User talk:Fajarpri

From openSUSE

Introduction (How to share directories between groups of users using ACL)

Note: I guess it's better to put this howto into the root entry, since it will be searched more easily by users. I have put it in How_to_share_directories_between_groups_of_users_using_ACL

As the server admin, you may need to set up a shared directory for several groups of users, each with specific permissions. So, here's the scenario:
3 groups:

  • sales
  • finance
  • management

  • sales and finance can ONLY access their own designated directories
  • management has FULL access to both the sales and finance directories
  • Users in the same group can modify each other's files, but ONLY the owner can delete a file

So, to achieve that, we need to ensure:

  • Each file and directory created by a user is owned by his group
  • Each file and directory created by a user is modifiable by his peers in that group

Detailed procedure (do this as root)

1. Ensure you have ACLs enabled

For the filesystem that will contain the shared directory, ensure that ACL support is enabled.

See http://en.opensuse.org/SDB:POSIX_Access_Control_List_%28ACL%29_Support

2. Creating groups

groupadd sales
groupadd finance
groupadd management

3. Creating users

useradd -g sales sales1
useradd -g sales sales2
useradd -g finance finance1
useradd -g finance finance2
useradd -g management boss1
useradd -g management boss2

4. Creating directories

mkdir -p /sharedir/{sales,finance}

5. Setting ownership and permission on directories

chown :sales /sharedir/sales
chown :finance /sharedir/finance
chmod 3770 /sharedir/{sales,finance}

(Mode 3770 sets the sticky bit, so that only a file's owner can delete it, and the setgid bit, so that new files and subdirectories inherit the group of the parent directory.)

6. Setting ACL

setfacl -d -m group:sales:rw /sharedir/sales
setfacl -d -m group:finance:rw /sharedir/finance
setfacl -d -m group:management:rw /sharedir/{sales,finance}

The first two ACL commands set the default ACL for files and subdirectories newly created within the sales and finance directories, so that they can be read and written by the sales and finance groups respectively.

The last ACL command adds a default entry so that newly created files and subdirectories also give users in the management group read/write access.

If a sales or finance user creates a file that management should not have access to, they can remove management's access after the file is created via:

setfacl -x group:management <file>

7. Testing

  • Switch to each user with su - and try to enter the sales and finance directories. This should succeed only for the directory belonging to the user's own group.
  • Switch to each user with su -, create a file in the designated directory, then switch to another user in the same group and try to modify the file. This should succeed.
  • Still as that user, try to delete the other user's file. This should fail.
  • As boss1, enter the sales and finance directories and modify some files. It should work.
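
The check below is an added example, not part of the original howto: it parses getfacl -p output (a constructed sample of what steps 5 and 6 leave on /sharedir/sales) and tells default entries, which only govern files created later, from access entries, which decide who can enter the directory now. The group names and path are the ones used above; everything else is assumed.

```shell
# Added example, not from the original page: parses `getfacl -p DIR` output and tells
# default entries (inherited by later-created files) from access entries (which decide
# who can enter the directory now). Sample constructed from steps 5 and 6 for /sharedir/sales.
SALES_ACL='# file: /sharedir/sales
# owner: root
# group: sales
# flags: -st
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:sales:rw-
default:group:management:rw-
default:mask::rwx
default:other::---'

# entry_perms ACL_TEXT SCOPE GROUP -> prints the rwx triple of GROUP's entry in
# SCOPE ("access" or "default"); a named group entry wins over the unnamed
# group:: entry, which counts only when GROUP is the owning group. No masking.
entry_perms() {
    printf '%s\n' "$1" | awk -v scope="$2" -v grp="$3" '
        /^# group: / { owning = $3; next }
        /^#/         { next }
        {
            n = split($0, f, ":")
            if (n == 4 && f[1] == "default") { sc = "default"; tag = f[2]; q = f[3]; p = f[4] }
            else if (n == 3) { sc = "access"; tag = f[1]; q = f[2]; p = f[3] } else next
            if (sc != scope || tag != "group") next
            if (q == grp) named = p; else if (q == "" && grp == owning) unnamed = p
        }
        END { if (named != "") print named; else if (unnamed != "") print unnamed }'
}
# can_enter_now: GROUP has an access entry with x, so its members can cd in today.
can_enter_now() { case $(entry_perms "$1" access "$2") in *x*) return 0;; *) return 1;; esac; }
# inherits_rw: files created under the directory will carry group:GROUP:rw-.
inherits_rw() { case $(entry_perms "$1" default "$2") in rw*) return 0;; *) return 1;; esac; }

# groups_locked_out ACL_TEXT GROUP...: groups that inherit rw yet cannot enter now.
groups_locked_out() {
    _acl=$1; shift
    for _g in "$@"; do
        if inherits_rw "$_acl" "$_g" && ! can_enter_now "$_acl" "$_g"; then echo "$_g"; fi
    done
}
for g in $(groups_locked_out "$SALES_ACL" sales finance management); do
    echo "$g: default entry only on /sharedir/sales; add an access entry too," \
         "e.g. setfacl -m group:$g:rwx /sharedir/sales, or its members cannot enter"
done
```

On the sample it reports management: setfacl -d adds a default entry only, so boss1 in step 7 cannot enter /sharedir/sales until an access entry (e.g. setfacl -m group:management:rwx /sharedir/sales) is added as well.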

Conclusion and note

So we can use ACLs to tweak directory and file permissions to meet our needs. ACLs work with Samba too. For additional information:

  • man setfacl
  • man getfacl

Hopefully this short write-up helps.

Thanks to all friends on the openSUSE mailing list.