Folder Permissions for individual users

Support for security such as Firewalls and securing linux
gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Folder Permissions for individual users

Post by gerald_clark » 2015/08/24 14:35:29

Go back and re-read the first answer to your post.

InitOrNot
Posts: 122
Joined: 2015/06/10 18:26:51

Re: Folder Permissions for individual users

Post by InitOrNot » 2015/08/24 14:41:56

gerald_clark wrote:Go back and re-read the first answer to your post.
I went, re-read it, and came back as I was. Perhaps you could be more verbose and less mysterious.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Folder Permissions for individual users

Post by gerald_clark » 2015/08/24 15:49:34


InitOrNot
Posts: 122
Joined: 2015/06/10 18:26:51

Re: Folder Permissions for individual users

Post by InitOrNot » 2015/08/25 00:03:10

What has that to do with the first answer to my post?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Folder Permissions for individual users

Post by gerald_clark » 2015/08/25 01:10:13

Read the last sentence of the post.
You can use the command line for ACLs.

InitOrNot
Posts: 122
Joined: 2015/06/10 18:26:51

Re: Folder Permissions for individual users

Post by InitOrNot » 2015/08/25 01:39:01

gerald_clark wrote:Read the last sentence of the post.
You can use the command line for ACLs.
Oh, I see what you mean.

But that is not the first answer to my post, instead it is the first answer to the OP.

InitOrNot
Posts: 122
Joined: 2015/06/10 18:26:51

Re: Folder Permissions for individual users

Post by InitOrNot » 2015/08/25 02:05:14

johncassell wrote:Hi all, thanks for all the replies. I can understand the logic in creating an ICT group and adding Jayne to it which then gives me the ability to add Anne to it at a later stage. That would certainly work for what we have now but there is one scenario that I'm pretty sure will crop up in the near future..

Folder 'Payroll'.
the 10 members of the 'Accounts' group have full r/w access to it.
There is a subfolder called 'Managers Expenses'

Mike & Neil need r/w access to this subfolder but they cannot be added into the 'Accounts' group because 99% of the stuff in that 'Payroll' folder is too sensitive for them. In Windows, it's possible to have a combination of multiple users and/or groups given all kinds of permissions at the same time. Does CentOS offer something to accommodate this?

If not I don't think it would be the end of the world, I'd just have to possibly locate the folder elsewhere but it's just good to know so I don't mess around unnecessarily.

Thanks
John
That folder structure matched with those permission requirements you are now describing, relating to Payroll, just do not lend themselves easily to the traditional UNIX permissions scheme. The solutions I see are:
  1. Change the folder structure, and do not put the "Managers Expenses" folder inside the "Payroll" folder. That's the easy, straightforward solution which I recommend.
  2. Play with fire and set only the "execute" bit to "others" in the "Payroll" folder (this allows "others" traversing that folder without having the permission to read its contents), like this:

    Payroll, drwxrwx--x (771), owner-user Accounts-group
           (subfolder) Managers_Expenses, drwxrwx--- (770), owner-user managers-expenses-group

     Where you would have to make sure Mike, Neil, and all the 10 members of the 'Accounts' group are individually added to the "managers-expenses-group". I do not recommend this approach, because as you can see it is fragile, not self-documenting, and has a high maintenance cost whenever new people are added or removed from your Organization's Departments (because the traditional UNIX permissions scheme does not allow for nested groups, i.e., a group to be member of another group).
  3. Use ACL, which are possible in CentOS but according to the post of user "chemal" in this thread there is no GUI out-of-the-box for managing them (I do not know, I run my servers in text-only mode). And I do not recommend you go fishing through the Intertubes for an RPM package with a pre-compiled version of the graphical tool to manage ACL in CentOS, nor do I recommend that you compile it yourself from source code, unless you know damn well what you are doing.
  4. Use Windows as file server, which has a native graphical tool to manage ACL.
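
The ACL route (option 3 in the post above) from the command line, as an added example that is not part of the original thread. The user names mike and neil and the directory paths are assumptions; the second function checks what a named user can actually do once the ACL mask is taken into account.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: users mike and neil,
# directories Payroll and Payroll/Managers_Expenses.

# Traverse-only on the parent, rwx on the subfolder, for the two users only.
# Run as the directory owner or root on a filesystem with POSIX ACL support.
grant_manager_acls() {  # $1 = parent dir, $2 = subfolder
    setfacl -m u:mike:--x,u:neil:--x "$1"     # may pass through, cannot list
    setfacl -m u:mike:rwx,u:neil:rwx "$2"     # read/write inside the subfolder
    setfacl -d -m u:mike:rwx,u:neil:rwx "$2"  # default ACL for new entries
}

# Print the effective rights of named user $1 from getfacl text on stdin.
# Named-user entries are capped by the mask entry, and chmod on the group
# bits rewrites the mask, so the granted and effective rights can differ.
effective_user_perms() {
    awk -F: -v who="$1" '
        /^#/ || NF < 3 { next }
        $1 == "mask" { mask = substr($3, 1, 3) }
        $1 == "user" && $2 == who { perm = substr($3, 1, 3) }
        END {
            if (perm == "") { print "none"; exit }
            if (mask == "") mask = "rwx"
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# Constructed getfacl output: the subfolder after a later `chmod 750`.
SAMPLE_AFTER_CHMOD='# file: Payroll/Managers_Expenses
# owner: root
# group: accounts
user::rwx
user:mike:rwx    #effective:r-x
user:neil:rwx    #effective:r-x
group::rwx       #effective:r-x
mask::r-x
other::---
default:user:mike:rwx'

printf '%s\n' "$SAMPLE_AFTER_CHMOD" | effective_user_perms mike
```

Against a live directory the check is `getfacl Payroll/Managers_Expenses | effective_user_perms mike`.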

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Folder Permissions for individual users

Post by giulix63 » 2015/08/25 10:08:12

InitOrNot wrote:
  • Use ACL, which are possible in CentOS but according to the post of user "chemal" in this thread there is no GUI out-of-the-box for managing them (I do not know, I run my servers in text-only mode). And I do not recommend you go fishing through the Intertubes for an RPM package with a pre-compiled version of the graphical tool to manage ACL in CentOS, nor do I recommend that you compile it yourself from source code, unless you know damn well what you are doing.
You can submit a request to Nux's repo. Repackaging from F22 source RPM is trivial. Only problem is gtkmm 3.12 is required, whereas C7 provides 3.8 only, but that just affects a cosmetic issue. Of course that will mean you get to test it on C7 (I am talking about eiciel, btw)... :)
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

johncassell
Posts: 14
Joined: 2015/08/13 13:21:58

Re: Folder Permissions for individual users

Post by johncassell » 2015/08/26 09:24:44

Hi, thanks again for the replies. I've read through them and am going to take this piece of advice from InitOrNot

1. Change the folder structure, and do not put the "Managers Expenses" folder inside the "Payroll" folder. That's the easy, straightforward solution which I recommend.

As it doesn't seem really straightforward (although possible), I'm going to keep it simple, as I'm new to Linux and still grappling with the basics. It may never turn out that we need a 'Managers Expenses' scenario but if we do then I will discuss with users the best place to put that to keep the security simple. If they insist on it being a subfolder then I have your replies to come back to and will look more closely at the alternative options.

Once again thank you for your replies, they are really appreciated and would like to add that one of the worries I had was a lack of support for a Linux system but I've been really impressed so far with the help offered on this site.

Thanks
John
