SUMMARY: Can two groups merge to form a third in /etc/group

From: Paul Alukal (pva@nova.gmi.edu)
Date: Thu Feb 18 1993 - 01:28:54 CST


My original question:

> Is there any way I can merge two groups in /etc/group
> to form a third one? The reason is like this.
>
> We restrict ftp command to students - only people in the faculty
> group (in /etc/group) can use it all the time (students are restricted
> by using cron, changing the mode of the ftp file) and ftp
> belong to faculty group.
>
> Now, I have to add another large group of people, (K12 group
> in /etc/group), and allow them to use ftp all the time. They
> don't come under faculty group and if I can combine faculty
> group and K12 group to form a third one, put ftp in that group,
> this will solve the problem.
>
> Machine: Sun Sparc 4/490 server
> OS: SunOS 4.1.2
>
>
> Thanks for any suggestions.
>
> Paul Alukal
> Senior Programmer Analyst
> Computer Center
> GMI Engg & Mgmt Institute pva@nova.gmi.edu
> Flint Mi

I got many replies, but most of them said it is not possible.
(There was one reply here which suggests this is possible, however
I didn't try it due to time constraints). Finally we decided to
remove all restrictions on ftp and see whether our network traffic can
manage it without problems.

Paul Alukal

Here are the replies: Thanks to everyone for taking your time
to send a reply.

From: tommy@boole.att.com
From: jpd@cad.msu.edu (Joe P. DeCello)
From: vasey@issi.com
From: katkam@fuwutai.att.com
From: katkam@fuwutai.att.com
From: louis@andataco.com
From: macphed@dvinci.usask.ca (Ian MacPhedran)
From: Mike Raffety <miker@il.us.swissbank.com>
From: blymn@mulga.awadi.com.AU (Brett Lymn)
From: trdlnk!mike@uunet.UU.NET (Michael Sullivan)
From: keener@upenn5.hep.upenn.edu (Paul T. Keener)
---------------------------------------------------------------
To: pva@nova.gmi.edu (Paul Alukal)
Subject: Re: Can two groups merge to form a third in /etc/group
In-Reply-To: Your message of Wed, 10 Feb 93 10:24:04 EST.
Date: Wed, 10 Feb 93 14:05:34 -0500
Original-From: Tommy Reingold <boole.att.com!tommy>
Status: OR

$ Is there any way I can merge two groups in /etc/group
$ to form a third one? The reason is like this.
$

No, but you could write a little program that checks who belongs to
faculty or K12 and puts them in a third group which has group ownership
of the ftp stuff. Run this program periodically from cron.
-----------------------------------------------------------
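
One way to write the "little program" Tommy Reingold describes, as an added example that is not part of any reply in this thread. The group names, GIDs, user names and the two sample files are constructed, and the combined group is regenerated from scratch on each run so that people who have left faculty or K12 drop out of it; users who have a source group only as their primary group in the passwd file are included as well.

```shell
#!/bin/sh
# Added example: rebuild a combined group from two source groups.
# All names, GIDs and file contents here are constructed sample data.

# union_members GROUPFILE PASSWDFILE GROUP...
# Prints the de-duplicated, comma-separated members of the named groups,
# including users who have one of them only as primary group in passwd.
union_members() {
    grp=$1 pw=$2; shift 2
    awk -F: -v want="$*" '
        function add(name) {
            if (name == "" || (name in seen)) return
            seen[name] = 1; out = out (out == "" ? "" : ",") name
        }
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        pass == 1 && ($1 in wanted) {
            gids[$3] = 1
            m = split($4, mem, ",")
            for (i = 1; i <= m; i++) add(mem[i])
        }
        pass == 2 && ($4 in gids) { add($1) }
        END { print out }
    ' pass=1 "$grp" pass=2 "$pw"
}

# rewrite_group GROUPFILE PASSWDFILE NAME GID GROUP...
# Prints GROUPFILE with the NAME entry replaced by the fresh union.
rewrite_group() {
    gfile=$1 pfile=$2 gname=$3 gid=$4; shift 4
    members=$(union_members "$gfile" "$pfile" "$@") || return 1
    awk -F: -v name="$gname" '$1 != name' "$gfile"
    printf '%s:*:%s:%s\n' "$gname" "$gid" "$members"
}

sample_group() { cat <<'EOF'
faculty:*:100:alice,bob
k12:*:200:carol,alice
students:*:300:dave
ftpusers:*:400:stale
EOF
}
sample_passwd() { cat <<'EOF'
alice:*:1001:100::/home/alice:/bin/sh
erin:*:1005:200::/home/erin:/bin/sh
dave:*:1004:300::/home/dave:/bin/sh
EOF
}
d=$(mktemp -d) && sample_group > "$d/group" && sample_passwd > "$d/passwd" &&
    rewrite_group "$d/group" "$d/passwd" ftpusers 400 faculty k12; rm -rf "$d"
```

The functions only print to standard output; installing the result, and rebuilding the NIS group map where one is used, is left to the administrator.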

From: jpd@cad.msu.edu (Joe P. DeCello)
Subject: Re: Can two groups merge to form a third in /etc/group
To: pva@nova.gmi.edu
Date: Wed, 10 Feb 1993 14:50:48 -0500 (EST)
In-Reply-To: <9302101524.AA09221@nova.gmi.edu> from "Paul Alukal" at Feb 10, 93 10:24:04 am
X-Mailer: ELM [version 2.4 PL17]
Content-Type: text
Content-Length: 1997
Status: OR

"Paul Alukal"
>
> Is there any way I can merge two groups in /etc/group
>

If you are using NIS in SunOS4.1.x then yes you can. Here is a sample of my
netgroups file, which we use with no problems. Note that netgroups cannot
be used for giving root access like -root=netgroup1 is not allowed.

cad cl pp cpp fpsm
cl cl_sun cl_pc
cl_sun cl_sun4 cl_sun3 cl_suni
cl_sun4 (tardis,,cad.msu.edu) (scss3,,cad.msu.edu) (discovery,,cad.msu.edu)
cl_sun3 (cad1,,cad.msu.edu) (jupiterII,,cad.msu.edu) (rama,,cad.msu.edu)
cl_suni (wings,,cad.msu.edu) (voyager,,cad.msu.edu)
cl_pc (jpd,,cad.msu.edu)
fpsm fpsm_sun fpsm_pc fpsm_X
fpsm_sun (desk,,cad.msu.edu) (table,,cad.msu.edu)
fpsm_pc (phone,,cad.msu.edu) (chair,,cad.msu.edu) (lectern,,cad.msu.edu)
fpsm_X (bench,,cad.msu.edu) (rolodex,,cad.msu.edu)

So you see, you can have multiple levels of netgroups. These are system
netgroups, but I am sure that they'll work for userids too.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Joseph P. DeCello III E-mail: jpd@cad.msu.edu
Michigan State University phone: (517) 353-3027
Specialized Computing Support Services hours: 10am-5pm ESTDST
------------------------------------------------------------------

Date: Wed, 10 Feb 93 14:55:40 CST
From: vasey@issi.com
Message-Id: <9302102055.AA16146@>
To: pva@nova.gmi.edu
Subject: Re: Can two groups merge to form a third in /etc/group
Status: OR

> We restrict ftp command to students - only people in the faculty
> group (in /etc/group) can use it all the time (students are restricted
> by using cron, changing the mode of the ftp file) and ftp
> belong to faculty group.

Clever enough & pretty effective so far ...

> Now, I have to add another large group of people, (K12 group
> in /etc/group), and allow them to use ftp all the time

... so why not work this at the front end also, using the same setup,
ie, copy your ftp executable to another name like "ftp.K12", and change
its access and permissions to be run only by the new K12 group.
It should still reference the same ol' /etc/shells and all ...
Good luck!
 
++ Ron vasey@issi.com International Software Systems Peace! ++
        1+512+338-5724 9430 Research, Austin TX 78759 <><
--------------------------------------------------------------------

Subject: Re: Can two groups merge to form a third in /etc/group
To: pva@nova.gmi.edu (Paul Alukal)
Date: Wed, 10 Feb 1993 16:46:03 -0500 (EST)
Reply-To: jpd@cad.msu.edu
X-Mailer: ELM [version 2.4 PL17]
Content-Type: text
Content-Length: 872
Status: OR

"Paul Alukal"
>
> >
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > Joseph P. DeCello III E-mail: jpd@cad.msu.edu
> > Michigan State University phone: (517) 353-3027
> > Specialized Computing Support Services hours: 10am-5pm ESTDST
> >
> Thanks for the reply. We run NIS and use net groups nested as you are
> suggesting. However, I am trying in /etc/groups.
>
> Thanks again.
>
> Paul Alukal pva@nova.gmi.edu
>

Oh, wooops. Misunderstood the intent. Ummm... Haven't tried that.
BTW, I made /etc/groups on the NIS server separate from the file
I make the NIS map groups from. I called mine /etc/ypgroups. This
fixed the problem of them not working correctly in 4.1.1. Of course
you need to change the Makefile accordingly. Just some 2cents to make
my reply worth sending.

-Joe
---------------------------------------------------------------------

From: katkam@fuwutai.att.com
Date: Wed, 10 Feb 93 17:13 EST
Original-From: fuwutai!katkam (Anil Katakam +1 201 386 2524)
To: pva@nova.gmi.edu
Subject: Can two groups merge to form a third in /etc/group
Status: OR

Yes can be done.

group3:*:GID:faculty,k12

is the answer.

 Anil Katakam
 AT&T Bell Labs,
 67 Whippany Rd.,
 Room 2a-101
 Whippany,NJ 07981
Phone 201-386-2524
FAX: 201-386-4072
EMail: Anil.Katakam@att.com
--------------------------------------------------------------------

To: pva@nova.gmi.edu
In-Reply-To: Paul Alukal's message of Wed, 10 Feb 93 10:24:04 EST <9302101524.AA09221@nova.gmi.edu>
Subject: Can two groups merge to form a third in /etc/group
Status: OR

It's probably more pain than you wanted to undergo, but the Q&D would
be to create the new group and let both the K12 and faculty userids be
in it.

On the plus side, you'd then have a way for the odd newcomer, visitor,
or whoever to be granted 24-hr ftp rights.

Moderation in all things, except love.
Louis M. Brune ANDATACO
louis@andataco.com 9550 Waples Street
619-453-9191 x171 San Diego, CA. 92121
-----------------------------------------------------------------------

Date: 10 Feb 1993 17:26:01 -0600 (CST)
From: macphed@dvinci.usask.ca (Ian MacPhedran)
Subject: Re: Can two groups merge to form a third in /etc/group
To: pva@nova.gmi.edu
X-Envelope-To: pva@nova.gmi.edu
Content-Transfer-Encoding: 7BIT
Status: OR

>Thanks for any suggestions.

These aren't answers to your direct question, which I think could
only be resolved by creating a third group with explicit membership
by all the individuals desired. (I.e. you make an /etc/group entry
with all the usernames.)

How about having the ftp binary owned by the restricted group, and
chmod 705 ftp when you restrict it, and chmod 755 ftp to release it?

(This of course is not a simplification, if you have more than one
group of restricted users.)

You could also make two copies of the ftp binary - one for each group.

Ian.
Ian MacPhedran, Engineering Computer Centre, University of Saskatchewan.
2B13 Engineering Building, U. of S. Campus, Saskatoon, Sask., CANADA S7N 0W0
macphed@dvinci.USask.CA (306) 966-4832 Ian_MacPhedran@engr.USask.CA
-----------------------------------------------------------------------

Date: Wed, 10 Feb 93 18:34:03 CST
From: Mike Raffety <miker@il.us.swissbank.com>
X-Organization: Swiss Bank Corporation
Message-Id: <9302110034.AA08194@trinity.sbcoc.com>
To: pva@nova.gmi.edu
Subject: Re: Can two groups merge to form a third in /etc/group
Status: OR

Instead, you need to create a third group, with both groups, and chown
your ftp binary to that new group. There's no way to automatically say
that a group should be the members of the other two groups (it's not
netgroups).

BTW, you realize that students can STILL use FTP ... they just have to
provide their own binary, write their own client, or just use something
like telnet-ing or mconnect-ing to the FTP port number.
-----------------------------------------------------------------------

From: blymn@mulga.awadi.com.AU (Brett Lymn)
Subject: Re: Can two groups merge to form a third in /etc/group
To: pva@nova.gmi.edu
Date: Thu, 11 Feb 1993 12:39:35 +1030 (CST)
Content-Type: text/plain; charset=US-ASCII
Content-Length: 855
Status: OR

According to Paul Alukal:
>
>We restrict ftp command to students - only people in the faculty
>group (in /etc/group) can use it all the time (students are restricted
>by using cron, changing the mode of the ftp file) and ftp
>belong to faculty group.
>

I hope that they do not know how to use the cp command :-)

>Now, I have to add another large group of people, (K12 group
>in /etc/group), and allow them to use ftp all the time. They
>don't come under faculty group and if I can combine faculty
>group and K12 group to form a third one, put ftp in that group,
>this will solve the problem.
>

I am not sure, but I don't think that you can.

-- 
Brett Lymn                              | "Smoke me a kipper, I will be
Computer Systems Administrator          |  back for breakfast"
AWA Defence Industries                  | - Arnold "Ace" Rimmer
---------------------------------------------------------------

Date: Thu, 11 Feb 93 14:45 CST
From: trdlnk!mike@uunet.UU.NET (Michael Sullivan)
To: uunet!nova.gmi.edu!pva@uunet.UU.NET
Subject: Re: Can two groups merge to form a third in /etc/group
Status: OR

You can't combine two groups in exactly the way you suggested; groups
aren't hierarchical, but you can achieve the same effect by taking
advantage of the fact that individual users can belong to multiple
groups (up to 16, I think). You should create a new group "ftpusers"
to which all the members of the faculty and K12 groups would also
belong and which would be the group owner of the ftp command.
---------------------------------------------------------------------

Date: Thu, 11 Feb 93 17:40:02 EST
From: keener@upenn5.hep.upenn.edu (Paul T. Keener)
Message-Id: <9302112240.AA10766@upenn5.hep.upenn.edu>
To: pva@nova.gmi.edu
Subject: Re: Can two groups merge to form a third in /etc/group
Status: OR

>Is there any way I can merge two groups in /etc/group
>to form a third one? The reason is like this.

There is no easy way of doing this that I know of. There is another solution, however.

If you want every user, except those in a particular (unix) group to run a command, you can make the group of the command the same as the group of the set of people you do *not* want to run the command. Then simply do not give execute permission to the group.

This works because the permission checking algorithm uses the most specific set of permissions applicable. Thus it will always use the owner permissions for the owner, regardless of what the group and other permissions are, and similarly for the group (except of course for the owner of the file).

-paul
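
The permission check that Ian MacPhedran's `chmod 705` suggestion and Paul Keener's explanation both rely on, as an added example that is not part of either reply. It is a model of the classic owner/group/other selection only: the user names, UIDs and GIDs are constructed, the binary is assumed to be owned by root, and the root bypass and ACLs are not modelled. The sample user "ta" belongs to both faculty and students and shows the edge case: membership in the file's group decides the outcome even when the user would pass as "other".

```shell
#!/bin/sh
# Added example: model of the classic UNIX owner/group/other execute check.
# User names, UIDs and GIDs are constructed; root and ACLs are not modelled.

# in_list ITEM "SPACE SEPARATED LIST"
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# may_exec MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Exactly one class is consulted: owner, else group, else other.
may_exec() {
    mode=$((0$1)) fuid=$2 fgid=$3 uid=$4 gids=$5
    if [ "$uid" -eq "$fuid" ]; then
        bit=$(( (mode >> 6) & 1 ))      # owner execute bit (0100)
    elif in_list "$fgid" "$gids"; then
        bit=$(( (mode >> 3) & 1 ))      # group execute bit (0010)
    else
        bit=$(( mode & 1 ))             # other execute bit (0001)
    fi
    [ "$bit" -eq 1 ]
}

# report MODE FILE_GID
# Prints "name=yes|no" for each sample user against a root-owned binary.
# GIDs: 100 faculty, 200 k12, 300 students; "ta" is in faculty and students.
report() {
    res=
    for entry in prof:2001:100 kid:2002:200 stu:2003:300 "ta:2004:100 300"; do
        name=${entry%%:*}; rest=${entry#*:}
        if may_exec "$1" 0 "$2" "${rest%%:*}" "${rest#*:}"; then
            res="$res$name=yes "
        else
            res="$res$name=no "
        fi
    done
    printf '%s\n' "${res% }"
}

report 750 100   # original setup: group faculty, no access for others
report 705 300   # restricted hours: group students, group execute removed
report 755 300   # released: everyone may execute
```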



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:29 CDT