Right now one of our server is setup such that all users are in their own group. Is it possible to reassign them to a single group and then allow each user READ only access to other user's directories?
Any quick commands to do this for many users?
Asked
Active
Viewed 55 times
2
-
To allow users read access to home directories, while you can do it with ACLs, it's very error-prone. You can do it reliably with a read-only view. See User with read access to /home – Gilles 'SO- stop being evil' Jan 28 '13 at 22:40
2 Answers
1
Short answer: Don't do it.
Long answer: This used to be the default setup of Unix boxes. But this leads to inadvertent data sharing, even possibility of modification of data by fellow users if there is a slipup in the permissions. Over time, most Unix/Linux installations migrated to a setup with a group for each user. Originally, when a user belonged to several groups (a primary group and supplementary groups, in Unix-speak), to gain the privileges of another group one had to give the group to switch to and the program to run to a special program (the name escapes me, it has been a long time...). With today's systems each process belongs to all the groups simultaneously, so this isn't needed anymore. Just place all the users in the group to which the shared files belong. Even more granular permissions are available on filesystems that handles ACLs, where you can assign individual users permissions on a file, independent of user/group/others. Look at the manual pages for acl(5), chacl(1).
vonbrand
- 18,253
0
I really want to say "don't", as it's not the best idea. However, that doesn't answer your question, so let's do that instead. Here are a few assumptions in the script I'm constructing below:
- You created a group called users
- All users you want to add to this group have a uid between 500 and 10000
- Only users you want to add to this group have a uid between 500 and 10000
- You will understand what the shellscript does before running it, or else ask for clarification.
First we fix ownership of folders in /home:
chgrp users -r /home
So first let's get all the users with uid 500 or higher:
getent passwd | awk -F: '{if($3 > 500 && $3 < 10000) { print $1 }}'
On my system this returns:
dennis
paul
tom
Now we need to change the group:
for user in $(getent passwd | awk -F: '{if($3 > 500 && $3 < 10000) { print $1 }}'); do
usermod -g users $user
done
Now you can remove the no longer needed groups:
for user in $(getent passwd | awk -F: '{if($3 > 500 && $3 < 10000) { print $1 }}'); do
groupdel $user
done
Dennis Kaarsemaker
- 8,530