[Fwd: Re: Limitation for User]

edwardspl at ita.org.mo edwardspl at ita.org.mo
Wed Feb 21 04:25:05 UTC 2007


Hello,

Regarding the access rights (including read / modify / delete) problem of the bind
service:
Does it really need the owner / group of named to run the program?
So, we can't reset the permission again?

Edward.

-------- Original Message --------
Subject: 	Re: Limitation for User
Date: 	Mon, 19 Feb 2007 11:53:45 -0600
From: 	Les Mikesell <lesmikesell at gmail.com>
Reply-To: 	For users of Fedora <fedora-list at redhat.com>
To: 	For users of Fedora <fedora-list at redhat.com>
References: 	<45D9D1F0.4010500 at ita.org.mo> <45D9D814.7080305 at gmail.com>
<45D9DC15.9050908 at ita.org.mo>


edwardspl at ita.org.mo wrote:

> Les Mikesell wrote:
> 
>> edwardspl at ita.org.mo wrote:
>>
>>> Dear All,
>>>
>>> I want to know how to configure the limitation (permission) for the
>>> following.
>>>
>>> [svradmin at svr1 etc]$ pwd
>>> /usr/local/proftpd/etc
>>> [svradmin at svr1 etc]$ ls -l
>>> total 4
>>> -rw-r--r-- 1 root root 1894 Feb 20 00:22 proftpd.conf
>>> [svradmin at svr1 etc]$
>>>
>>> Only allow users root, svradmin and edward to access
>>> /usr/local/proftpd/etc/ (directory) and read / modify the config
>>> file (such as proftpd.conf).
>>
>> Root automatically has full access and doesn't need special
>> consideration. One of the other users (svradmin) can be the owner and
>> have rwx permission. To allow access by additional users you can add
>> group rwx permission and put the users in the group of the files. Having a
>> single other user is a slightly special case where you could give
>> edward's group to the file instead of the other way around. In any
>> case you need to be careful when creating new files to set the correct
>> group.
>>
> Hello,
> 
> Do you mean (operation steps):
> chown -R svradmin.edward /usr/local/proftpd/etc
> chmod 660 /usr/local/proftpd/etc/proftpd.conf
> 
> So, only svradmin, edward and the root user can access the directory
> and read / modify the file, right?

Yes - you probably also want
chmod 770 /usr/local/proftpd/etc
if it doesn't have those modes already.  Also, you need to check that
this does not prevent the proftpd program from reading its own config
file.  I don't know if it runs as root at that point or not.  If it runs
with non-root permissions as it starts, you'll have to be sure it has
permission.  If there is no sensitive information there you could just
allow 'other' read access.
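
The caveat in the reply above (after the chown/chmod, a daemon that starts without root privileges may no longer be able to read its own config) can be checked on a scratch copy before touching the real files. This is an added example, not part of the original thread; the function names and the numeric accounts are hypothetical, and it evaluates only the classic owner/group/other mode bits.

```shell
#!/bin/sh
# Added example, not from the thread. Classic mode bits only: ACLs, SELinux
# and capabilities are ignored. Uses GNU stat (as on Fedora).

# may_access PATH UID "GID ..." r|w|x  -> status 0 if the mode bits allow it
may_access() (
    path=$1 uid=$2 gids=$3 want=$4
    set -- $(stat -c '%u %g %a' "$path")
    [ $# -eq 3 ] || exit 2                      # stat failed
    owner=$1 group=$2 mode=$((0$3 & 0777))      # %a is octal, e.g. 660
    if [ "$uid" -eq 0 ]; then exit 0; fi        # root is not limited by r/w/search bits
    shift_by=0                                  # default: "other" class
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then shift_by=3; fi
    done
    if [ "$uid" -eq "$owner" ]; then shift_by=6; fi   # owner class wins over group
    case $want in
        r) need=4 ;; w) need=2 ;; x) need=1 ;; *) exit 2 ;;
    esac
    [ $(( (mode >> shift_by) & need )) -ne 0 ]
)

# Reading DIR/FILE needs search (x) on the directory and read (r) on the file.
# Parent directories above DIR are assumed to be world-searchable.
config_readable_by() {
    may_access "$1" "$3" "$4" x && may_access "$1/$2" "$3" "$4" r
}

# Constructed sample: scratch copy of the layout from the thread, with the
# modes discussed there (770 on the directory, 660 on the file).
make_demo_tree() {
    d=$(mktemp -d) && mkdir "$d/etc" && : > "$d/etc/proftpd.conf" &&
        chmod 770 "$d/etc" && chmod 660 "$d/etc/proftpd.conf" && echo "$d/etc"
}

etc=$(make_demo_tree)
fuid=$(stat -c %u "$etc"); fgid=$(stat -c %g "$etc")
# Hypothetical accounts: file owner, a member of the file's group, and an
# unprivileged service account that is in neither class.
for who in "$fuid $fgid owner" "$((fuid + 2)) $fgid group-member" \
           "$((fuid + 1)) $((fgid + 1)) service-account"; do
    set -- $who
    if config_readable_by "$etc" proftpd.conf "$1" "$2"; then
        echo "$3: can read proftpd.conf"
    else
        echo "$3: cannot read proftpd.conf"
    fi
done
```

With 770/660 the service account is denied; it gains read access only once 'other' has search on the directory and read on the file, and it still cannot write.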

