22.14 Add Users to a Group to Deny Permission
Usually, UNIX group access (22.13) allows a group of users to access a directory or file that they couldn't otherwise access. You can turn this around, though, with groups that deny permission.
For example, you might work on a computer that has some proprietary files and software that three "guest" accounts shouldn't be able to use. Everyone else on the computer should have access. To do this, put the software in a directory owned by a group named something like deny. Then use chmod to deny permission to that group:
Finally, add the guest accounts to the deny group (in the /etc/group file).
UNIX checks permissions in the order user-group-other. The first applicable permission is the one used, even if it denies permission rather than granting it. In this case, none of the guest accounts are root (we hope!).
The same setup works for individual files (like programs). Just be careful about changing system programs that are SUID or SGID (1.23).
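The user-group-other check order described above, modelled as a shell function. This is an added example, not code from the original text; the uids, gids and the mode 705 are constructed sample values, and only plain mode bits are modelled (no ACLs).

```shell
#!/bin/sh
# Model of the classic UNIX permission check: exactly one class is
# selected (user, then group, then other) and only that class's bits
# are consulted, even when a later class would have granted access.

# can_access MODE FILE_UID FILE_GID UID "GID_LIST" WANT
#   MODE     octal mode such as 705
#   GID_LIST space-separated gids the user belongs to
#   WANT     one of r, w, x
# Prints "allow" or "deny".
can_access() {
    mode=$1 fuid=$2 fgid=$3 uid=$4 gids=$5 want=$6
    m=$((0$mode))                       # leading 0 makes it octal
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) echo "WANT must be r, w or x" >&2; return 2 ;;
    esac

    # Simplification: root skips the mode-bit check entirely.
    if [ "$uid" -eq 0 ]; then echo allow; return 0; fi

    if [ "$uid" -eq "$fuid" ]; then
        class=$(( (m >> 6) & 7 ))       # owner bits, nothing else
    else
        class=$(( m & 7 ))              # "other" unless a group matches
        for g in $gids; do
            if [ "$g" -eq "$fgid" ]; then
                class=$(( (m >> 3) & 7 ))   # group bits win over other
                break
            fi
        done
    fi

    if [ $(( class & bit )) -ne 0 ]; then echo allow; else echo deny; fi
}

# Constructed scenario: directory owned by root, group "deny" (gid 900),
# mode 705 (rwx---r-x). Guest uid 1001 is in gid 900; uid 1002 is not.
echo "guest, member of deny: $(can_access 705 0 900 1001 '100 900' x)"
echo "ordinary user:         $(can_access 705 0 900 1002 '100' x)"
```
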