Directory Permissions for 2 users on 1 directory

We want to allow a user to FTP files into a directory; the program (PL/SQL) will then read and process the file and move it to another directory for archiving.

The user ID: uftp1, group: ftp
The program runs in the Oracle database, thus has the user ID: oraprod, group: dba

How do we configure the directory so that the directory, and all files subsequently FTPed by the user, are both readable and writable by both user IDs (uftp1 and oraprod)?

Hi,

You may consider putting user oraprod in the ftp group as a secondary group, then making the content of the directory where FTPed files are stored r/w for the ftp group (you may also consider creating a new group to which both users belong, and assigning r/w privs to this group in the said directory).

You should be able to use usermod -G to assign users to additional groups (check the man pages anyway).

see ya
fra

Making the user uftp1 a member of dba, or oraprod a member of ftp, may lead to a security hole, as either way will open the door for the uftp1 or the oraprod user to have access to the resources that ftp or dba owns.

Creating a separate group for uftp1 and oraprod is a better approach.

But the best approach in terms of security in this scenario would be to make use of an ACL and the SGID bit. I will explain the approach here:

  1. Suppose /u01 is the directory in question. Make oraprod and dba the owner and group of the directory:

     chown oraprod:dba /u01

  2. Give 770 permission on /u01:

     chmod 770 /u01

  3. Turn on the SGID bit on /u01 so that when the uftp1 user creates any file in the directory, the group owner of the directory (dba) will own the newly created file by default rather than ftp. This will help the oraprod user to have permission on the file, as it's a member of the group.

     chmod g+s /u01

  4. Now you have to set an ACL for the user uftp1 on /u01. The syntax varies depending on whether it's a ZFS or UFS filesystem.

     For ZFS:

     chmod A+user:uftp1:add_file/write_data/read_data/execute:allow /u01
     ls -ldv /u01 ## to verify the ACL

     For UFS:

     setfacl -m u:uftp1:rwx /u01
     getfacl /u01 ## to verify the ACL

That's it, and you are all set up.
