ch22_14.htm

the unix power tools

<HTML
><!--Distributed by F --><HEAD
><TITLE
>[Chapter 22] 22.14 Add Users to a Group to Deny Permission </TITLE
><META
NAME="DC.title"
CONTENT="UNIX Power Tools"><META
NAME="DC.creator"
CONTENT="Jerry Peek, Tim O'Reilly &amp; Mike Loukides"><META
NAME="DC.publisher"
CONTENT="O'Reilly &amp; Associates, Inc."><META
NAME="DC.date"
CONTENT="1998-08-04T21:40:35Z"><META
NAME="DC.type"
CONTENT="Text.Monograph"><META
NAME="DC.format"
CONTENT="text/html"
SCHEME="MIME"><META
NAME="DC.source"
CONTENT="1-56592-260-3"
SCHEME="ISBN"><META
NAME="DC.language"
CONTENT="en-US"><META
NAME="generator"
CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"><LINK
REV="made"
HREF="mailto:online-books@oreilly.com"
TITLE="Online Books Comments"><LINK
REL="up"
HREF="ch22_01.htm"
TITLE="22. File Security, Ownership, and Sharing"><LINK
REL="prev"
HREF="ch22_13.htm"
TITLE="22.13 Groups and Group Ownership "><LINK
REL="next"
HREF="ch22_15.htm"
TITLE="22.15 Juggling Permissions "></HEAD
><BODY
BGCOLOR="#FFFFFF"
TEXT="#000000"
><DIV
CLASS="htmlnav"
><H1
><IMG
SRC="gifs/smbanner.gif"
ALT="UNIX Power Tools"
USEMAP="#srchmap"
BORDER="0"></H1
><MAP
NAME="srchmap"
><AREA
SHAPE="RECT"
COORDS="0,0,466,58"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="467,0,514,18"
HREF="jobjects/fsearch.htm"
ALT="Search this book"></MAP
><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_13.htm"
TITLE="22.13 Groups and Group Ownership "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.13 Groups and Group Ownership "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><B
><FONT
FACE="ARIEL,HELVETICA,HELV,SANSERIF"
SIZE="-1"
>Chapter 22<BR>File Security, Ownership, and Sharing</FONT
></B
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_15.htm"
TITLE="22.15 Juggling Permissions "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.15 Juggling Permissions "
BORDER="0"></A
></TD
></TR
></TABLE
>&nbsp;<HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"></DIV
><DIV
CLASS="SECT1"
><H2
CLASS="sect1"
><A
CLASS="title"
NAME="UPT-ART-0295"
>22.14 Add Users to a Group to Deny Permission </A
></H2
><P
CLASS="para"
><A
CLASS="indexterm"
NAME="AUTOID-24551"
></A
><A
CLASS="indexterm"
NAME="AUTOID-24554"
></A
>Usually, UNIX
<SPAN
CLASS="link"
>group access (<A
CLASS="linkend"
HREF="ch22_13.htm"
TITLE="Groups and Group Ownership "
>22.13</A
>)</SPAN
>
allows a group of users to access a directory or file that they couldn't
otherwise access.
You can turn this around, though, with groups that <EM
CLASS="emphasis"
>deny</EM
> permission.</P
><BLOCKQUOTE
CLASS="note"
><P
CLASS="para"
><STRONG
>NOTE:</STRONG
> This trick works only on UNIX systems, like BSD, that let a user belong to
more than one group at the same time.</P
></BLOCKQUOTE
><P
CLASS="para"
>For example, you might work on a computer that has some proprietary
files and software that three &quot;guest&quot; accounts shouldn't be able to use.
Everyone else on the computer should have access.
To do this, put the software in a directory owned by a group named
something like <EM
CLASS="emphasis"
>deny</EM
>.
Then use <EM
CLASS="emphasis"
>chmod</EM
> to deny permission to that group:</P
><P
CLASS="para"
><BLOCKQUOTE
CLASS="screen"
><PRE
CLASS="screen"
># <CODE
CLASS="userinput"
><B
>chmod 705 /usr/local/somedir</B
></CODE
>
# <CODE
CLASS="userinput"
><B
>ls -lgd /usr/local/somedir</B
></CODE
>
drwx--r-x  2     root   deny        512  Mar 26 12:14 /usr/local/somedir</PRE
></BLOCKQUOTE
></P
><P
CLASS="para"
>Finally, add the guest accounts to the <EM
CLASS="emphasis"
>deny</EM
> group (in the
<EM
CLASS="emphasis"
>/etc/group</EM
> file).</P
><P
CLASS="para"
>UNIX checks permissions in the order <EM
CLASS="emphasis"
>user</EM
>-<EM
CLASS="emphasis"
>group</EM
>-<EM
CLASS="emphasis"
>other</EM
>.
