Hack52.Share Files Using Linux Groups
Hack 52. Share Files Using Linux Groups
Traditional Unix/Linux groups have always made it easy to share files among users. Though this is more of a basic system capability than a hack, creating files that other users can both read and write can be done in various ways. The easiest way to do this is to make all files and directories readable and writable by all users, which is the security equivalent of putting a sign on your computer reading, "Please screw this up." No sysadmin in his right mind would do this, and most would also want to protect their users against accidentally setting themselves up for a catastrophe by doing so. This hack provides an overview of how to use Linux protections to create directories that can be protected at the group level, but in which all members of that group will be able to read and write files. This doesn't involve any special scripts or software packages, but provides a simple refresher that will help you help your users get their work done as efficiently as possible and with as few phone calls or pages to you as possible. 5.8.1. Linux Protections 101Basic Linux protection modes, inherited from Unix, provide the ability to protect files and directories at three basic levels:
These permissions are reflected in the leftmost entry in the long listing of any file or directory, as in the following example: $ ls -al /home/top-secret total 8 drwxrwx---2 ts top-secret 80 2005-07-04 16:02 . drwxr-xr-x 8 root root 184 2005-07-04 15:57 .. -rw-r--r--1 wvh top-secret 5386 2005-07-04 16:02 wmd_overview.sxw This listing shows three sets of Unix permissions: those for the directory in which the command was executed (.), those for that directory's parent directory (..), and those for a file in that directory (wmd_overview.sxw). The permissions for the directory show that it is owned by the user ts and the group top-secret, and that the directory can only be read, written to, or searched by the user ts or anyone in the top-secret group. The permissions entry for the wmd_overview.sxw file say that the file can be read or written to by its owner (wvh) and by any member of the top-secret group. In practice, this seems pretty straightforwardanyone in the top-secret group who needs to modify the wmd_overview.sxw file can just open it, make their changes, and save the file. Because only the user ts user and people in the top-secret group have access to the directory in the first place, it seems like a natural place for members of the group to create files that they can share with other group members. 5.8.2. Setting the umask to Create Sharable FilesThe ownership and permissions on files that a user creates are controlled by three things: the user's user ID when creating the file, the group to which she belongs, and her default protection file settings, known as her umask. The umask is a numeric value that is subtracted from the permissions used when creating or saving files or directories. In the previous example, assume that the users wvh and juser are both members of the top-secret group. The user juser creates a file called juser_comments.txt in the /home/top-secret directory, but its protections are set to -rw-r--r--. This means that no other user in the top-secret group can modify this file unless juser changes the permissions so that the file is also writable by group members, which can be done with either of the following commands: $ chmod 660 juser_comments.txt $ chmod g+w,o-r juser_comments.txt You find out a user's default umask setting by issuing the umask command, which is a built-in command in most Linux shells. By default, most users' umasks are set to 0022 so that newly created files are writable only by their owners, as in the example in the previous paragraph. Setting the user's umask to 0002 may seem like an easy way to ensure that files are created with permissions that enable other group members to modify them. This turns off the world-writable bit for the file, but leaves the group-writable bit set. However, there are two problems with this approach:
If you want to use a group-writable umask setting everywhere, the first of these issues is usually solved by turning off the executable and read permissions for group members and standard users on your home directory. (In Unix/Linux permissions, the executable bit on a directory determines whether the directory is searchable.) This means that while the files being created there are writable by group members, group members can't view the directory or locate the files in the first place. If you don't want to globally set your umask to create files that are group-writable, another common approach is to define an alias for file creation (in your shell's startup file, such as ~/.bashrc) that automatically sets file permissions appropriately, as in the following example: alias newfile=`(umask 0002 ; touch $1)` This command forks a sub-shell, sets the umask within that shell, and then creates the file and exits the sub-shell. You can do the same sort of thing without forking a sub-shell by manually changing the file permissions within an alias: alias newfile=`touch $1; chmod 660 $1` Any of these solutions works fine if the group that you want to be able to share files with is the group that you initially belong to when you log in, known as your login group. Linux enables users to belong to multiple groups at the same time, in order to let people work on multiple projects that are protected at the group level. For the purposes of creating files, Linux users function as members of a single group at any given time, and they can change the group that is in effect via the newgrp command. However, as explained in the next section, you can also set Linux directory protections to control the group that owns files created in a particular directory. 5.8.3. Using Directory Permissions to Set Group MembershipDirectory permissions in Linux have a different impact on the group ownership of files created in a directory than they do in other Unix-like operating systems. On BSD-based systems, for example, files created in a directory are always created with the group ownership of the group that owns the directory. On Linux systems, files created in a directory retain the group membership of the user that was in effect at the time the file was created. However, you can easily force group membership under Linux by taking advantage of a special permission mode, known as the s-bit. Unix systems have traditionally used this bit to enable users to run applications that require specific user or group privileges, but when set on a directory, the s-bit causes any files created in that directory to be created with the group membership of the directory itself. The s-bit on a directory is set using the command chmod g+s filename. If the s-bit is set on a specific directory, the x in the group permissions for that directory is replaced with an s. The following is an example of group ownership after the s-bit has been set on the same /home/top-secret directory (note the s in the executable bit of the group settings): # chmod g+s /home/top-secret # ls -al total 8 drwxrws---2 ts top-secret 80 2005-07-04 16:02 . drwxr-xr-x 8 root root 184 2005-07-04 15:57 .. -rw-r--r--1 wvh top-secret 5386 2005-07-04 16:02 wmd_overview.sxw At this point, creating any file in this directory gives it the same group ownership as the directory, as in the following example: $ touch testfile.txt $ ls -al total 8 drwxrws--- 2 ts top-secret 112 2005-07-04 16:06 . drwxr-xr-x 8 root root 184 2005-07-04 15:57 .. -rw-r--r-- 1 wvh top-secret 0 2005-07-04 16:06 testfile.txt -rw-rw-r-- 1 wvh top-secret 5386 2005-07-04 16:02 wmd_overview.sxw Because of the umask settings discussed earlier, this file was created with a mode that made it both user- and group-writable, which is exactly what you want. As you can see, Unix groups provide a useful and flexible mechanism for enabling users to share access to selected files and directories. They work in the same way on every modern Unix system, and thus provide a portable and standard protection mechanism. 5.8.4. See Also
|
EAN: 2147483647
Pages: 162