Wednesday, May 29, 2013

How to be almost-root

Today most of us own our own Linux computers, or at least our employers do, but they're signed out to us and dedicated to our use.

If you have 'root' access on the computer and consider it basically 'yours', quite possibly you'll want to be able to look at ALL of the files on the system without first having to escalate to 'root'.

It's safer this way, by the way.  You should be able to look at ALL the files without having to escalate to root privilege.  How to do that?

If your filesystem(s) support ACLs, any regular user can be given this level of access. On Linux, the 'setfacl' command does this:

setfacl -R -m u:whoever:r /

The above recursively modifies the access for the user whoever to include "r". It applies to ALL files and ALL directories.

setfacl -d -R -m u:whoever:r /

The above recursively modifies the default ACLs of all directories so that they give the user whoever read access on any NEW files created in the future. (That's a REALLY REALLY REALLY cool feature!)

Now... the issue gets more complex.  "execute access" means different things for directories than it does for files.  Execute permission on a directory allows the user to list what files are in the directory.  Most people would lump that in with "reading" it.

find / -type d -exec setfacl -m u:whoever:rx {} \;

The above gives both read and execute permission for the user whoever to all directories.

Note that together these aren't perfect regarding NEW content. The default ACL concept doesn't differentiate between new files in a directory and new subdirectories in that directory. So, with the above, any NEW directories created after the "find" is run will have "r" permissions, not "rx" permissions, for the user whoever.

You might set up a nightly cron job to repeat the "find" command above; that'll take care of new directories and ensure you have "x" on them the next day.
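An added check, not part of the original post: the Python script below parses `getfacl -p -R` output and reports the directories (from the same `find / -type d` list) on which the named user has no effective "x", i.e. the new subdirectories the nightly job hasn't caught up with yet. It also applies the ACL mask entry, since a named-user entry such as `rwx` is capped by `mask::` and can be effectively `r--`. The user name whoever and the sample `/srv/data` tree are assumptions.

```python
import re
# One ACL entry line; trailing '#effective:' annotations and 'default:' entries are ignored.
ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})")

def parse_getfacl(text):
    """Map each '# file:' path to its entries, e.g. {'user:whoever': 'r--', 'mask:': 'r-x'}."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = {}
        elif path is not None:
            m = ENTRY.match(line)  # '# owner:', '# group:' and blank lines do not match
            if m:
                acls[path][m.group(1) + ":" + m.group(2)] = m.group(3)
    return acls

def effective_perms(entries, user):
    """Rights a named user really gets: the user entry ANDed with mask::, when a mask exists."""
    granted = set(entries.get("user:" + user, "---")) - {"-"}
    if "mask:" in entries:
        granted &= set(entries["mask:"])
    return granted

def dirs_missing_x(getfacl_text, directories, user):
    """Directories (e.g. from `find / -type d`) the user cannot traverse: no effective 'x'."""
    acls = parse_getfacl(getfacl_text)
    return sorted(d for d in directories if "x" not in effective_perms(acls.get(d, {}), user))

# Constructed sample of `getfacl -p -R /srv/data` output (not captured from a real system).
SAMPLE = """\
# file: /srv/data
user::rwx
user:whoever:r-x
group::r-x
mask::r-x
other::r-x
# file: /srv/data/new_dir
user::rwx
user:whoever:r--
group::r-x
mask::r-x
other::r-x
# file: /srv/data/masked
user::rwx
user:whoever:rwx        #effective:r--
group::r-x      #effective:r--
mask::r--
other::r-x
"""
```

Against a real system, save `getfacl -p -R /` (the `-p` keeps absolute path names so they match the `find` list) and pass the `find / -type d` output as the directories set; each reported directory is a candidate for `setfacl -m u:whoever:rx`.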

If you have questions or concerns about ACLs just let me know and I'll be happy to help as best I can.
