I'm having some trouble understanding the group and user privileges.
So let's say I make a group.. and assign some users to the groups that I made.
How would I --
1) Allow different groups and different users to have full privileges over a file with .X extension
ex. I want user John to be able to read write execute files that end in .dat
ex. I want group Moderators to be able to read write execute files that end in .sh
2) Ban or block certain file names no matter the extension from said user.
ex. I want to ban Harry from any file that has the word MySQL in it
I'm almost certain this has something to do with chmod, but i'm not sure how I can edit permissions to a specific user/group to a file extension or file name.
I know each number in chmod corresponds to OWNER, GROUP, WORLD
But how would I specify what group or person?
I hope you understand what help I'm asking, and I appreciate all your help as always!
Thank you!
EDIT: Now that I think about it.. i would need to use a regular expression to specify what file name or extension, right?
This would change the owner of a file to everyone in a group, or specific user?
But how does this go with blocking a group or users access to a file name or file extension?
This is easily accomplished using chmod, like agn suggested, but not if you want to do this with more than one group or user (to accomplish this see 2.)
This is not possible with the standard Unix group membership mechanism. It is possible with Access Control Lists if your OS supports them, but not in a general policy sense (although it is possible to enforce a default policy on a per directory basis). You would have to use a tool to visit files with such an extension and apply the ACL. You could use something like find or perhaps use a configuration management application.
An alternative to ACL's might be to use sudo to allow groups of users to become a functional user so that they may acquire certain rights that they ordinarily would not have. You can then deny those rights to other (groups of) users .
I will list below the current script; however, I've encountered my last problem.
-I want to make the group BANNED, have no access to the files with .log extension
-I want to make the group WRITEABLE, have write access to the files with .log extension
How can I do that if a file can only be assigned to one group?
I've already assigned the group BANNED to the .log files already, so now i'm stuck with the WRITEABLE group and how I can also assign the group to .log files with BANNED group.
Here is my current script
#Input of new users
echo "Please enter new username"
echo "User 1..."
read newUser1
echo "User 2..."
read newUser2
echo "User 3..."
read newUser3
echo "User 4..."
read newUser4
echo "User 5..."
read newUser5
#Input of new groups
echo "Please enter name of group one"
read group1
echo "Please enter name of group two"
read group2
#creates 2 groups
sudo groupadd $group1
sudo groupadd $group2
#creates first 3 users and adds them to group 1
echo "Assigning users: $newUser1, $newUser2, $newUser3, to group $group1"
sudo useradd -m -s /bin/bash -G $group1 $newUser1
sudo useradd -m -s /bin/bash -G $group1 $newUser2
sudo useradd -m -s /bin/bash -G $group1 $newUser3
#creates last 2 users and adds them to group 2
echo "Assigning users: $newUser4, $newUser5, to group $group2"
sudo useradd -m -s /bin/bash -G $group2 $newUser4
sudo useradd -m -s /bin/bash -G $group2 $newUser5
#creates an extra two groups for BANNED and WRITE-able users
sudo groupadd banned
sudo groupadd writeable
#applies group privileges
sudo chgrp $group1 *.dat
sudo chmod 774 *.dat
sudo chgrp $group2 config*
sudo chmod 774 config*
sudo usermod -G banned $newUser2
sudo usermod -G banned $newUser4
sudo chgrp banned *.log
sudo chmod 704 *.log
sudo usermod -G writeable $newUser3
sudo usermod -G writeable $newUser5 #hm, how can I add the group writeable to *.log, when group banned is already assigned? And how can I give them special permissions?
#applies user privileges
chown $newUser1 *.txt
chmod 771 *.txt
---------- Post updated at 07:52 PM ---------- Previous update was at 07:18 PM ----------
Oh! One way this could be done is just chmod the .log files. Where X= whatever
chmod xx2
However this would be for everyone else, not just the other users or users in WRITEABLE group.
But you probably do not want to do this, since it is highly insecure.
But what do you need the group "banned" for? If for example you control access with a group "allowed" and disallow these rights to other then everyone who is not a member is automatically banned.