set-GID for collaboration, sticky bit

additional permission bits

  1. set user id (SUID)
  2. set group id (SGID)
  3. sticky bit

SGID on a directory - files and subdirectories created inside inherit the directory's group owner instead of the creator's primary group
sticky bit on a directory - a file in it can be deleted or renamed only by the file's owner, the directory's owner, or root; write permission on the directory alone is no longer enough
with the sticky bit set you can remove a file only if you are
a) owner of the directory
b) owner of the file
(root can always remove it)
===========
usermod -aG sales lisa - appends sales to lisa's secondary groups (takes effect on her next login)
usermod -G sales lisa - without -a, -G replaces all of lisa's existing secondary group assignments with sales

===========
[linda@localhost sales]$ ls -lart
total 0
drwxr-xr-x. 3 root  root  19 Oct 15 09:29 ..
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda1
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda3
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda2
drwxrwx---. 2 root  sales 48 Oct 15 09:32 .
[linda@localhost sales]$ 
===========
user lisa, although a member of the same group sales, cannot modify the files created by linda: they were created before SGID was set, so they carry linda's primary group (linda) and lisa only gets the "other" bits, r--
===========
[root@localhost test]# chmod g+s sales/
[root@localhost test]# ls -lart
total 4
dr-xr-xr-x. 25 root root  4096 Oct 14 16:34 ..
drwxr-xr-x.  3 root root    19 Oct 15 09:29 .
drwxrws---.  2 root sales   48 Oct 15 09:32 sales
[root@localhost test]#
============
[root@localhost test]# cd sales/;touch root{1..2}
[root@localhost sales]# ls -lart
total 0
drwxr-xr-x. 3 root  root  19 Oct 15 09:29 ..
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda1
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda3
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda2
-rw-r--r--. 1 root  sales  0 Oct 15 09:34 root2
-rw-r--r--. 1 root  sales  0 Oct 15 09:34 root1
drwxrws---. 2 root  sales 74 Oct 15 09:34 .
[root@localhost sales]# 
=============
[root@localhost sales]# su - linda
Last login: Sun Oct 15 09:31:44 EDT 2017 on pts/0
[linda@localhost ~]$ cd /test/sales/
[linda@localhost sales]$ touch linda4
[linda@localhost sales]$ ls -lart
total 0
drwxr-xr-x. 3 root  root  19 Oct 15 09:29 ..
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda1
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda3
-rw-rw-r--. 1 linda linda  0 Oct 15 09:32 linda2
-rw-r--r--. 1 root  sales  0 Oct 15 09:34 root1
-rw-rw-r--. 1 linda sales  0 Oct 15 09:37 linda4
drwxrws---. 2 root  sales 75 Oct 15 09:37 .
[linda@localhost sales]$ ls -d
.
[linda@localhost sales]$ ls -ladrt
drwxrws---. 2 root sales 75 Oct 15 09:37 .
[linda@localhost sales]$ 
=============
lisa can delete linda's files because lisa is a member of group sales, which has write (and execute) permission on the directory; unlinking a file is decided by the directory's permissions, not by the file's own mode

[linda@localhost sales]$ su - lisa
Password:
[lisa@localhost ~]$ cd /test/sales/
[lisa@localhost sales]$ rm -f linda*
[lisa@localhost sales]$ ls -lart
total 0
drwxr-xr-x. 3 root root  19 Oct 15 09:29 ..
-rw-r--r--. 1 root sales  0 Oct 15 09:34 root1
drwxrws---. 2 root sales 19 Oct 15 09:38 .
[lisa@localhost sales]$
=============
to prevent lisa from deleting linda's files we need the sticky bit on the directory
=============
[root@localhost sales]# chmod +t .
[root@localhost sales]# ls -lartd
drwxrws--T. 2 root sales 19 Oct 15 09:38 .
[root@localhost sales]#

the capital T in drwxrws--T means the sticky bit is set while "others" have no execute permission. The sales directory is owned by root, not by lisa (group sales only holds the group bits), so the sticky bit now applies to lisa: she can still write to linda1, because the file's own mode still grants write to its group, but she can no longer delete (or rename) it

[lisa@localhost sales]$ echo text >> linda1
[lisa@localhost sales]$ cat linda1
text
[lisa@localhost sales]$ rm -f linda1
rm: cannot remove ‘linda1’: Operation not permitted
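Added example, not part of the original post: a small POSIX shell script that builds a collaboration directory the way the transcript does (group-writable, SGID, sticky bit, i.e. mode 3770), checks from the ls mode string that both special bits really took, and audits a directory tree for directories that are group- or world-writable but lack the sticky bit, which is the state the sales directory was in when lisa could delete linda's files. It assumes a GNU/Linux userland (ls, awk, find) and creates no users or groups; the group argument of setup_shared_dir is an assumption of this example and is optional so the script also runs as an ordinary user.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU/Linux ls, awk, find.
set -u

# Print the 10-character mode string of a path, e.g. "drwxrws--T"
# (a trailing SELinux "." or ACL "+" character is cut off).
mode_string() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Create (or reuse) the shared directory. Octal 3770 is
# sticky (1000) + SGID (2000) + rwxrwx--- (770): group members can create
# files, new files inherit the group, and only a file's owner, the
# directory owner or root can delete or rename a file.
# The group argument is optional (hypothetical; chgrp needs membership or root).
setup_shared_dir() {
    dir=$1
    group=${2:-}
    mkdir -p "$dir" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dir" || return 1
    fi
    chmod 3770 "$dir"
}

# Verify both special bits from the mode string: 's' in the group execute
# slot means SGID plus group execute, 't' or 'T' in the "other" execute slot
# means sticky ('T' when others have no execute, as in drwxrws--T).
check_shared_dir() {
    m=$(mode_string "$1")
    case "$m" in
        d?????s??[tT]) return 0 ;;
        *) echo "not a hardened shared directory: $1 ($m)" >&2; return 1 ;;
    esac
}

# List directories below $1 that are group- or world-writable but have no
# sticky bit: there any group member (or anyone) can delete or rename other
# users' files, exactly what lisa did to linda's files above.
audit_writable_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000 2>/dev/null
}

# Usage: "sh script.sh demo" builds one hardened and one loose directory
# under a temporary base and audits them.
if [ "${1:-}" = "demo" ]; then
    base=$(mktemp -d)
    setup_shared_dir "$base/sales"
    mkdir "$base/loose" && chmod 2770 "$base/loose"
    check_shared_dir "$base/sales" && echo "sales: ok ($(mode_string "$base/sales"))"
    echo "directories needing a sticky bit:"
    audit_writable_dirs "$base"
    rm -rf "$base"
fi
```

The audit uses the directory's permission bits only; as the transcript shows, the sticky bit stops deletion and renaming but not writes, so a group-writable file in such a directory can still be modified or truncated by every group member.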
