There is, however, a much more flexible solution that you can manage yourself. Our filesystems support ACLs (Access Control Lists), which you can manage with the commands "getfacl" and "setfacl". ACLs let you specify arbitrarily fine-grained access control on a per-file or per-directory basis. So you could give, say, ravi and kumar "rwx" access to a file but deny access to everybody else, without ravi and kumar having to share a Unix group.
Here is an example:
# setfacl -r -m user:ravi:rwx tempfile
# setfacl -r -m user:kumar:rwx tempfile
This gives two different users full control of the 'tempfile' file. The -m option means modify: it adds or changes the listed entries and leaves the rest of the ACL alone. The -s option requires a complete ACL specification, so -m is easier to use. The -r option recalculates the ACL mask for the file(s).
The 'getfacl tempfile' command produces:
# getfacl tempfile
# file: tempfile
# owner: dl4g
# group: staff
user::rw-
user:kumar:rwx #effective:rwx
user:ravi:rwx #effective:rwx
group::r-- #effective:r--
mask:rwx
other:---
Use on directories with -R to recurse. Reading the man pages may make this seem more complicated, but this simple example and others work perfectly.
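An added example (not from the original post): a shell helper that reads getfacl output and recomputes each entry's effective permissions from the mask, which is what the #effective column reports. The function names and the narrowed-mask sample are constructed for illustration.

```shell
# Constructed sample: the getfacl output above, but with the mask narrowed to r-x.
sample_acl() {
    cat <<'EOF'
# file: tempfile
# owner: dl4g
# group: staff
user::rw-
user:kumar:rwx #effective:r-x
user:ravi:rwx #effective:r-x
group::r-- #effective:r--
mask:r-x
other:---
EOF
}

# Print type:name:effective-permissions for every entry read from stdin.
acl_effective() {
    awk '
    function isect(p, m,    i, c, out) {       # keep only bits the mask allows
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return out
    }
    {
        sub(/[ \t]*#.*/, ""); sub(/[ \t]+$/, "")  # drop headers, #effective notes
        if ($0 == "") next
        n = split($0, f, ":")
        type[++cnt] = f[1]; name[cnt] = (n == 3) ? f[2] : ""; perm[cnt] = f[n]
        if (f[1] == "mask") mask = f[n]
    }
    END {
        if (mask == "") mask = "rwx"            # no mask entry: nothing is limited
        for (k = 1; k <= cnt; k++) {
            if (type[k] == "mask") continue
            # The mask never limits the file owner (user::) or other.
            exempt = (type[k] == "other" || (type[k] == "user" && name[k] == ""))
            eff = exempt ? perm[k] : isect(perm[k], mask)
            printf "%s:%s:%s\n", type[k], name[k], eff
        }
    }'
}

# List named users whose effective permissions include write.
acl_writers() {
    acl_effective | awk -F: '$1 == "user" && $2 != "" && $3 ~ /w/ { print $2 }'
}
```

Run it as "getfacl tempfile | acl_writers" to see which named users can actually write to a file once the mask is applied.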