From owner-freebsd-questions Sat Aug 8 11:50:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA12020 for freebsd-questions-outgoing; Sat, 8 Aug 1998 11:50:13 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from silver.teardrop.org (silver.teardrop.org [169.197.56.132]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA12012 for ; Sat, 8 Aug 1998 11:50:08 -0700 (PDT) (envelope-from sno@teardrop.org)
Received: from localhost (sno@localhost) by silver.teardrop.org (8.x.x/8.x.x) with SMTP id LAA17748; Sat, 8 Aug 1998 11:49:41 -0700 (MST)
Date: Sat, 8 Aug 1998 11:49:40 -0700 (MST)
From: James Snow
To: djv@bedford.net
cc: Doug White, freebsd-questions@FreeBSD.ORG
Subject: Re: Weird /home problem resolved [MAYBE] (LONG)
In-Reply-To: <199808081647.MAA00998@lucy.bedford.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 8 Aug 1998 djv@bedford.net wrote:

> Overall, Mr Snow is trying to achieve a goal here with permissions
> on homedirs and their parent dirs, which he hasn't explicitly stated.
> There may be a different approach to solve this problem.

With all the thought that has gone into this, you certainly deserve this
explanation. I fear it may be anti-climactic though:

We have the following sets of subdirectories and permissions in /home:

    /home/sub1    root.sub1    rwx r-x ---
    /home/sub2    root.sub2    rwx r-x ---
    /home/sub3    root.sub3    rwx r-x ---

Within /home/sub2, there are, obviously, the homes of the members of sub2.
There are also a set of files, call them sub2-shared, that need to be
read-accessible to all of sub2's members. Assorted members of sub1 are
admins of the sub2-shared files. They need, obviously, read and write
access to sub2-shared. Assorted members of sub3 are also allowed read
access to sub2-shared.
How we have accomplished this (which requires the 2.2.6 behavior of login)
is as follows. The directory sub2-shared is within /home/sub2, owned by
root.sub2-shared-admin, and set to 775. The members of sub1 that need
read/write access to this directory are members of sub2 and also of
sub2-shared-admin. The assorted members of sub3 who also need read access
to sub2-shared are also members of sub2.

    /home/sub2/sub2-shared    root.sub2-shared-admin    rwx rwx r-x

Assorted users and their groups are as follows (sX being subX):

    s1user1    sub1, sub2, sub2-shared-admin    (can rw sub2-shared)
    s1user2    sub1, sub2                       (can r sub2-shared)
    s1user3    sub1                             (has no idea it exists)
    s2user1    sub2                             (can r sub2-shared)
    s2user2    sub2, sub2-shared-admin          (can rw sub2-shared)
    s3user1    sub3, sub2, sub2-shared-admin    (can rw sub2-shared)
    s3user2    sub3, sub2                       (can r sub2-shared)
    s3user3    sub3                             (has no idea it exists)

Not allowing certain users to be aware of the existence of sub2-shared is
preferable.

The admins of sub2-shared have rw access to it via its group ownership of
sub2-shared-admin. The members of sub2 have access to it via being members
of sub2, able to cd to /home/sub2, and then subsequently to sub2-shared
through world/other permissions. The same is true of assorted members of
sub3 and sub1.
I realize that an alternative way of doing this would be the following:

    /home/sub1            root.sub1            rwx r-x r-x
    /home/sub2            root.sub2            rwx r-x r-x
    /home/sub3            root.sub3            rwx r-x r-x
    /home/shared          root.shared          rwx r-x ---
    /home/shared/files    root.shared-admin    rwx rwx r-x

    s1user1    sub1, shared, shared-admin    (can rw shared/files)
    s1user2    sub1, shared                  (can r shared/files)
    s1user3    sub1                          (has no idea it exists)
    s2user1    sub2, shared, shared-admin    (can rw shared/files)
    s2user2    sub2, shared                  (can r shared/files)
    s2user3    sub2                          (has no idea it exists)
    s3user1    sub3, shared, shared-admin    (can rw shared/files)
    s3user2    sub3, shared                  (can r shared/files)
    s3user3    sub3                          (has no idea it exists)

This allows for an additional class of user (s2user3) but creates what I
cannot help viewing as an unnecessary additional level of file hierarchy:
the /home/shared directory. It would contain nothing but the directory
/home/shared/files. It is a setup, however, that is in the long run more
flexible. It also doesn't require the 2.2.6 behavior of login, which, from
what I have now read, is preferable because the 2.2.6 behavior causes more
headaches for more people than the new behavior will cause for me.

If there is no middle ground in which login can access /home/sub/user via
group permissions on /home/sub, while not causing problems for NFS users,
then I gladly withdraw the complaint. The good of the many outweighs the
needs of the one. :)

Also, is there no other way in which one group of users can have rwx
access to a directory, a second group can have r-x access, and a third
group can have --- (no) access? Even ignoring the preference for group
three to not be aware of the directory?

Thanks again,

James Snow

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
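The two layouts in the post rely on the classic Unix rule that reaching a directory needs search (x) permission on every ancestor, and that a user's effective bits come from the owner, group or other field depending on uid and group membership. The model below, an added example and not code from the post or from FreeBSD, applies that rule to both layouts and reproduces the "rw / r / has no idea it exists" column for each user. The directory, group and user names are the ones the post lists; the entry for /home itself (root.wheel, 755) is an assumption the post does not state. The model treats every group listed for a user as in effect, which is exactly what the post's 2.2.6 login behaviour provides for the supplementary groups.

```python
# Classic Unix discretionary access checks (owner / group / other mode bits)
# applied to the two /home layouts described in the post. Constructed model
# for illustration, not FreeBSD's own code. Names come from the post; the
# /home entry (root.wheel 755) is an assumption the post does not state.

R, W, X = 4, 2, 1


def parse_mode(text):
    """'rwx r-x ---' -> (7, 5, 0): one 3-bit field each for owner, group, other."""
    fields = text.split()
    assert len(fields) == 3, text
    return tuple(sum(bit for ch, bit in zip(field, (R, W, X)) if ch != "-")
                 for field in fields)


# Layout A, as deployed in the post: path -> (owner, group, mode).
LAYOUT_A = {
    "/home":                  ("root", "wheel", "rwx r-x r-x"),   # assumption
    "/home/sub1":             ("root", "sub1",  "rwx r-x ---"),
    "/home/sub2":             ("root", "sub2",  "rwx r-x ---"),
    "/home/sub3":             ("root", "sub3",  "rwx r-x ---"),
    "/home/sub2/sub2-shared": ("root", "sub2-shared-admin", "rwx rwx r-x"),
}
USERS_A = {   # user -> all groups in effect (primary plus supplementary)
    "s1user1": {"sub1", "sub2", "sub2-shared-admin"},
    "s1user2": {"sub1", "sub2"},
    "s1user3": {"sub1"},
    "s2user1": {"sub2"},
    "s2user2": {"sub2", "sub2-shared-admin"},
    "s3user1": {"sub3", "sub2", "sub2-shared-admin"},
    "s3user2": {"sub3", "sub2"},
    "s3user3": {"sub3"},
}

# Layout B, the alternative the post sketches.
LAYOUT_B = {
    "/home":              ("root", "wheel",        "rwx r-x r-x"),  # assumption
    "/home/sub1":         ("root", "sub1",         "rwx r-x r-x"),
    "/home/sub2":         ("root", "sub2",         "rwx r-x r-x"),
    "/home/sub3":         ("root", "sub3",         "rwx r-x r-x"),
    "/home/shared":       ("root", "shared",       "rwx r-x ---"),
    "/home/shared/files": ("root", "shared-admin", "rwx rwx r-x"),
}
USERS_B = {
    "s1user1": {"sub1", "shared", "shared-admin"},
    "s1user2": {"sub1", "shared"},
    "s1user3": {"sub1"},
    "s2user1": {"sub2", "shared", "shared-admin"},
    "s2user2": {"sub2", "shared"},
    "s2user3": {"sub2"},
    "s3user1": {"sub3", "shared", "shared-admin"},
    "s3user2": {"sub3", "shared"},
    "s3user3": {"sub3"},
}


def effective_bits(user, groups, entry):
    """Pick the owner, group or other field, in that order, as the kernel does."""
    owner, group, mode = entry
    own, grp, oth = parse_mode(mode)
    if user == owner:
        return own
    if group in groups:
        return grp
    return oth


def ancestors(path):
    """'/home/sub2/x' -> ['/home', '/home/sub2']: every directory traversed."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def can_traverse(user, groups, layout, path):
    """Search (x) permission on every ancestor of path."""
    return all(effective_bits(user, groups, layout[p]) & X for p in ancestors(path))


def access(user, groups, layout, path):
    """Classify as in the post: 'rw', 'r', or 'hidden' (cannot list the parent)."""
    parent = ancestors(path)[-1]
    parent_bits = effective_bits(user, groups, layout[parent])
    # Learning that the directory exists needs read (r) on its parent and
    # search (x) on everything above the parent.
    if not (can_traverse(user, groups, layout, parent) and parent_bits & R):
        return "hidden"
    bits = effective_bits(user, groups, layout[path])
    if not (parent_bits & X and bits & X):
        return "visible-only"      # name is listable but the directory cannot be entered
    if bits & W:
        return "rw"
    return "r" if bits & R else "x-only"


def summarise(users, layout, path):
    return {u: access(u, g, layout, path) for u, g in sorted(users.items())}


if __name__ == "__main__":
    for label, users, layout, path in (("A", USERS_A, LAYOUT_A, "/home/sub2/sub2-shared"),
                                       ("B", USERS_B, LAYOUT_B, "/home/shared/files")):
        print("Layout", label, path)
        for user, result in summarise(users, layout, path).items():
            print("   ", user, result)
```

Running it prints the same three classes the post's tables give: for layout A, s1user3 and s3user3 come out "hidden" because they lack x and r on /home/sub2, while in layout B the same happens to s1user3, s2user3 and s3user3 at /home/shared. The model also shows why the post's "has no idea it exists" property is carried entirely by the parent directory's mode, not by the shared directory's own bits.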