I have a file created by oracle user with permission rw-r--r-- and the parent folder has rwxrwsr-x permission. Now, there is a requirement for batch user to edit this file. But, as you can see, the file can be edited only by the owner i.e Oracle user.
I tried using chmod command to change the permission of the file but batch user is not having permission to execute this command.
Is there any fix for this issue?
Can we do some configuration in UNIX so that it allows batch user to edit the file created by oracle user.
Edit: Corrected the parent folder permission. Earlier i mentioned it as rwxrw-r-x
The directory permissions for 'group' (rw-) are unusual (rwx or r-x would be more usual).
You don't identify which group the file belongs to, nor which group the directory belongs to, nor which group(s) the batch user belongs to, but it probably doesn't matter.
Update after quoted permissions on directory changed: Given that the group can read the file, and create files in the directory, then if your batch user belongs to the group that owns the directory, the batch user can make a copy of the file (in the editor), remove the original file, and write back a new file in the directory.
Does your system support ACLs (access control lists)? If so, then the 'oracle' user as the file owner could grant the batch user read/write access to the file even though the normal Unix permissions don't show that it could happen.
Can you persuade the 'oracle' user to create the file belonging to an appropriate group (one which the batch user also belongs to) and with appropriate group permissions.
If nothing works there, then you are reduced to SUID programs in some shape or form - maybe SUID 'oracle' or SUID 'root'. One option was mentioned in a comment - the sudo command with some vaguely appropriate arguments.
I notice you have the +s bit set on the directory.....
if you change the directory owner to that of the batch user the owner of any newly created files should be owned by that user and you can then do what you want with them
If your batch user is in the same group as the oracle user, you can do this:
chmod g+w filename
This should make the file writable for the group.
Run the UNIX command groups to determine which groups a user is in, or check /etc/passwd, /etc/group
Related
my terminal output
In the posted screenshot you can see that I've created a directory named 'test' and then removed its execute permission to check if I can create a directory or file inside it without this permission.
But to my surprise, I can't create anything inside this 'test' dir despite having write permissions.
Can anyone explain what could be the reason behind this?
A combination of the letters 'ugoa' controls which users' access to the file will be changed: the user who owns it (u), other users in the file's group (g), other users not in the file's group (o), or all users (a).
So in your case u-x :- you have removed permission for user(yourself as you are one who has created the folder) hence it can not create anything inside test folder.
I have a unix shell script file whose owner is "xyz" when run deletes some specific files.
I want to trigger this script to delete files in some other directory where the owner for the files to be deleted is different from the owner of the script. Is this possible? Is this possible to run this script as different user so that it can delete those new files?
EDIT : I use Autosys to periodically trigger this script.
You can chmod the files that need to be deleted first if you have sufficient rights. Afterwards your script, no matter what user it executes, will succeed.
Examples : http://en.wikipedia.org/wiki/Chmod
Usually you use sudo for that:
sudo -u ANOTHER_USER /path/to/the/script.sh
However, your current account needs proper permissions to do so. You can configure those permissions using the file /etc/sudoers.
You'll find a ton of articles out there how to use sudo. This for example: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch09:_Linux_Users_and_Sudo
I have made a script for installing a control panel.
I've uploaded the script to a server so people can wget it to their machines.
The only issue is that you have to chmod it after download. Is there a way to remove this step? How would I go about keeping 755 perms on the downloaded script?
When a user downloads the file, the file will automatically get some default permission. In UNIX, each user will have a default set of permissions which apply to all files created by that user, unless you explicitly set it to something else.
This default is called the umask, after the command used to change it. It is either inherited from the login process, or set in the .shrc or .login file which configures an individual account, or it can be run manually.
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
-rw-r--r-- for regular files, or
drwxr-xr-x for directories.
In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories. As you see above, the execution access is not default for files.
Hence you need to explicitly change it.
I have a shared directory. The directory's groupid is dev and many users are members of the group dev.
Now I need to give all the files created under the folder to have the same permission say, rwxrwxr--.
How would I do that? One solution that came to my mind is:
I would need a 2 shell scripts executable by all members of the group. One script should change the umask after checking that the current directory's groupID is dev. The other should change the umask to the previous default value.
Please let me know how to do this in shell script.
You can avoid the use of shell scripts by applying a default POSIX ACL (Access Control List) to the shared directory. e.g. On linux:
setfacl -m d:u::rwx,d:g::rwx,d:o::r,d:g:dev:rwx /shared/dir
The default ACL applied to /shared/dir above overrides the user's umask setting when new files are subsequently created in /shared/dir. The following is cut from the acl(5) man page on linux:
OBJECT CREATION AND DEFAULT ACLs
The access ACL of a file object is initialized when the object is
created
with any of the creat(), mkdir(), mknod(), mkfifo(), or open()
functions.
If a default ACL is associated with a directory, the mode parameter
to
the functions creating file objects and the default ACL of the
directory
are used to determine the ACL of the new object:
The new object inherits the default ACL of the containing directory
as its access ACL.
The access ACL entries corresponding to the file permission
bits are modified so that they contain no permissions that are not
contained
in the permissions specified by the mode parameter.
Create a single shell script to copy files into the shared directory. In that shell script, set the permissions on the file after copying. Make sure the directory has the SGID bit set; all files created in the directory will automatically belong to the group that owns the directory - dev in your scenario. Note that MacOS X effectively always has the SGID bit set on directories; that is, when a file is created, its group is the group that owns the directory.
Chastise anyone who self-evidently does not use the shell script, leaving files with the incorrect permissions.
Worry about whether all files should be executable; documents should not.
Worry about whether all files should be writable; where is the version control system in all this?
(I'd be happier with 444 permissions on the files - except for the few programs where 554 might be sensible.)
The question of the title doesn't seem related to the question in the body, but to answer the question in the title:
id=$( stat -f %g directory )
We have two users:
user1
user2
They both belong to the group 'admin'.
We have a directory that has been set to 775. The directory's group has been changed to 'admin'. Each user has full access to write into that directory, though when a user writes a new file to the directory, the group permissions of the folder are not persisted to the file that was written.
How should we make it so that files inherit the directory's group permissions?
Clarification: when a new file or directory is written, it uses the users' group as the group of the new file, rather than that of the directory, which makes sense - but how do I not make that happen?
You can propagate group permissions by setting the directory's setgid bit (chmod g+s). This may not be portable across all *nixes and all file systems.
http://en.wikipedia.org/wiki/Setuid#setgid_on_directories
http://www.gnu.org/software/coreutils/manual/html_node/Directory-Setuid-and-Setgid.html
If you are using ext3 or ReiserFS, this page about creating a Linux file server may help. Specifically step 7 suggests the following command.
setfacl -d -m g:sales:rw /groups/sales
I think you should look here.
As the site says, "Unix doesn't support the idea of inherited permissions."
However, there is a section on ACLs (Access Control Lists), which I think is what you are looking for. By setting up an ACL, you can have your files inherit the same ACL from the directory, which I think is what you are asking for. setfacl is the shell command that will be what you need to look into.
Hope that helps!