2004-04-08 06:47:18

by Dhruv Gami

Subject: setgid - its current use

Hello Everyone,

A long time back there was discussion over setuid/setgid and how it's been
replaced by Capabilities (This is what I understood from the
archives...please correct me if I'm wrong).

I'd like to know the possibility of using setgid for users to switch their
groups and work as a member of a particular group. Essentially, if I want
one user, who belongs to groups X, Y and Z, to create a file as a member of
group Y while he's logged on as a member of group X, would it be possible
through setgid() ?

Would I need to change all programs that need this capability ?

Or is there a way in the kernel to achieve this ?

Can I use capabilities in some way to achieve this ?

Any pointers would be really helpful. I don't mind reading up on heavy
documentation, if I only know where to look.

Also, I'm not subscribed to this list, so I'd appreciate it if replies
could be CC'd to [email protected]. If there's any other information
that I should provide to clarify my question, please let me know.

Thanks !

regards,
Gami
--
Dhruv Gami
http://d10systems.com
http://d10systems.com/gami


2004-04-08 07:41:38

by Denis Vlasenko

Subject: Re: setgid - its current use

On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
> Hello Everyone,
>
> A long time back there was discussion over setuid/setgid and how its been
> replaced by Capabilities (This is what i understood from the
> archives...please correct me if im wrong).
>
> I'd like to know the possibility of using setgid for users to switch their
> groups and work as a member of a particular group. Essentially, if i want
> one user, who belongs to groups X, Y and Z to create a file as a member of
> group Y while he's logged on as a member of group X, would it be possible
> through setgid() ?

it is possible through chmod
--
vda

2004-04-08 08:07:19

by Dhruv Gami

Subject: Re: setgid - its current use

On Thu, 8 Apr 2004, Denis Vlasenko wrote:

> On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
> > I'd like to know the possibility of using setgid for users to switch their
> > groups and work as a member of a particular group. Essentially, if i want
> > one user, who belongs to groups X, Y and Z to create a file as a member of
> > group Y while he's logged on as a member of group X, would it be possible
> > through setgid() ?
>
> it is possible through chmod

but that would be an explicit way of doing it, right ? I'm looking for
doing this via some system calls or something transparent to the user. At
most I'd like to query the user for the group as which he wants to work.
Which would essentially be a question I ask at login or beginning of a
session.

regards,
Gami

--
Dhruv Gami
D10 Systems
http://d10systems.com
http://d10systems.com/gami

2004-04-08 11:49:25

by Miquel van Smoorenburg

Subject: Re: setgid - its current use

In article <[email protected]>,
Dhruv Gami <[email protected]> wrote:
>On Thu, 8 Apr 2004, Denis Vlasenko wrote:
>
>> On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
>> > I'd like to know the possibility of using setgid for users to switch their
>> > groups and work as a member of a particular group. Essentially, if i want
>> > one user, who belongs to groups X, Y and Z to create a file as a member of
>> > group Y while he's logged on as a member of group X, would it be possible
>> > through setgid() ?
>>
>> it is possible through chmod
>
>but that would be an explicit way of doing it, right ? I'm looking for
>doing this via some system calls or something transparent to the user. At
>most I'd like to query the user for the group as which he wants to work.
>Which would essentially be a question I ask at login or beginning of a
>session.

"man newgrp(1)".

Mike.

2004-04-08 14:09:34

by Jesse Pollard

Subject: Re: setgid - its current use

On Wednesday 07 April 2004 22:06, Dhruv Gami wrote:
> On Thu, 8 Apr 2004, Denis Vlasenko wrote:
> > On Thursday 08 April 2004 04:46, Dhruv Gami wrote:
> > > I'd like to know the possibility of using setgid for users to switch
> > > their groups and work as a member of a particular group. Essentially,
> > > if i want one user, who belongs to groups X, Y and Z to create a file
> > > as a member of group Y while he's logged on as a member of group X,
> > > would it be possible through setgid() ?
> >
> > it is possible through chmod
>
> but that would be an explicit way of doing it, right ? I'm looking for
> doing this via some system calls or something transparent to the user. At
> most I'd like to query the user for the group as which he wants to work.
> Which would essentially be a question I ask at login or beginning of a
> session.

You want the "newgrp" utility.

From the manpage:

Newgrp changes the group identification of its caller, analogously to
login(1). The same person remains logged in, and the current directory
is unchanged, but calculations of access permissions to files are
performed with respect to the new group ID.

If no group is specified, the GID is changed to the login GID.

2004-04-08 17:42:33

by Albert Cahalan

Subject: Re: setgid - its current use

Dhruv Gami writes:
> On Thu, 8 Apr 2004, Denis Vlasenko wrote:
>> On Thursday 08 April 2004 04:46, Dhruv Gami wrote:

>>> I'd like to know the possibility of using setgid for users
>>> to switch their groups and work as a member of a particular
>>> group. Essentially, if i want one user, who belongs to
>>> groups X, Y and Z to create a file as a member of group Y
>>> while he's logged on as a member of group X, would it be
>>> possible through setgid() ?
>>
>> it is possible through chmod
>
> but that would be an explicit way of doing it, right ?
> I'm looking for doing this via some system calls or something
> transparent to the user. At most I'd like to query the user
> for the group as which he wants to work. Which would
> essentially be a question I ask at login or beginning of a
> session.

I think you need user-private groups and setgid directories.

First of all, ensure that each user has a group of
their own. Do NOT put all users into a "users" group.
So user "gami" would be in group "gami", or maybe
a "gami_group" group if you prefer. Have the home
directories owned by these groups.

Second, set the umask to allow group write access.
(this is why you need the user-private groups)

Now suppose you have two users, bill and tom,
who need to work together on the spamming project.
Create a group called "spamming". Create a project
directory /projects/spamming owned by root and
in the spamming group. Make this directory setgid
and group writable. Any files created in this
directory will be owned by the spamming group.
Due to the umask setting, permissions on these
new files will allow access by all group members.
The setgid bit will propagate to any newly created
directories, but not to newly created files.
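The recipe above, exercised in a throwaway directory so the three claims (new files take the directory's group, the setgid bit propagates to subdirectories, and it does not propagate to regular files) can be checked without root. This is an added example, not code from the thread; it assumes GNU stat/id/awk and uses a group the current user already belongs to in place of the "spamming" group.

```shell
#!/bin/sh
# Added example: observe the setgid-directory + umask behaviour in a
# temporary directory. Assumes GNU coreutils (stat -c) and a Linux host.
set -e

# Prints "ok" when all three observed properties hold, otherwise prints
# the failing property and returns non-zero.
check_setgid_dir() {
    proj=$(mktemp -d)
    # Stand-in for the project group: the last group the caller is in
    # (a secondary group where one exists, else the primary group).
    grp=$(id -G | awk '{ print $NF }')
    chgrp "$grp" "$proj"
    chmod 2770 "$proj"          # drwxrws--- : setgid bit + group writable
    (
        umask 002               # group members may write newly created files
        touch "$proj/notes.txt"
        mkdir "$proj/sub"
    )
    dir_gid=$(stat -c %g "$proj")
    file_gid=$(stat -c %g "$proj/notes.txt")
    file_mode=$(stat -c %a "$proj/notes.txt")   # expect 664: no setgid on files
    sub_mode=$(stat -c %a "$proj/sub")          # expect 2775: setgid inherited
    rm -rf "$proj"
    [ "$file_gid" = "$dir_gid" ] || { echo "group not inherited"; return 1; }
    [ "$sub_mode" = "2775" ] || { echo "setgid missing on subdir: $sub_mode"; return 1; }
    [ "$file_mode" = "664" ] || { echo "unexpected file mode: $file_mode"; return 1; }
    echo ok
}

check_setgid_dir
```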


2004-04-09 01:46:53

by Rob Couto

Subject: Re: setgid - its current use

> I think you need user-private groups and setgid directories.
>
> First of all, ensure that each user has a group of
> their own. Do NOT put all users into a "users" group.
> So user "gami" would be in group "gami", or maybe
> a "gami_group" group if you prefer. Have the home
> directories owned by these groups.
>
> Second, set the umask to allow group write access.
> (this is why you need the user-private groups)
>
> Now suppose you have two users, bill and tom,
> who need to work together on the spamming project.
> Create a group called "spamming". Create a project
> directory /projects/spamming owned by root and
> in the spamming group. Make this directory setgid
> and group writable. Any files created in this
> directory will be owned by the spamming group.
> Due to the umask setting, permissions on these
> new files will allow access by all group members.
> The setgid bit will propagate to any newly created
> directories, but not to newly created files.
>

that must be the fine-grained control _i_ was after!! thank you... and we
thought mandrake was a little stupid for doing new users that way... neural
oops

--
Rob Couto [[email protected]]
Rules for computing success:
1) Attitude is no substitute for competence.
2) Ease of use is no substitute for power.
3) Safety matters; use a static-free hammer.
--