The first applicable permission is the one used, even if it denies
permission rather than grant it.
In this case, none of the guest accounts are <EM
CLASS="emphasis"
>root</EM
> (we hope! <CODE
CLASS="literal"
>:-)</CODE
>).
They're members of the group called <EM
CLASS="emphasis"
>deny</EM
>, however&nbsp;- so that permission
(<CODE
CLASS="literal"
>---</CODE
>) is checked and the group members are shut out.
Other users who aren't members of <EM
CLASS="emphasis"
>deny</EM
> are checked for
&quot;other&quot; access (<CODE
CLASS="literal"
>r-x</CODE
>); they can get into the directory.</P
><P
CLASS="para"
>The same setup works for individual files (like programs).
Just be careful about changing system programs that are
<SPAN
CLASS="link"
>SUID or SGID (<A
CLASS="linkend"
HREF="ch01_23.htm"
TITLE="File Access Permissions "
>1.23</A
>)</SPAN
>.</P
><DIV
CLASS="sect1info"
><P
CLASS="SECT1INFO"
>- <SPAN
CLASS="authorinitials"
>JP</SPAN
>, <SPAN
CLASS="authorinitials"
>JIK</SPAN
></P
></DIV
></DIV
><DIV
CLASS="htmlnav"
><P
></P
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><TABLE
WIDTH="515"
BORDER="0"
CELLSPACING="0"
CELLPADDING="0"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_13.htm"
TITLE="22.13 Groups and Group Ownership "
><IMG
SRC="gifs/txtpreva.gif"
SRC="gifs/txtpreva.gif"
ALT="Previous: 22.13 Groups and Group Ownership "
BORDER="0"></A
></TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="book"
HREF="index.htm"
TITLE="UNIX Power Tools"
><IMG
SRC="gifs/txthome.gif"
SRC="gifs/txthome.gif"
ALT="UNIX Power Tools"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
><A
CLASS="SECT1"
HREF="ch22_15.htm"
TITLE="22.15 Juggling Permissions "
><IMG
SRC="gifs/txtnexta.gif"
SRC="gifs/txtnexta.gif"
ALT="Next: 22.15 Juggling Permissions "
BORDER="0"></A
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="172"
>22.13 Groups and Group Ownership </TD
><TD
ALIGN="CENTER"
VALIGN="TOP"
WIDTH="171"
><A
CLASS="index"
HREF="index/idx_0.htm"
TITLE="Book Index"
><IMG
SRC="gifs/index.gif"
SRC="gifs/index.gif"
ALT="Book Index"
BORDER="0"></A
></TD
><TD
ALIGN="RIGHT"
VALIGN="TOP"
WIDTH="172"
>22.15 Juggling Permissions </TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="515"
TITLE="footer"><IMG
SRC="gifs/smnavbar.gif"
SRC="gifs/smnavbar.gif"
USEMAP="#map"
BORDER="0"
ALT="The UNIX CD Bookshelf Navigation"><MAP
NAME="map"
><AREA
SHAPE="RECT"
COORDS="0,0,73,21"
HREF="../index.htm"
ALT="The UNIX CD Bookshelf"><AREA
SHAPE="RECT"
COORDS="74,0,163,21"
HREF="index.htm"
ALT="UNIX Power Tools"><AREA
SHAPE="RECT"
COORDS="164,0,257,21"
HREF="../unixnut/index.htm"
ALT="UNIX in a Nutshell"><AREA
SHAPE="RECT"
COORDS="258,0,321,21"
HREF="../vi/index.htm"
ALT="Learning the vi Editor"><AREA
SHAPE="RECT"
COORDS="322,0,378,21"
HREF="../sedawk/index.htm"
ALT="sed &amp; awk"><AREA
SHAPE="RECT"
COORDS="379,0,438,21"
HREF="../ksh/index.htm"
ALT="Learning the Korn Shell"><AREA
SHAPE="RECT"
COORDS="439,0,514,21"
HREF="../lrnunix/index.htm"
ALT="Learning the UNIX Operating System"></MAP
></DIV
></BODY
></HTML
>