Thanks to all who responded. Some actually answered my question and gave instructions on how to do it with big crazy RBAC, while others admonished me to not use such a big hammer when setfacl (POSIX file access control list settings) should do the trick neatly. This is Solaris 8 SPARC 7/01, by the way.

I chose the facls method. It was a daunting mess due to missing documentation on Docs.Sun.COM. Fortunately Softpanorama came through as usual with the missing info:

http://www.softpanorama.org/Solaris/ACL/index.shtml

To give a bit more detail on my scenario: we have a multi-customer host that dishes out confidential, unique info to clients. Obviously it's necessary that they not see each others' files, but the user oracle had to be able to dish out said files. So 'trivial' or traditional unix perms were not appropriate to the task.

Solution:

1) Create individual home dirs for users that have 700 traditional unix permissions. This way nobody can peer at others' files.

2) Set initial default inheritance capability in facls (the part they failed to mention on docs.sun.com). This enables you to specify the acl behaviour of files dropped in the directory:

setfacl -r -m default:user::rwx,default:group::---,default:other:---,default:mask:rwx ~bob/

3) Give oracle and the customer the ability to manipulate the files, despite not being listed in the trivial acl:

setfacl -r -m default:user:oracle:rwx ~bob/
setfacl -r -m default:user:bob:rwx ~bob/

4) Repeat similar for other clients.

5) Check it and confirm with real world testing:

root@Lumpy~bob[8]14:22#getfacl ~bob/
# file: bob
# owner: bob
# group: clients
user::rwx
user:oracle:rwx         #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:user:oracle:rwx
default:user:bob:rwx
default:group::---
default:mask:rwx
default:other:---

Seems good now.

thx
jake

I wrote:
> Is it appropriate to use RBAC to allow one user to write files
> in the directory of another user? We need 600 perms for user bob's
> home but want user oracle to dump output there. If RBAC is the right
> way to do this, would someone give recipe/example please? I can't
> digest the entire RBAC documentation before deadline.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Aug 29 15:06:19 2008
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:11 EST
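Editor's added example for step 5 above (this is not part of jake's post or of Sun's tooling): a small Python audit script that parses the text getfacl prints, applies the POSIX.1e mask rule itself instead of trusting the "#effective:" trailers, and reports who can actually reach the directory, what new files in it will inherit, and whether anyone outside an allow-list still gets in. The embedded sample is the getfacl ~bob/ listing from the post; the Solaris 8 getfacl output format and the generic "(file owner)" / "(file group)" labels for the default ACL are assumptions made here.

```python
"""Audit a Solaris getfacl(1) listing: who can really reach a directory and
what files dropped into it will inherit. Added example, not from the post;
assumes the Solaris 8 getfacl text format. POSIX.1e mask rule: the mask caps
named users, the owning group and named groups, never the owner or 'other'."""
from dataclasses import dataclass, field

# Sample input: the getfacl ~bob/ listing from the post, verbatim.
SAMPLE_GETFACL = """\
# file: bob
# owner: bob
# group: clients
user::rwx
user:oracle:rwx         #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:user:oracle:rwx
default:user:bob:rwx
default:group::---
default:mask:rwx
default:other:---
"""
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

def perms_to_bits(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(bit for ch, bit in PERM_BITS if ch in perms)

def bits_to_perms(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS)

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    access: dict = field(default_factory=dict)   # (tag, qualifier) -> bits
    default: dict = field(default_factory=dict)  # inherited by new files

def parse_getfacl(text):
    """getfacl's '#effective:' trailers are dropped; effective access is
    recomputed below rather than trusted from the listing."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # "# owner: bob" headers
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                setattr(acl, key.strip(), value.strip())
            continue
        fields = line.partition("#")[0].strip().split(":")
        target = acl.access
        if fields[0] == "default":
            target, fields = acl.default, fields[1:]
        tag = fields[0]
        if tag in ("user", "group"):                  # user::rwx, user:oracle:rwx
            qualifier, perms = fields[1], fields[2]
        else:                                         # mask:rwx, other:---
            qualifier, perms = "", fields[1]
        target[(tag, qualifier)] = perms_to_bits(perms)
    return acl

def effective_access(entries, owner_label, group_label):
    """Apply the mask to one ACL (access or default) -> {principal: bits}."""
    mask = entries.get(("mask", ""), 7)               # no mask entry: nothing capped
    result = {}
    for (tag, qualifier), bits in entries.items():
        if tag == "user" and qualifier == "":
            result[owner_label] = bits                # owner is never masked
        elif tag == "user":
            result["user:" + qualifier] = bits & mask
        elif tag == "group":
            label = group_label if qualifier == "" else "group:" + qualifier
            result[label] = bits & mask
        elif tag == "other":
            result["other"] = bits                    # other is never masked
    return result

def who_can_access(acl):
    """Principals with any effective access to the directory itself."""
    eff = effective_access(acl.access, "user:" + acl.owner, "group:" + acl.group)
    return {p: bits_to_perms(b) for p, b in eff.items() if b}

def inherited_access(acl):
    """What a new file inherits (the creating program's mode request can
    still trim it). Owner/group depend on who creates it, hence generic labels."""
    eff = effective_access(acl.default, "(file owner)", "(file group)")
    return {p: bits_to_perms(b) for p, b in eff.items() if b}

def unexpected_access(acl, allowed):
    """Anyone besides the owner and `allowed` who still gets in."""
    permitted = set(allowed) | {"user:" + acl.owner}
    return sorted(p for p in who_can_access(acl) if p not in permitted)

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(who_can_access(acl), inherited_access(acl), unexpected_access(acl, ["user:oracle"]))
```

Two things the script makes visible that the raw listing does not. First, the mask: a named entry like user:oracle:rwx is only worth what the mask lets through, so a directory that still carried an old mask of r-x would quietly leave oracle unable to write even though the entry looks right; the -r in jake's setfacl commands recalculates the mask, which is why the "#effective:rwx" trailer matches. Second, the default ACL's owner entry (default:user::rwx) refers to whoever owns each new file, and files oracle drops into ~bob are owned by oracle, so the explicit default:user:bob:rwx entry is what lets bob read his own deliveries. Paste any getfacl listing into the sample string, or feed it via stdin, and check that unexpected_access() returns an empty list for the principals you intend.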