Unix Web Hosting for Developers



Filed under: Guide To FreeBSD — webmaster @ 8:28 pm

#chown bind:wheel file2
#

Note: Only root can give away files. If you're logged in as a regular user and want someone else to own your files, you cannot do chown otheruser filename. Similarly, if you're not in a group, you cannot give that group ownership of the file.

Assigning Permissions

So, now you know how to set permissions and change file owners and groups. What should you set or change? Well, for one thing, many sysadmins set files needed by vital system resources, such as DNS server zone files (see Chapter 11), to be owned by root and writable only by root. Thus, regular users cannot modify them. While this approach works acceptably when you only have one administrator, it fails when delegating tasks. Some administrators work around this with add-ons like sudo(8) (in /usr/ports/security/sudo), but these programs are easily misconfigured.

In the past, I've had assistants who, while not yet competent sysadmins, needed to edit vital files, but under no circumstances could they be given the root password. My solution has been to use groups, which lets me restrict access to these files without giving out root. (I'll use DNS in this example, but this approach applies to any system where a restricted list of users needs to edit a set of files.)

First, consider what sort of access you want people to have to the files. In this DNS example, the file owner must be able to read and write the files, and people in the group need to be able to read and write the files as well. Other users must be able to view them but not edit them. Since DNS files are plain text files, not programs, nobody should be able to execute the files. (It does no harm to set executable permissions on a file that isn't a program, but it can confuse people.) So our permissions string will look like rw-rw-r--.

The owner's permissions include read (4) and write (2), the group has read (4) and write (2), and others have read-only permissions (4). So, we can set the permissions on the files with chmod 664 filename.

Then you need to assign an owner to the file, bearing in mind that many system programs run as a particular user. For example, the named DNS server runs as bind, while the Apache Web server runs as nobody. While you might think that the server user is a logical owner, that's not necessarily the case: if someone broke into your DNS server, he could execute commands as the user bind. You may not mind if someone reads these files, but you don't want anyone unauthorized to change them. The simplest solution is to create a separate user to own them.

Creating a New User

You can create a new user with adduser(8). (In Chapter 9, we will discuss adduser(8) and some /etc/login.conf tricks that ensure nobody can actually log in as this user.) Use vipw(8) to disable the password entirely (we will also discuss vipw(8) in Chapter 9), and then change the group on the affected file to "dns". Next, set the permissions for the owner and the group to read and write, but for others to read-only, as shown here:
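As an added example, not part of the original post or of the book it quotes, here is a small POSIX shell script that carries out the permission side of the procedure above: it converts a symbolic string such as rw-rw-r-- into the octal argument that chmod expects, applies it to a file, and then audits the file for the two things the post warns against (write access for "others", and executable bits on a plain text file). The zone-file content, the owner name dnsowner and the group name dns are placeholders I made up; the chown to a dedicated owner is shown only in a comment because it needs root. The audit reads the mode column of ls -l rather than stat(1), because the stat options differ between FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the
# rw-rw-r-- scheme the post recommends for delegated zone files.
# "dnsowner" and "dns" are placeholder names, not accounts the post defines.

# perm_to_octal "rw-rw-r--" -> 664
# Walks the nine-character string in triads (owner, group, other) and
# adds 4 for r, 2 for w and 1 for x, exactly as the post describes.
perm_to_octal() {
    s=$1
    [ "${#s}" -eq 9 ] || { echo "bad permission string: $s" >&2; return 1; }
    out=""
    i=0
    while [ "$i" -lt 9 ]; do
        triad=$(printf '%s' "$s" | cut -c$((i+1))-$((i+3)))
        n=0
        case $triad in r??) n=$((n+4));; esac
        case $triad in ?w?) n=$((n+2));; esac
        case $triad in ??x) n=$((n+1));; esac
        out="$out$n"
        i=$((i+3))
    done
    echo "$out"
}

# mode_string FILE -> the 10-character mode column of ls -l, e.g. -rw-rw-r--
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# set_zone_perms FILE: apply rw-rw-r-- (664) and echo the resulting mode
# string so the caller can confirm the change took effect.
set_zone_perms() {
    chmod "$(perm_to_octal rw-rw-r--)" "$1" && mode_string "$1"
}

# audit_zone_file FILE -> "ok" when others cannot write and no execute bit
# is set; otherwise the reason. Run this over a zone directory after handing
# edit rights to a group, to catch files that drifted from the scheme.
audit_zone_file() {
    m=$(mode_string "$1")
    case $m in
        ????????w?) echo "world-writable"; return 1;;
    esac
    case $m in
        ???x??????|??????x???|?????????x) echo "executable"; return 1;;
    esac
    echo "ok"
}

# Demo on a constructed temporary file; chmod on your own file needs no root.
demo() {
    f=$(mktemp) || return 1
    # constructed placeholder zone content, not a real zone
    printf 'example.com. IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400\n' > "$f"
    set_zone_perms "$f"
    audit_zone_file "$f"
    # Root-only step from the post, with placeholder owner and group:
    #   chown dnsowner:dns "$f"
    rm -f "$f"
}

demo
```

The audit deliberately rejects any execute bit, matching the post's point that DNS zone files are data, not programs; if you reuse the script for a directory of scripts, relax the second case pattern accordingly.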

