout.

Also, have you considered aliases or symlinks?

--
Thanks,
James Reynolds
University of Utah Student Computing Labs
801-585-9811