#1 2009-09-08 22:10:05

christof
Member
Registered: 2009-09-08
Posts: 3

Can a group have no read access?

Several of my hard drives are mounted at boot with me (chris) as the owner and storage as the group.

There are a few directories in those hard drives that I don't want other users who ssh in to see, so I thought I'd remove read access for people in the group with this command:

chmod -R 700 private_dir/

alternatively I tried these commands:

chmod -R g-r private_dir/
chmod -R go= private_dir/

but when I list the directory in long format, the output is still:

drwxr----- 1 chris storage      0 2009-04-12 01:26 private_dir #the group still has read access

What's the better way to do this, i.e. how can I mount the hard drive but have subdirectories with different permissions (or group id's) which persist after re-mounting?

Thanks in advance, guys.

Christof

#2 2009-09-08 22:22:08

DonVla
Member
From: Bonn, Germany
Registered: 2007-06-07
Posts: 997

Re: Can a group have no read access?

christof wrote:

but when I list the directory in long format, the output is still:

drwxr----- 1 chris storage      0 2009-04-12 01:26 private_dir #the group still has read access

What's the better way to do this, i.e. how can I mount the hard drive but have subdirectories with different permissions (or group id's) which persist after re-mounting?
Christof

Do some reading:
http://en.wikipedia.org/wiki/Chmod#Comm … e_examples

chmod -R 700 private_dir

should have done it.
Or try:

chmod u=rw,go= private_dir

And changing the permissions only of the parent folder is sufficient.

Last edited by DonVla (2009-09-08 22:25:33)

#3 2009-09-09 01:45:20

christof
Member
Registered: 2009-09-08
Posts: 3

Re: Can a group have no read access?

Thanks DonVla. However, I tried that and it did not work.

When I use those commands in a test directory in home, it does work though. Maybe it has something to do with the fact that the storage group currently has only one user (me)?

I'll try it with a test directory in home with a gid of storage.

Last edited by christof (2009-09-09 01:46:10)

#4 2009-09-09 08:28:01

DonVla
Member
From: Bonn, Germany
Registered: 2007-06-07
Posts: 997

Re: Can a group have no read access?

Several of my hard drives are mounted at boot with me (chris) as the owner and storage as the group.

I guess you mounted your partition with some "uid=..." or "gid=..." options enabled.
Which are the mount options in fstab?
You need only something like

/dev/sda2         /home                   ext3        defaults

Then you can simply change the permissions through chmod. Of course as root!

Last edited by DonVla (2009-09-09 08:34:24)

#5 2009-09-09 21:45:11

christof
Member
Registered: 2009-09-08
Posts: 3

Re: Can a group have no read access?

Here's my fstab entry:

UUID=###########     /media/backup     ntfs-3g     defaults,uid=1000,gid=95,umask=0037

I think the problem is that ntfs-3g cannot handle permissions for individual files or folders yet. It looks like I'm going to have to switch the drives over to xfs.

Many thanks
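
Why chmod had no effect on this mount, as an added example that is not part of the original posts: with `uid=`, `gid=` and `umask=` in the mount options, the mode shown for every entry is computed from the mask instead of being stored per file. The function names and the second fstab line are constructed for illustration, and the script assumes the mode is `0777 & ~mask` with `dmask=`/`fmask=` taking precedence over `umask=`.

```shell
#!/bin/sh
# Assumed model of a mask-based mount: every entry shows 0777 & ~mask, with
# dmask= (directories) and fmask= (files) taking precedence over umask=.

# effective_mode <mount options> <d|->  ->  octal mode shown for that type
effective_mode() (
    type=$2 mask=0 specific=
    IFS=,
    set -f                      # no globbing while splitting the option list
    for opt in $1; do
        case $opt in
            umask=*) mask=${opt#umask=} ;;
            dmask=*) if [ "$type" = d ]; then specific=${opt#dmask=}; fi ;;
            fmask=*) if [ "$type" = - ]; then specific=${opt#fmask=}; fi ;;
        esac
    done
    if [ -n "$specific" ]; then mask=$specific; fi
    printf '%o\n' "$(( 0777 & ~0$mask ))"
)

# mode_to_string <d|-> <octal mode>  ->  ls -l style string, e.g. drwxr-----
mode_to_string() (
    out=$1 mode=$(( 0$2 )) i=8
    while [ "$i" -ge 0 ]; do
        case $(( $i % 3 )) in 2) c=r ;; 1) c=w ;; 0) c=x ;; esac
        if [ $(( ($mode >> $i) & 1 )) -eq 1 ]; then out="${out}${c}"; else out="${out}-"; fi
        i=$(( $i - 1 ))
    done
    printf '%s\n' "$out"
)

# listing_for <fstab line> <d|->  ->  what ls -l reports for every such entry
listing_for() (
    type=$2
    set -f
    set -- $1                   # fields: device, mount point, fs type, options
    mode_to_string "$type" "$(effective_mode "$4" "$type")"
)

# fstab line from the thread (UUID masked as posted), then a constructed variant
AS_POSTED='UUID=########### /media/backup ntfs-3g defaults,uid=1000,gid=95,umask=0037'
TIGHTER='UUID=########### /media/backup ntfs-3g defaults,uid=1000,gid=95,dmask=0077,fmask=0177'

for line in "$AS_POSTED" "$TIGHTER"; do
    printf '%s %s\n' "$(listing_for "$line" d)" "$(listing_for "$line" -)"
done
```

The masks apply to the whole volume, so the constructed second line removes group access everywhere on it rather than on one directory.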

#6 2009-09-09 23:07:36

DonVla
Member
From: Bonn, Germany
Registered: 2007-06-07
Posts: 997

Re: Can a group have no read access?

I don't know what the default options are for ntfs-3g. A google search often gives the needed information :)
But I would omit the uid=.. and gid=.. options and set the permissions with chmod.

#7 2009-09-10 00:22:19

Aprz
Member
From: Newark
Registered: 2008-05-28
Posts: 277

Re: Can a group have no read access?

I thought about it, and I think the problem is you're doing this as root trying to remove access from group root (find out using getfacl) that were originally able to view the file or something along those lines (partially in a rush and not thinking straight so forgive me), but really only want one group not to have access to the directory. I am not 100% sure if this would work on a directory, but I think it would, and I don't have time to try it right now (last minute typing about to rush to work, haha!), but have you tried

setfacl -x g:group directory

Where group is the group you want to remove from having access to the file, but retain all other groups to view the file. Directory is the directory you want to move. Not 100% sure. You can also check if it was effective by using `getfacl' as mentioned earlier (or just test it, but that's annoying) to see what users, groups, etc... can do with the file.

Good luck.

Edit: Yeh, like I thought.

[Screenshot: acl.th.png]

I know this example is with a specific user, but I wasn't gonna go make different groups and test stuff out. ;) Too lazy! Probably would've been better if I started off by creating `/home/test/' using mode 750 like I did with setfacl, but whatever. I think it gets the point across.

As you can see, you got to remember what group whatever user you are on when you are using chmod and dealing with groups, and even with that, you can revoke specific users/groups rights or cater to individual users/groups using {set,get}facl. By the way, when you do this, when you `ls -l' the directory, you'll see a plus next to it showing it's extended acl.

^Hopefully I didn't make a fool of myself, but this is just what I think and it seems to work for me, haha. Maybe like you said, it's your filesystem.

Last edited by Aprz (2009-09-10 06:15:16)
