Unix questions - Directory/File Access


Author Directory/File Access
RESgrignoli

2005-02-02, 5:56 pm

Question about directories/files, ownerships and permissions.....

Example Directory Structure:
/dir1/dir2/dir3/dir4/dir5/dir6/dir7/dir8/file

Vital Data:
DIRECTORY   PERMS   OWNERSHIP
/dir1       555     root:root
....dir2    775     root:root
....dir3    775     per1:grp1
....dir4    775     per2:grp1
....dir5    775     per2:grp2
....dir6    775     per1:grp3
....dir7    555     per1:grp3
....dir8    775     per1:grp3

Person3 ("per3") has a primary group of "staff" and also belongs to
secondary groups of "grp2" and "grp3" but is NOT a member of "grp1".

Person3 ("per3") is able to "cd" to each of the directory levels from
/dir1 all the way down to /dir8. This makes sense due to each
directory having "x" (execute) access.

I can understand why (based on the above perms and ownerships) that
Person3 is NOT able to touch a file in /dir1 thru /dir4 and also in
/dir7 by virtue of NOT being the owner and EITHER not belong to the
GROUP OR not having write access.

Person3 ("per3") is ONLY able to "touch" a file within /dir8.....It is
clear why Person3 IS able to "touch" a file in /dir8 due to being a
member of "grp3" AND having group permissions wide open.

However...

Person3 does not seem to have the ability to "touch" a file in /dir5 or
/dir6 for some reason, even though she is a member of "grp2" and "grp3"
AND the group permissions are also wide open.
What may be the cause of the last situation?

Thanks.

Greg Beeker

2005-02-03, 5:53 pm

What are the permissions on the file she does not have the ability to
touch?

Greg Beeker

2005-02-03, 5:53 pm


RESgrignoli wrote:
> Question about directories/files, ownerships and permissions.....
>
> Example Directory Structure:
> /dir1/dir2/dir3/dir4/dir5/dir6/dir7/dir8/file

A side note: why is the structure so deep?
>
> Vital Data:
> DIRECTORY PERMS OWNERSHIP
> /dir1 555 root:root
> ...dir2 775 root:root
> ...dir3 775 per1:grp1
> ...dir4 775 per2:grp1
> ...dir5 775 per2:grp2
> ...dir6 775 per1:grp3
> ...dir7 555 per1:grp3
> ...dir8 775 per1:grp3
>
> Person3 ("per3") has a primary group of "staff" and also belongs to
> secondary groups of "grp2" and "grp3" but is NOT a member of "grp1".
>
> Person3 ("per3") is able to "cd" to each of the directory levels from
> /dir1 all the way down to /dir8. This makes sense due to each
> directory having "x" (execute) access.
>
> I can understand why (based on the above perms and ownerships) that
> Person3 is NOT able to touch a file in /dir1 thru /dir4 and also in
> /dir7 by virtue of NOT being the owner and EITHER not belong to the
> GROUP OR not having write access.
>
> Person3 ("per3") is ONLY able to "touch" a file within /dir8.....It is
> clear why Person3 IS able to "touch" a file in /dir8 due to being a
> member of "grp3" AND having group permissions wide open.
>
> However...
>
> Person3 does not seem to have the ability to "touch" a file in /dir5 or
> /dir6 for some reason, even though she is a member of "grp2" and "grp3"
> AND the group permissions are also wide open.
> What may be the cause of the last situation?


Generally, file and directory permissions are tricky to understand, and
it seems you have a good start.

I'd say you have a file permission issue, but I can't say for sure
until I see the file permissions that she is trying to touch.
For example: -rw-r----- 1 root staff 2960 Dec 13 2000 x0040

RESgrignoli

2005-02-20, 6:19 pm

I guess I should clarify what I mean by "touch". In this particular
case, the file does NOT yet exist; therefore, when one touches a file,
it is essentially the same as "cat /dev/null > filename". That being
said, the permissions and ownerships of the directories above AND that
which holds the file are already provided.

To further clarify (in case anyone asks), it is not the intention for
the user to "simply" touch an empty file, but only serves as an
example. The person is actually attempting to create a file in the
directory WITH DATA.

Richard




Greg Beeker wrote:
> RESgrignoli wrote:
> A side note: why is the structure so deep?
>
> Generally, file and directory permissions are tricky to understand, and
> it seems you have a good start.
>
> I'd say you have a file permission issue, but I can't say for sure
> until I see the file permissions that she is trying to touch.
> For example: -rw-r----- 1 root staff 2960 Dec 13 2000 x0040


RESgrignoli

2005-02-20, 6:19 pm

As far as why the structure is so deep, we have numerous applications
running on these servers, and because of the nature of the
applications, it is not unusual for their directory structures to be
very detailed. I agree that they sometimes go overboard, but
fortunately I'm just a Solaris Sys Admin and not working within the
applications department, especially WebSphere.

Greg Beeker

2005-02-21, 5:59 pm


RESgrignoli wrote:
> Question about directories/files, ownerships and permissions.....
>
> Example Directory Structure:
> /dir1/dir2/dir3/dir4/dir5/dir6/dir7/dir8/file
>
> Vital Data:
> DIRECTORY PERMS OWNERSHIP
> /dir1 555 root:root
> ...dir2 775 root:root
> ...dir3 775 per1:grp1
> ...dir4 775 per2:grp1
> ...dir5 775 per2:grp2
> ...dir6 775 per1:grp3
> ...dir7 555 per1:grp3
> ...dir8 775 per1:grp3
>
> Person3 ("per3") has a primary group of "staff" and also belongs to
> secondary groups of "grp2" and "grp3" but is NOT a member of "grp1".

<snip>
> Person3 ("per3") is ONLY able to "touch" a file within /dir8.....It is
> clear why Person3 IS able to "touch" a file in /dir8 due to being a
> member of "grp3" AND having group permissions wide open.
>
> However...
>
> Person3 does not seem to have the ability to "touch" a file in /dir5 or
> /dir6 for some reason, even though she is a member of "grp2" and "grp3"
> AND the group permissions are also wide open.
> What may be the cause of the last situation?
>
> Thanks.


I am on an AIX 5.1 system and tried to simulate your problem, with the
following results. I created a user (per3) and the directory structure:

$ ls -ld dir*
dr-xr-xr-x 3 root system 512 Feb 21 17:22 dir1
drwxrwxr-x 2 root system 512 Feb 21 17:23 dir2
drwxrwxr-x 2 root grp1 512 Feb 21 17:23 dir3
drwxrwxr-x 2 root grp1 512 Feb 21 17:23 dir4
drwxrwxr-x 2 root grp2 512 Feb 21 17:26 dir5
drwxrwxr-x 2 root grp3 512 Feb 21 17:29 dir6
dr-xr-xr-x 2 root grp3 512 Feb 21 17:23 dir7
drwxrwxr-x 2 root grp3 512 Feb 21 17:23 dir8

I was able to touch files in both dir5 and dir6:
$ touch dir5/tt
$ touch dir6/tt

$ id
uid=204(per3) gid=1(staff) groups=206(grp2),207(grp3)

It would help if you posted the perms for the dir5 and dir6 like I did,
and also the exact error message you are getting.

I think for the purpose of solving your problem, the structure is not
important, but only the individual directory perms.

RESgrignoli

2005-03-11, 5:59 pm

From looking at your example, I sense that you are creating "dir1"
"dir2" "dir3" and so on IMMEDIATELY underneath the SAME upper
directory.....however, that is not how I was depicting it.....

According to my first example, the hierarchy was:
/dir1/dir2/dir3/dir4/dir5/dir6/dir7/dir8/file

In other words, "dir1" is subordinate to the ROOT directory....."dir2"
is subordinate to "dir1"....."dir3" is subordinate to "dir2".....and so
on.....

Greg Beeker

2005-03-14, 5:57 pm


Greg Beeker wrote:
> RESgrignoli wrote:
> <snip>
>
> I am on an AIX 5.1 system and tried to simulate your problem, with the
> following results. I created a user (per3) and the directory structure:
>
> $ ls -ld dir*
> dr-xr-xr-x 3 root system 512 Feb 21 17:22 dir1
> drwxrwxr-x 2 root system 512 Feb 21 17:23 dir2
> drwxrwxr-x 2 root grp1 512 Feb 21 17:23 dir3
> drwxrwxr-x 2 root grp1 512 Feb 21 17:23 dir4
> drwxrwxr-x 2 root grp2 512 Feb 21 17:26 dir5
> drwxrwxr-x 2 root grp3 512 Feb 21 17:29 dir6
> dr-xr-xr-x 2 root grp3 512 Feb 21 17:23 dir7
> drwxrwxr-x 2 root grp3 512 Feb 21 17:23 dir8
>
> I was able to touch files in both dir5 and dir6:
> $ touch dir5/tt
> $ touch dir6/tt
>
> $ id
> uid=204(per3) gid=1(staff) groups=206(grp2),207(grp3)
>
> It would help if you posted the perms for the dir5 and dir6 like I did,
> and also the exact error message you are getting.


If you are still having a question on the permissions, please post the
perms for dir5 and dir6, and the error message.

>
> I think for the purpose of solving your problem, the structure is not
> important, but only the individual directory perms.


Greg Beeker

2005-03-14, 5:57 pm


RESgrignoli wrote:
> "dir2" "dir3" and so on IMMEDIATELY underneath the SAME upper
> directory.....however, that is not how I was depicting it.....


I know. The only way I can help you, is if you post the exact directory
permissions for the lowest dir (dir8 in your example).
Or post the entire structure if you prefer.

>
> According to my first example, the hierarchy was:
> /dir1/dir2/dir3/dir4/dir5/dir6/dir7/dir8/file
>
> In other words, "dir1" is subordinate to the ROOT directory....."dir2"
> is subordinate to "dir1"....."dir3" is subordinate to "dir2".....and so
> on.....


I think for the purpose of solving your problem, the structure is not
important, but only the individual directory perms.

Please post the exact perms, and error message.
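
Added example, not part of the thread: a small Python model of the classic Unix owner/group/other check, applied to the nested hierarchy and the modes and ownerships from the question's table. The names (`Dir`, `class_bits`, `can_create_in`, `writable_dirs`) are hypothetical, and the model assumes no ACLs, no root privileges and a writable mount.

```python
# Added example: classic Unix owner/group/other check (no ACLs, no root override).
from dataclasses import dataclass

W, X = 2, 1  # write and search (execute) bits within one rwx triplet


@dataclass(frozen=True)
class Dir:
    name: str
    mode: int    # e.g. 0o775
    owner: str
    group: str


def class_bits(d, user, groups):
    """rwx bits of the ONE class that applies: owner, else group, else other.
    There is no fall-through to a more permissive class."""
    if user == d.owner:
        return (d.mode >> 6) & 7
    if d.group in groups:
        return (d.mode >> 3) & 7
    return d.mode & 7


def can_create_in(chain, index, user, groups):
    """Creating an entry in chain[index] needs search (x) on every directory
    from the top of the chain down to it, plus write (w) on chain[index]."""
    if not all(class_bits(d, user, groups) & X for d in chain[:index + 1]):
        return False
    return bool(class_bits(chain[index], user, groups) & W)


def writable_dirs(chain, user, groups):
    return [d.name for i, d in enumerate(chain)
            if can_create_in(chain, i, user, groups)]


# /dir1/dir2/.../dir8, nested, with modes and ownerships from the question's table.
CHAIN = [
    Dir("dir1", 0o555, "root", "root"), Dir("dir2", 0o775, "root", "root"),
    Dir("dir3", 0o775, "per1", "grp1"), Dir("dir4", 0o775, "per2", "grp1"),
    Dir("dir5", 0o775, "per2", "grp2"), Dir("dir6", 0o775, "per1", "grp3"),
    Dir("dir7", 0o555, "per1", "grp3"), Dir("dir8", 0o775, "per1", "grp3"),
]
PER3_GROUPS = {"staff", "grp2", "grp3"}  # primary plus secondary groups

if __name__ == "__main__":
    print(writable_dirs(CHAIN, "per3", PER3_GROUPS))
```

With the table as posted, the model allows creation in dir5, dir6 and dir8 even when the directories are nested, so a denial in dir5 or dir6 has to come from something the table does not show, such as the real `ls -ld` modes or the groups reported by `id` in the affected session.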


Copyright 2003 - 2008 webservertalk.com