home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  

UNIX Power Tools

UNIX Power ToolsSearch this book
Previous: 22.13 Groups and Group Ownership Chapter 22
File Security, Ownership, and Sharing
Next: 22.15 Juggling Permissions

22.14 Add Users to a Group to Deny Permission

Usually, UNIX group access (22.13 ) allows a group of users to access a directory or file that they couldn't otherwise access. You can turn this around, though, with groups that deny permission.

NOTE: This trick works only on UNIX systems, like BSD, that let a user belong to more than one group at the same time.

For example, you might work on a computer that has some proprietary files and software that three "guest" accounts shouldn't be able to use. Everyone else on the computer should have access. To do this, put the software in a directory owned by a group named something like deny . Then use chmod to deny permission to that group:

# chmod 705 /usr/local/somedir

# ls -lgd /usr/local/somedir

drwx--r-x  2     root   deny        512  Mar 26 12:14 /usr/local/somedir

Finally, add the guest accounts to the deny group (in the /etc/group file).

UNIX checks permissions in the order user -group -other . The first applicable permission is the one used, even if it denies permission rather than grant it. In this case, none of the guest accounts are root (we hope! :-) ). They're members of the group called deny , however - so that permission (--- ) is checked and the group members are shut out. Other users who aren't members of deny are checked for "other" access (r-x ); they can get into the directory.

The same setup works for individual files (like programs). Just be careful about changing system programs that are SUID or SGID (1.23 ) .

- JP , JIK

Previous: 22.13 Groups and Group Ownership UNIX Power Tools Next: 22.15 Juggling Permissions
22.13 Groups and Group Ownership Book Index 22.15 Juggling Permissions

The UNIX CD Bookshelf NavigationThe UNIX CD BookshelfUNIX Power ToolsUNIX in a NutshellLearning the vi Editorsed & awkLearning the Korn ShellLearning the UNIX Operating System