Access control based on user and directory - Linux



Thread: Access control based on user and directory

  1. Access control based on user and directory

    Hi all,
    here where I work we are pulling our hair out because we are trying to
    do something that Linux was apparently not designed for.

    There are people in our research lab that generate and analyze data
    files, and each person (user) would need to have readwrite access to a
    few paths (and any subpath) and readonly access to another few paths
    (and any subpath).

    These paths are known statically, because they depend on the project
    they are working on. Actually these paths depend on the group (gid)
    more than on the user (uid). We can create whatever group might be
    needed to achieve this.

    The users having write access should be able to create any subdirectory
    nested at any level within those paths at any time. The access control
    to the new directories should be that of the path above.


    We are looking for 2 things:

    - 1 - the way to prevent readwrite/readonly access for each gid outside
    the directories that were built for them

    - 2 - the way to allow readwrite/readonly access to any file within
    those directories (and their subdirectories), regardless of the "r,w"
    flags a file could have. These users are not computer scientists, they
    make mistakes setting the user/group/others r,w flags when creating new
    files, and then other users complain because they are not able to access
    the files they were supposed to access. Giving them an umask is not
    enough because sometimes they copy files from their laptops and these
    result in permissions being too restrictive.

    Point #2 is somewhat less important than #1, mainly because we can
    create a sudoed script that performs "chmod -R u+rwX,g+rwX *" on all the
    hierarchy, that they can launch to fix any mistake made by others.


    This stuff cannot be done on standard Linux, or can it?

    I even gave a look at Apparmor and Tomoyo. Apparmor probably cannot do
    this because it seems it cannot check access based on uid or gid. Tomoyo
    seems to allow rules based on uid and gid in the policies, but I am not
    sure if its rules are inherited by subdirectories; also it requires
    patching the kernel and a considerable learning effort. Also I cannot
    tell from the web if it can do #2. Any comment on this?

    Isn't there a way to totally disable linux permissions checking (rwx for
    ugo) in an ext3 filesystem, maybe in a mountpoint?

    Filesystem should be ext3 because it is the most stable. These data have
    a considerable value and I would not dare to use e.g. fat32 just for
    disabling access control.

    Thank you

  2. Re: Access control based on user and directory

    why don't you just create a group with all the allowed users,

    assign the dedicated directories to that group, and make group writable?

    Alternatively you might learn about the command setfacl, and getfacl
    (File access control)


    On Wed, 27 Aug 2008 15:39:27 +0200, kunt wrote:

    > Hi all,
    > here where I work we are pulling our hair out because we are trying to
    > do something that Linux was apparently not designed for.
    >
    > There are people in our research lab that generate and analyze data
    > files, and each person (user) would need to have readwrite access to a
    > few paths (and any subpath) and readonly access to another few paths
    > (and any subpath).
    >
    > These paths are known statically, because they depend on the project
    > they are working on. Actually these paths depend on the group (gid)
    > more than on the user (uid). We can create whatever group might be
    > needed to achieve this.
    >
    > The users having write access should be able to create any subdirectory
    > nested at any level within those paths at any time. The access control
    > to the new directories should be that of the path above.
    >
    >
    > We are looking for 2 things:
    >
    > - 1 - the way to prevent readwrite/readonly access for each gid outside
    > the directories that were built for them
    >
    > - 2 - the way to allow readwrite/readonly access to any file within
    > those directories (and their subdirectories), regardless of the "r,w"
    > flags a file could have. These users are not computer scientists, they
    > make mistakes setting the user/group/others r,w flags when creating new
    > files, and then other users complain because they are not able to access
    > the files they were supposed to access. Giving them an umask is not
    > enough because sometimes they copy files from their laptops and these
    > result in permissions being too restrictive.
    >
    > Point #2 is somewhat less important than #1, mainly because we can
    > create a sudoed script that performs "chmod -R u+rwX,g+rwX *" on all the
    > hierarchy, that they can launch to fix any mistake made by others.
    >
    >
    > This stuff cannot be done on standard Linux, or can it?
    >
    > I even gave a look at Apparmor and Tomoyo. Apparmor probably cannot do
    > this because it seems it cannot check access based on uid or gid. Tomoyo
    > seems to allow rules based on uid and gid in the policies, but I am not
    > sure if its rules are inherited by subdirectories; also it requires
    > patching the kernel and a considerable learning effort. Also I cannot
    > tell from the web if it can do #2. Any comment on this?
    >
    > Isn't there a way to totally disable linux permissions checking (rwx for
    > ugo) in an ext3 filesystem, maybe in a mountpoint?
    >
    > Filesystem should be ext3 because it is the most stable. These data have
    > a considerable value and I would not dare to use e.g. fat32 just for
    > disabling access control.
    >
    > Thank you



  3. Re: Access control based on user and directory

    On 2008-08-27, Guenther Sohler wrote:

    > why don't you just create a group with all the allowed users,


    Yup.

    > assign the dedicated directories to that group, and make group
    > writable?


    That doesn't work unless everybody involved and all the
    software they use have their umask values set appropriately.
    IOW, that doesn't work. What invariably happens is that people
    create files that aren't group-writable when they should be.

    > Alternatively you might learn about the command setfacl, and
    > getfacl (File access control)


    That works. [Though you might have to enable ACLs in your
    kernel and fix the fstab entry so the filesystems are mounted
    with the acl option.]

    Set default ACLs on the directories so that newly created files
    are owned by the appropriate group and have exactly the desired
    group privileges. Assign users to appropriate groups, and Bob's
    your uncle.

    --
    Grant Edwards   grante at visi.com   Yow! Why is everything made of Lycra Spandex?

  4. Re: Access control based on user and directory

    Grant Edwards wrote:
    >> Alternatively you might learn about the command setfacl, and
    >> getfacl (File access control)

    >
    > That works. [Though you might have to enable ACLs in your
    > kernel and fix the fstab entry so the filesystems are mounted
    > with the acl option.]
    >
    > Set default ACLs on the directories so that newly created files
    > are owned by the appropriate group and have exactly the desired
    > group privileges. Assign users to appropriate groups, and Bob's
    > your uncle.



    Not reliable...

    If user u1 has write access to path /p1 while u2 has readonly access to
    /p1, u1 can break the thing.

    If u1 creates directory /p1/d1 and then does setfacl so as to grant write
    access to u2 within the /p1/d1 directory, we cannot stop that; u2 will
    definitely get write access.

    Something more enforcing?

    We would like something that cannot be bypassed by agreements among users.

  5. Re: Access control based on user and directory

    kunt wrote:
    > Grant Edwards wrote:
    >>> Alternatively you might learn about the command setfacl, and
    >>> getfacl (File access control)

    >>
    >> That works. [Though you might have to enable ACLs in your
    >> kernel and fix the fstab entry so the filesystems are mounted
    >> with the acl option.]
    >>
    >> Set default ACLs on the directories so that newly created files
    >> are owned by the appropriate group and have exactly the desired
    >> group privileges. Assign users to appropriate groups, and Bob's
    >> your uncle.

    >
    >
    > Not reliable...
    >
    > If user u1 has write access to path /p1 while u2 has readonly access to
    > /p1, u1 can break the thing.
    >
    > If u1 creates directory /p1/d1 and then does setfacl so as to grant write
    > access to u2 within the /p1/d1 directory, we cannot stop that; u2 will
    > definitely get write access.
    >
    > Something more enforcing?
    >
    > We would like something that cannot be bypassed by agreements among users.


    Make that group work in a chroot area where chmod, setfacl etc don't exist.
    Also mount that data fs noexec so they can't upload programs and run them.

  6. Re: Access control based on user and directory

    On Wed, 27 Aug 2008 13:39:27 UTC in comp.os.linux.development.system, kunt
    wrote:

    > There are people in our research lab that generate and analyze data
    > files, and each person (user) would need to have readwrite access to a
    > few paths (and any subpath) and readonly access to another few paths
    > (and any subpath).


    Are these Linux users or Windows users? Perhaps you can mount the directory
    using a Samba share and force the permissions that way.

    [Share]
    comment = Shared Directory
    path = /shares/Share
    valid users = @shareusers
    public = no
    writable = yes
    printable = no
    create mask = 0775
    directory mask = 0770

    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com

  7. Re: Access control based on user and directory

    Joe Beanfish wrote:
    >
    > Make that group work in a chroot area where chmod, setfacl etc don't exist.
    > Also mount that data fs noexec so they can't upload programs and run them.


    Hmmm, I see...

    another question:
    They upload files via SCP. The files might have been generated on their
    laptop and the permissions there could be anything. In particular the
    "group" permission could be insufficient (standard "group", not ACL).

    If they upload a file from the laptop onto the server via SCP and the
    file has insufficient group permissions, would the default:group ACL
    specified in the parent directory take precedence over the standard
    "group" permission coming through SCP?

    Thanks

  8. Re: Access control based on user and directory

    On 2008-08-28, kunt wrote:

    >> Make that group work in a chroot area where chmod, setfacl etc
    >> don't exist. Also mount that data fs noexec so they can't
    >> upload programs and run them.

    >
    > Hmmm, I see...
    >
    > another question:
    > They upload files via SCP. The files might have been generated on their
    > laptop and the permissions there could be anything. In particular the
    > "group" permission could be insufficient (standard "group", not ACL).
    >
    > If they upload a file from the laptop onto the server via SCP and the
    > file has insufficient group permissions, would the default:group ACL
    > specified in the parent directory take precedence over the standard
    > "group" permission coming through SCP?


    Yes (at least that's how it's working for me).

    --
    Grant Edwards   grante at visi.com   Yow! Here I am in 53 B.C. and all I want is a dill pickle!!
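The default-ACL approach recommended in post 3 and the SCP question answered in post 8 both come down to the same rule set from acl(5): default entries become the new object's access ACL, but the owner, group-class and other bits of the mode the creating program requests are ANDed into u::, m:: and o::. The following is an added example written for this page, not code from anyone in the thread. It models those rules in pure Python without touching a real filesystem, so you can predict what getfacl would print after a local create, an scp upload, or a mkdir two levels down. The group and user names (proj_rw, proj_ro, u1, u2, u3, u4), the setgid project directory, and the assumption that the upload requests the laptop file's own mode (0600, the case post 7 worries about) are all constructed for the illustration; named-user ACL entries are not modelled.

```python
# Added example: a model of POSIX default-ACL inheritance per acl(5).
# Not code from the thread; names and the sample directory are constructed.
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1


@dataclass
class Acl:
    user_obj: int                                               # u::  owner
    group_obj: int                                              # g::  owning group
    other: int                                                  # o::
    named_groups: Dict[str, int] = field(default_factory=dict)  # g:NAME: entries
    mask: Optional[int] = None                                  # m::  cap on the group class
    default: Optional["Acl"] = None                             # default:* entries (dirs only)


def create_in(parent: Acl, requested_mode: int, umask: int, is_dir: bool) -> Acl:
    """ACL of a new object created inside `parent` (acl(5), "Object creation").

    No default ACL: classic rule, mode & ~umask.  Default ACL present: umask is
    ignored, the default entries become the access ACL, and the owner /
    group-class / other bits of the *requested* mode are ANDed into u::,
    m:: (g:: when there is no mask) and o::.  Directories also inherit the
    default ACL itself, which is what makes nested subdirectories behave alike.
    """
    d = parent.default
    if d is None:
        m = requested_mode & ~umask
        return Acl((m >> 6) & 7, (m >> 3) & 7, m & 7)
    owner_bits, group_bits, other_bits = (requested_mode >> 6) & 7, (requested_mode >> 3) & 7, requested_mode & 7
    acl = Acl(d.user_obj & owner_bits, d.group_obj, d.other & other_bits,
              dict(d.named_groups), None if d.mask is None else d.mask & group_bits)
    if acl.mask is None:
        acl.group_obj &= group_bits
    if is_dir:
        acl.default = replace(d, named_groups=dict(d.named_groups))
    return acl


def chmod_group_add(acl: Acl, bits: int) -> Acl:
    """`chmod g+...` on an object with extended ACL entries widens m::, not g::."""
    if acl.mask is None:
        return replace(acl, group_obj=acl.group_obj | bits)
    return replace(acl, mask=acl.mask | bits)


def check(acl: Acl, owner: str, owning_group: str, who: str, groups: Set[str], want: int) -> bool:
    """acl(5) access-check algorithm: owner entry, else group class under the mask, else other."""
    if who == owner:
        return (acl.user_obj & want) == want
    candidates = [acl.group_obj] if owning_group in groups else []
    candidates += [p for g, p in acl.named_groups.items() if g in groups]
    if candidates:
        m = 7 if acl.mask is None else acl.mask
        return any((p & m & want) == want for p in candidates)
    return (acl.other & want) == want


# Constructed project directory, set up as post 3 suggests: group proj_rw with the
# setgid bit (new objects get that group) and default ACL
# u::rwx g::rwx g:proj_ro:r-x m::rwx o::---  (read-write group, read-only group, nobody else).
DEFAULT = Acl(7, 7, 0, {"proj_ro": R | X}, mask=7)
PROJ = Acl(7, 7, 0, {"proj_ro": R | X}, mask=7, default=DEFAULT)
OWNER = "u1"                                # creator of every object below
RW_MEMBER, RO_MEMBER, OUTSIDER = ("u4", {"proj_rw"}), ("u2", {"proj_ro"}), ("u3", {"students"})


def who_can(acl: Acl) -> dict:
    """Effective rights on an object owned by u1:proj_rw for the three kinds of user."""
    return {
        "rw_member_writes": check(acl, OWNER, "proj_rw", *RW_MEMBER, W),
        "ro_member_reads": check(acl, OWNER, "proj_rw", *RO_MEMBER, R),
        "ro_member_writes": check(acl, OWNER, "proj_rw", *RO_MEMBER, W),
        "outsider_reads": check(acl, OWNER, "proj_rw", *OUTSIDER, R),
    }


def scenario_local_create() -> dict:
    """u1 creates a file the normal way: open(..., 0666) under umask 022."""
    return who_can(create_in(PROJ, 0o666, 0o022, is_dir=False))


def scenario_scp_upload(laptop_mode: int = 0o600) -> dict:
    """Upload that recreates the file with the laptop's mode (assumed 0600).

    Group-class bits --- cut m:: to ---, so every group entry is ineffective
    (getfacl would flag '#effective:---') until the mask is widened again,
    e.g. by the sudoed 'chmod g+rwX' the original poster planned.
    """
    uploaded = create_in(PROJ, laptop_mode, 0o022, is_dir=False)
    repaired = chmod_group_add(uploaded, R | W)
    return {"before_chmod": who_can(uploaded), "after_chmod": who_can(repaired)}


def scenario_nested_dir() -> dict:
    """mkdir inherits the default ACL, so a file two levels down behaves the same."""
    sub = create_in(PROJ, 0o777, 0o022, is_dir=True)
    deep = create_in(sub, 0o666, 0o022, is_dir=False)
    return {"subdir_has_default": sub.default is not None, **who_can(deep)}


if __name__ == "__main__":
    for name, fn in (("local", scenario_local_create), ("scp", scenario_scp_upload), ("nested", scenario_nested_dir)):
        print(name, fn())
```

The point worth taking from the scp scenario is that a default ACL never widens what the creating program asked for: it only supplies the entries, and the requested mode then trims the mask. Whether an upload ends up readable by the read-only group therefore depends on the mode the client sends, which is why the mask repair step (or a server-side tool that creates files with a known mode) belongs in the design rather than being left to chance.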
