AIX default permission issue: solved with concept from Linux and a little bit of shell script

One day at work, I got an RFC ticket requesting that an already existing directory be set up so that whenever a new file is created, only the owner of the file has read+write permission, other group members have read-only permission and all other users have no permission at all.

Now, this directory was shared over NFS to the Linux workstations used for the research applications run by the users. They usually dump their logs, outputs and even weird scribbles in this directory.

The NFS server was an AIX 5.3 server. A well experienced UNIX/Linux admin knows that only in Linux, while creating a user account, a new group gets created with the same name as the user account and is set as the primary group for the new user. This is not the default behaviour of other UN*X systems. Have you ever wondered why Linux does this? You will find the answer in the rest of this article.

In AIX, as in other UN*X systems, a new user by default gets “staff” as the primary group if none is specified in the “mkuser” command. So these users had “staff” as their primary group and “generes” as their secondary group. The directory in question had root as the user owner, “generes” as the group owner and permission 770.

This particular AIX server had 002 as the “umask”. That means that when a user creates a file, the file gets 775 (u=rwx, g=rwx, o=rx) permission. So when a user creates a file, as the file’s group owner is “generes”, other members of this group would be able to edit the new file.

I was not allowed to change the system-wide umask, as that would certainly create permission issues rather than solve them. Also, I had to find a way to take care of the files already in the directory.

So I borrowed the idea of Linux’s default primary group for a user. First, I had to create a group for each individual member of the “generes” group. Then I had to set the individual group as the primary group for the respective user, i.e. group XYZ is the primary group for user XYZ. Also, I had to add the “staff” group as a supplementary group of the users, to avoid any permission issues.

Now, once that’s done, when a user creates a new file, the group ownership of the file becomes the author’s primary group. As the author of the file is the only member of that group, any other user (a member of the generes group) is treated as “other” and gets read-only permission on the file.

As the shared directory had 770 (u=rwx, g=rwx, o=---) permission, any user who is not a member of the “generes” group cannot even get into the directory, let alone read the files inside it.

But one more major piece of work remained. I had to change the group ownership of the existing files depending on their owner, i.e. if file “abc” has “user01” as its owner, I had to set the group ownership of that file to “user01”. Well, it was easy with the find command and just a bit of shell scripting (I just love writing scripts whenever possible to do almost anything!!).

Two little scripts I made to complete the RFC are below:

1. Script to create the new groups and set them as the primary group of the respective users

#!/bin/ksh

# Take the member list of the "generes" group (field 4 of /etc/group), one
# member per line, and give each member a private group of the same name.
# pgrp= makes it the primary group. groups= replaces the whole supplementary
# list, so "generes" (and "staff") must be listed again there, otherwise the
# user loses access to the 770 shared directory.
grep '^generes:' /etc/group | awk -F: '{ print $4 }' | tr ',' '\n' | while read usr; do
    [ -n "$usr" ] || continue
    mkgroup "$usr"
    chuser pgrp="$usr" groups="$usr,staff,generes" "$usr"
done

2. Script to change the group ownership of the existing files to the author’s primary group

#!/bin/ksh

# For every member of "generes", find the files they own under the shared
# directory and move them into the owner's private group, which is what
# newly created files get from now on. find -exec is used instead of
# writing the file list to a predictable name under /tmp, which also keeps
# file names containing spaces intact.
grep '^generes:' /etc/group | awk -F: '{ print $4 }' | tr ',' '\n' | while read usr; do
    [ -n "$usr" ] || continue
    find /directory -user "$usr" -exec chgrp "$usr" {} \;
done
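As an added example (not part of the original post), a small POSIX sh audit that checks a saved “ls -l” listing of the shared directory against the intended policy after both scripts have run: every regular file’s group must equal its owner, and “other” must have no write or execute bit (with umask 002 a regular file is created as 664, so “other” gets read-only). The listing, user names and the group name “generes” are constructed for the example.

```shell
#!/bin/sh
set -f   # no globbing while we word-split listing lines

# Constructed sample listing (not output from a real server).
SAMPLE_LISTING='-rw-rw-r--  1 user01 user01   1024 Jan 10 10:00 run1.log
-rw-rw-r--  1 user02 generes 2048 Jan 10 10:05 notes.txt
-rw-r-----  1 user03 user01    512 Jan 10 10:07 scratch
-rw-rw-rw-  1 user04 user04    256 Jan 10 10:09 world.dat
drwxrwxr-x  2 user05 user05   4096 Jan 10 10:10 subdir'

# check_entry LINE: one "ls -l" line (mode links owner group size mon day time name).
# Prints "name: reason" and returns 1 on a violation; returns 0 silently otherwise.
check_entry() {
    set -- $1
    mode=$1 owner=$3 group=$4
    shift 8
    name=$*
    case $mode in d*) return 0 ;; esac      # the 770 parent directory governs dirs
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$owner" != "$group" ]; then
        echo "$name: group is '$group', expected the owner's private group '$owner'"
        return 1
    fi
    case $other in
        *w*|*x*) echo "$name: others have write/exec ($other)"; return 1 ;;
    esac
    return 0
}

# audit_listing LISTING: prints every violation; returns 1 if any were found.
audit_listing() {
    bad=0
    while read -r line; do
        [ -n "$line" ] || continue
        check_entry "$line" || bad=1
    done <<EOF
$1
EOF
    return $bad
}

audit_listing "$SAMPLE_LISTING" || echo "policy violations found"
```

Running it against a real listing is a matter of replacing SAMPLE_LISTING with the output of ls -l on the NFS export; a clean run prints nothing and exits 0.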


About admin_xor

Un*x/Linux junkie, loves to program, automate, automate and automate
This entry was posted in aix, awk, chmod, chown, chuser, linux, mkgroup, mkuser, permission, sed, shell script, unix.
