AFS and ftp?

stig
      09-30-2003, 09:15 PM
hi.
first of all, thanks to you that have answered my previous questions.

now.
to simplify the case,
let's assume i have 3 users A, B and C.
all are allowed to login via ftp but not terminal (/sbin/nologin).

on the ftp i have one (1) directory that contains a number of files, but
lets call them file1, file2 and file3.

now i would like A to be able to see and download file1 and file2.
A should not be able to browse the directory for other files than file1
and file2, even though the other files are there. and A should not be
able to download file3 by guessing the name. then in the same manner for
B and C.

what i am aiming for is:
user    file1   file2   file3
A       b+r     b+r     none
B       b+r     none    b+r
C       none    b+r     b+r

b=browse (list)
r=read (download)
none=no list or other access on this file

so, what i basically look for is some kind of setup similar to what one
can do in a windows network, however i have not been able to reproduce
something like this on linux. but i have not tried AFS, that seems to be
more suited for what i am looking for, from what i have heard.
is AFS for free (or any equivalent) and where can i find it?
will it work with the ftp-server?

many thanks
stig

Paul Lutus
      10-01-2003, 12:35 AM
stig wrote:

> hi.
> first of all, thanks to you that have answered my previous questions.
>
> now.
> to simplify the case,
> let's assume i have 3 users A, B and C.
> all are allowed to login via ftp but not terminal (/sbin/nologin).
>
> on the ftp i have one (1) directory that contains a number of files, but
> lets call them file1, file2 and file3.
>
> now i would like A to be able to see and download file1 and file2.
> A should not be able to browse the directory for other files than file1
> and file2, even though the other files are there. and A should not be
> able to download file3 by guessing the name. then in the same manner for
> B and C.
>
> what i am aiming for is:
> user    file1   file2   file3
> A       b+r     b+r     none
> B       b+r     none    b+r
> C       none    b+r     b+r


Use groups. Set the files' ownerships based on groups. Let's say:

File   Group
A      A
B      B
C      C

Then you set additional groups for each user based on which file access you
want them to have.

I suggest this because a particular user can belong to a long list of
groups, so this is a way to get the kind of flexible permissions you want.
Plus, if you want to change a user's access later, you can simply remove
the specific group permission from the account.

File permissions are not particularly flexible in Linux/Unix. They can
belong to one user and one group. But users can belong to many groups.
Connect the users to the files using user group membership.

--
Paul Lutus
http://www.arachnoid.com

stig
      10-01-2003, 05:19 AM
Paul Lutus wrote:
> stig wrote:
>
>
>>hi.
>>first of all, thanks to you that have answered my previous questions.
>>
>>now.
>>to simplify the case,
>>let's assume i have 3 users A, B and C.
>>all are allowed to login via ftp but not terminal (/sbin/nologin).
>>
>>on the ftp i have one (1) directory that contains a number of files, but
>>lets call them file1, file2 and file3.
>>
>>now i would like A to be able to see and download file1 and file2.
>>A should not be able to browse the directory for other files than file1
>>and file2, even though the other files are there. and A should not be
>>able to download file3 by guessing the name. then in the same manner for
>>B and C.
>>
>>what i am aiming for is:
>>user    file1   file2   file3
>>A       b+r     b+r     none
>>B       b+r     none    b+r
>>C       none    b+r     b+r

>
>
> Use groups. Set the files' ownerships based on groups. Let's say:
>
> File   Group
> A      A
> B      B
> C      C
>
> Then you set additional groups for each user based on which file access you
> want them to have.
>
> I suggest this because a particular user can belong to a long list of
> groups, so this is a way to get the kind of flexible permissions you want.
> Plus, if you want to change a user's access later, you can simply remove
> the specific group permission from the account.
>
> File permissions are not particularly flexible in Linux/Unix. They can
> belong to one user and one group. But users can belong to many groups.


i will try it. will this solve the list (browse) problem as well, or only
the read (download) problem?

stupid question, but anyway:
is there an upper limit on how many users and groups a linux system can
handle? my guess is that i will have around 10000-20000 files at most.

stig

Paul Lutus
      10-01-2003, 06:07 AM
stig wrote:

< snip >

> stupid question, but anyway:
> is there an upper limit on how many users and groups a linux system can
> handle? my guess is that i will have around 10000-20000 files at most.


You don't need that many permission categories. It is not about the number
of users or the number of files, it is only about the number of permission
combinations required. Ordinary file segregation can be had using vanilla
user permissions.

--
Paul Lutus
http://www.arachnoid.com

stig
      10-01-2003, 06:39 AM
stig wrote:
> Paul Lutus wrote:
>
>> stig wrote:
>>
>>
>>> hi.
>>> first of all, thanks to you that have answered my previous questions.
>>>
>>> now.
>>> to simplify the case,
>>> let's assume i have 3 users A, B and C.
>>> all are allowed to login via ftp but not terminal (/sbin/nologin).
>>>
>>> on the ftp i have one (1) directory that contains a number of files, but
>>> lets call them file1, file2 and file3.
>>>
>>> now i would like A to be able to see and download file1 and file2.
>>> A should not be able to browse the directory for other files than file1
>>> and file2, even though the other files are there. and A should not be
>>> able to download file3 by guessing the name. then in the same manner for
>>> B and C.
>>>
>>> what i am aiming for is:
>>> user    file1   file2   file3
>>> A       b+r     b+r     none
>>> B       b+r     none    b+r
>>> C       none    b+r     b+r

>>
>>
>>
>> Use groups. Set the files' ownerships based on groups. Let's say:
>>
>> File   Group
>> A      A
>> B      B
>> C      C
>>
>> Then you set additional groups for each user based on which file
>> access you
>> want them to have.
>>
>> I suggest this because a particular user can belong to a long list of
>> groups, so this is a way to get the kind of flexible permissions you
>> want.
>> Plus, if you want to change a user's access later, you can simply remove
>> the specific group permission from the account.
>>
>> File permissions are not particularly flexible in Linux/Unix. They can
>> belong to one user and one group. But users can belong to many groups.

>
>
> i will try it. will this solve the list (browse) problem as well, or only
> the read (download) problem?
>
> stupid question, but anyway:
> is there an upper limit on how many users and groups a linux system can
> handle? my guess is that i will have around 10000-20000 files at most.
>
> stig
>


just made a small testcase, the read limitation works fine.
however, all users that have access to a specific directory can list all
files in that directory. how can i make the listing only display files
that are in the groups that the user belongs to, that is, how can i make
the system only list the files that the user may read?

stig

Paul Lutus
      10-01-2003, 08:39 AM
stig wrote:

< snip >

> just made a small testcase, the read limitation works fine.
> however, all users that have access to a specific directory can list all
> files in that directory. how can i make the listing only display files
> that are in the groups that the user belongs to, that is, how can i make
> the system only list the files that the user may read?


Apply the group permissions to the directory as well as the files it
contains.

--
Paul Lutus
http://www.arachnoid.com

stig
      10-01-2003, 11:36 AM
Paul Lutus wrote:
> stig wrote:
>
> < snip >
>
>>just made a small testcase, the read limitation works fine.
>>however, all users that have access to a specific directory can list all
>>files in that directory. how can i make the listing only display files
>>that are in the groups that the user belongs to, that is, how can i make
>>the system only list the files that the user may read?

>
>
> Apply the group permissions to the directory as well as the files it
> contains.


hmm.
can't get it right.

i have set up the following:
directory /home/share/ is the root.
there i have:
/home/share/2002/
/home/share/2003/

in directory 2002 i have the following files
file4 (owner me, group g4) rw-r-----
file5 (owner me, group g5) rw-r-----

in directory 2003 i have the following files
file1 (owner me, group g1) rw-r-----
file2 (owner me, group g2) rw-r-----
file3 (owner me, group g3) rw-r-----


the directories are set:
share (owner me, group d0) rwxr-x---
2002 (owner me, group d2) rwxr-x---
2003 (owner me, group d3) rwxr-x---

then i have the users that should be able to access this:
user01, with groups: d0 d2 g4
user02, with groups: d0 d3 g1 g2
user03, with groups: d0 d2 d3 g3 g5


in this setup user01 can only download file4, and user02 can download
file1 and file2. however they can see all the other files in the listing
in their respective directory, and so on.

then i tried to set the directories as follows:
share (owner me, group d0) rwx--x---
2002 (owner me, group d2) rwx--x---
2003 (owner me, group d3) rwx--x---

then the users will be able to enter the directory, but no files at all
will be listed, however, if the user knows the name of the file, he can
download (read) it.


the users have no private primary group, but belong to the user-group.


i would like user01
to see (and read) the following structure:
/2002/
/2002/file4

user01 should not be able to see directory 2003 at all and not file5


and user02:
/2003/
/2003/file1
/2003/file2

user02 should not be able to see directory 2002 at all and not file3


user03:
/2002/
/2003/
/2002/file5
/2003/file3




the option to not see any files but be able to read is acceptable to me,
but the optimal case would be to see files that one can read (download),
but not the files that one cannot read (download). just as described above.


stig

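An added example, not code from the thread: a small simulator of the standard POSIX permission checks (owner/group/other rwx bits, no ACLs, no root) applied to the exact /home/share layout, file groups and user memberships given in the post above, for both directory modes that were tried (rwxr-x--- and rwx--x---). It reproduces both observations from the post and shows where the group approach from the earlier replies stops: the read (download) column of the target matrix is satisfied either way, but listing is governed only by the directory's r bit, so a user who can list a directory sees every name in it, and a user who cannot list it can still read a file by name. The primary group name "users" is an assumption (the post only says "the user-group") and does not affect the result.

```python
# Added example (not from the original post): simulate POSIX permission checks
# for the share layout described in the thread. Assumptions: classic mode bits
# only (no ACLs), nobody is root, primary group "users" (name assumed).
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


@dataclass
class Node:
    owner: str
    group: str
    mode: int                      # classic octal mode, e.g. 0o640
    is_dir: bool = False
    children: dict = field(default_factory=dict)   # name -> Node (dirs only)


def perm_bits(node, user, groups):
    """Select the rwx triplet that applies: owner, group, or other."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def has(node, user, groups, bit):
    return perm_bits(node, user, groups) & bit == bit


def resolve(root, path, user, groups):
    """Walk `path` from `root`; each directory passed through needs only x."""
    node = root
    for name in filter(None, path.split("/")):
        if not node.is_dir or not has(node, user, groups, X):
            return None
        node = node.children.get(name)
        if node is None:
            return None
    return node


def listing(root, path, user, groups):
    """Names an `ls` returns: decided by the directory's r bit alone, so it is
    all entries or none, never filtered by what the user may read."""
    d = resolve(root, path, user, groups)
    if d is None or not d.is_dir or not has(d, user, groups, R):
        return []
    return sorted(d.children)


def can_read(root, path, user, groups):
    f = resolve(root, path, user, groups)
    return f is not None and not f.is_dir and has(f, user, groups, R)


def build_share(dir_mode):
    """/home/share as in the post: files rw-r----- owned by 'me', one group each."""
    def f(group):
        return Node("me", group, 0o640)
    return Node("me", "d0", dir_mode, True, {
        "2002": Node("me", "d2", dir_mode, True, {"file4": f("g4"), "file5": f("g5")}),
        "2003": Node("me", "d3", dir_mode, True,
                     {"file1": f("g1"), "file2": f("g2"), "file3": f("g3")}),
    })


USERS = {  # supplementary groups exactly as listed in the post
    "user01": {"users", "d0", "d2", "g4"},
    "user02": {"users", "d0", "d3", "g1", "g2"},
    "user03": {"users", "d0", "d2", "d3", "g3", "g5"},
}
FILES = ["2002/file4", "2002/file5", "2003/file1", "2003/file2", "2003/file3"]
READ_TARGET = {  # the "r" (download) column of the wanted matrix
    "user01": ["2002/file4"],
    "user02": ["2003/file1", "2003/file2"],
    "user03": ["2002/file5", "2003/file3"],
}


def access_matrix(dir_mode):
    """Per user: names visible in each directory, and the files actually readable."""
    root = build_share(dir_mode)
    result = {}
    for user, groups in USERS.items():
        visible = {d: listing(root, d, user, groups) for d in ("", "2002", "2003")}
        readable = [p for p in FILES if can_read(root, p, user, groups)]
        result[user] = (visible, readable)
    return result


def leaks_unreadable_names(dir_mode):
    """True if some user is shown a file name they cannot read (the browse failure)."""
    for visible, readable in access_matrix(dir_mode).values():
        for d in ("2002", "2003"):
            if any(f"{d}/{name}" not in readable for name in visible[d]):
                return True
    return False


if __name__ == "__main__":
    for mode in (0o750, 0o710):   # rwxr-x--- and rwx--x--- on the directories
        m = access_matrix(mode)
        print(f"directory mode {mode:o}:")
        for user, (visible, readable) in m.items():
            print(f"  {user}: sees {visible}  reads {readable}")
        print("  read column matches target:", all(m[u][1] == READ_TARGET[u] for u in USERS))
        print("  unreadable names leaked:", leaks_unreadable_names(mode))
```

With 0o750 every user who can enter 2002 or 2003 is shown all of its files (user01 sees file5), and with 0o710 nothing is listed but the by-name reads still succeed, which is exactly what the post reports; the read column equals READ_TARGET in both cases.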