thorny (for me) permissions problem

Jeremy Chadwick koitsu at FreeBSD.org
Tue Oct 7 13:25:09 UTC 2008


On Tue, Oct 07, 2008 at 08:54:36AM -0400, John Almberg wrote:
> The following permissions problem has me stumped:
>
> 1. User A uploads a file (using ftp) to the server, into a directory  
> called 'data' owned by user B. Permissions on directory set to allow  
> this, like this:
> 	drwxrwxr-x  2 user_b user_b   512 Oct  7 08:40 data

This implies that User A's account is in group "user_b".

> 2. A cron job, run by user B, then processes the file
>
> 3. When the processing is complete, the cron job needs to delete the  
> file from the server
>
> 4. however, after upload, the file has the ownership A:B (i.e, owned by 
> A, group B) with permissions -rw-r--r--. So B does not have permission to 
> delete the file.

This doesn't make sense.  Any user in "group B" (the group that's
assigned to the "data" directory) should be able to remove files
in that directory.

That means:

  1) Any user in the group called "user_b",
  2) The user "user_b" himself.

See below.

> The ftp user can manually change the permissions on the file to
> -rw-rw-r--, but I do not want to depend on the user remembering to change
> permissions. If he forgets, the cronjob will process the file over and 
> over again. I need the server to handle this, so it gets done correctly 
> 100% of the time.
>
> B does not have sufficient permissions to delete the file or change its 
> permissions. The only thing I can think of is to have ANOTHER cron job, 
> run by A, run every few minutes to check for the existence of a file, and 
> change the permissions so B can delete it. But this smells like a kludge 
> to me.
>
> Is there a correct way to handle this? For instance, is there something I 
> can set in A's profile, so when he uploads a file, the group permission 
> is set to rw? That would be a nice clean way to do it, but I can't find 
> anything like that.

What you're describing is understandable, but something is wrong with
the setup or description of the problem.  Here's proof of what I'm
talking about:

# egrep 'somegroup' /etc/group
somegroup:*:9999:bob,jim

# id bob
uid=2000(bob) gid=1000(users) groups=1000(users),9999(somegroup)
# id jim
uid=2001(jim) gid=1000(users) groups=1000(users),9999(somegroup)

Both of these users are in group "somegroup".  So let's make some
directories and files:

drwxrwxr-x   2 jim       somegroup     2 Oct  7 06:22 data/
-rw-r-----   1 bob       somegroup     0 Oct  7 06:22 data/somefile

In this scenario, user "jim" will be able to remove "somefile", as
can be seen here:

# su jim
% id -a
uid=2001(jim) gid=1000(users) groups=1000(users),9999(somegroup)

% ls -l
total 1
-rw-r-----  1 bob  somegroup  0 Oct  7 06:22 somefile
% rm somefile
override rw-r-----  bob/somegroup for somefile? y
% ls -l
total 0

So, possibly the FTP server you're using does not inherit users' groups,
only GIDs?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
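
Added example, not part of the original message: a Python model of the classic mode-bit check behind the `rm` demonstration above, showing that removing a file depends on the directory's permissions and the caller's group set, not on the file's own mode. The uid/gid numbers come from the `id` output in the message; the helper names and the sticky-bit case are constructed, and root, ACLs and file flags are ignored.

```python
import stat
from collections import namedtuple

# Stand-in for the os.stat() fields the check needs (constructed helper).
Node = namedtuple("Node", "mode uid gid")

def class_bits(node, uid, gids):
    """Return the rwx bits (0-7) of the one permission class that applies."""
    if uid == node.uid:
        return (node.mode >> 6) & 7      # owner class
    if node.gid in gids:
        return (node.mode >> 3) & 7      # group class
    return node.mode & 7                 # other class

def can_unlink(directory, target, uid, gids):
    """Mode-bit rule for a non-root caller removing `target` from `directory`."""
    bits = class_bits(directory, uid, gids)
    if bits & 0o3 != 0o3:                # need write and search on the directory
        return False
    if directory.mode & stat.S_ISVTX:    # sticky: only file or directory owner
        return uid in (target.uid, directory.uid)
    return True                          # the file's own mode is never consulted

BOB, JIM, USERS, SOMEGROUP = 2000, 2001, 1000, 9999

# drwxrwxr-x jim somegroup data/  and  -rw-r----- bob somegroup somefile
data = Node(stat.S_IFDIR | 0o775, JIM, SOMEGROUP)
somefile = Node(stat.S_IFREG | 0o640, BOB, SOMEGROUP)

def scenarios():
    full = {USERS, SOMEGROUP}            # supplementary groups applied
    primary_only = {USERS}               # process started with the primary GID only
    sticky = data._replace(mode=data.mode | stat.S_ISVTX)
    return {
        "jim, directory owner": can_unlink(data, somefile, JIM, full),
        "bob, via somegroup": can_unlink(data, somefile, BOB, full),
        "bob, primary GID only": can_unlink(data, somefile, BOB, primary_only),
        "uid 2002 in somegroup, sticky dir": can_unlink(sticky, somefile, 2002, full),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The "primary GID only" row is the case raised in the closing question of the message: a process that does not pick up the user's supplementary groups falls into the "other" class on `data/` and loses write access to it.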