der folgende Kriterien erfüllt:
Dazu habe ich eine Frage bei Superuser gestellt, die aber nicht beantwortet wurde.
Quellenangabe für relevante Posts:
pwd
/home/map/DEL/ab2
# Variables
ROOTFLD=/home/map/DEL
FLD=ab2
GRP=map # group the teacher belongs to
# create folder, add start over
cd $ROOTFLD
rm -R $FLD
mkdir $FLD
# so that the group-owner will always be the teacher
chmod g+s $FLD
# we don't allow overwriting, deleting of files by others (like in /tmp), so set sticky bit
chmod +t $FLD
chown :$GRP $FLD
ls -ld $FLD
drwxr-sr-t 2 root map 4096 Feb 3 11:44 ab2
# ACL
setfacl -m u::rwx,g::rwx,o::rwx,d:u::rwx,d:o::--- $FLD
#setfacl -m u::rwx,g::rwx,o::rwx $FLD
getfacl $FLD
# file: ab2 # owner: root # group: map # flags: -st user::rwx group::rwx other::rwx default:user::rwx default:group::rwx default:other::---
tree -pu $FLD
ab2
0 directories, 0 files
====> Start watcher Skript now
Script watches a directory if a folder is created it changes its permissions for others to rwx instead of -wx which is the inherited default
WATCHERSCRIPT=/home/conf_imp/bin/abgabe_ordner2.sh
cat <<'EOF' >$WATCHERSCRIPT
#!/bin/bash +x
dir=$1
if [[ -z $dir ]];
then
echo "Enter path as argument"
exit
fi
echo "WATCHING: $dir"
# run forever
while true; do
inotifywait -r -q --format %w%f -e create "$dir" | while read f; do
echo "- CREATED: $f"
if [[ -d "${f}" ]] ; then
echo "FOLDER: ${f}, adding read,write,execute permission"
chmod o+rwx "${f}"
stat "${f}"
else
echo "FILE: $f, doing noting"
fi
done
done
EOF
chmod u+x $WATCHERSCRIPT
cat $WATCHERSCRIPT
#!/bin/bash +x
dir=$1
if [[ -z $dir ]];
then
echo "Enter path as argument"
exit
fi
echo "WATCHING: $dir"
# run forever
while true; do
inotifywait -r -q --format %w%f -e create "$dir" | while read f; do
echo "- CREATED: $f"
if [[ -d "${f}" ]] ; then
echo "FOLDER: ${f}, adding read,write,execute permission"
chmod o+rwx "${f}"
stat "${f}"
else
echo "FILE: $f, doing noting"
fi
done
done
cd $FLD
TESTCRIPT=test.sh
echo $TESTCRIPT
cat <<'EOFS' >$TESTCRIPT
#!/bin/bash +x
##### utility functions
function cfaou {
# creates file as specified user and writes his username into it
echo User $1 creates file $(pwd)/$2
sudo -u $1 bash <<EOF
(
whoami
) >> $2
EOF
}
function cdaou {
# creates folder as specified user
echo User $1 creates folder $(pwd)/$2
sudo -u $1 bash <<EOF
(
mkdir -p $2
)
EOF
}
function raou {
# creates folder as specified user
echo "--User $1 tries to read file $(pwd)/$2:"
sudo -u $1 bash <<EOF
(
cat $2
)
EOF
}
##### Tests, that should work
(
cdaou pi1 pi1_topfolder # create folders
cdaou pi1 pi1_topfolder/pi1_subfolder # create folders
sleep 1
cfaou pi1 pi1_topfile # create file in top folder
cfaou pi1 pi1_topfolder/pi1_subfile # create file in subfolder
cfaou pi1 pi1_topfolder/pi1_subfolder/pi1_subfile # create file in subfolder
# user pi2
cdaou pi2 pi2_topfolder # create folders
cdaou pi2 pi2_topfolder/pi2_subfolder # create folders
sleep 1
cfaou pi2 pi2_topfile # create file in top folder
cfaou pi2 pi2_topfolder/pi2_subfile # create file in subfolder
cfaou pi2 pi2_topfolder/pi2_subfolder/pi2_subfile # create file in subfolder
# as everybody can write to every directory, but not read files therein
cfaou pi2 pi1_topfolder/pi2_subfile # create file in subfolder
cfaou pi1 pi2_topfolder/pi1_subfile # create file in subfolder
cfaou pi2 pi1_topfolder/pi1_subfolder/pi2_subfile # create file in subfolder
cfaou pi1 pi2_topfolder/pi2_subfolder/pi1_subfile # create file in subfolder
) &> ok_create.log
(
# teacher (group map) can read all
echo "--- Reading ones own files"
raou pi1 pi1_topfile
raou pi1 pi1_topfolder/pi1_subfile
raou pi2 pi2_topfile
raou pi2 pi2_topfolder/pi2_subfile
echo "--- Teacher reading students files"
GRP=map
raou $GRP pi1_topfile
raou $GRP pi2_topfile
raou $GRP pi1_topfolder/pi1_subfile
raou $GRP pi2_topfolder/pi2_subfile
raou $GRP pi1_topfolder/pi2_subfile
raou $GRP pi2_topfolder/pi2_subfile
) &> ok_read.log
(
#### Tests, that should fail
# overwrite/append to other user's file
cfaou pi1 pi2_topfile
cfaou pi2 pi1_topfile
cfaou pi1 pi2_topfolder/pi2_subfile
cfaou pi2 pi1_topfolder/pi1_subfile
cfaou pi1 pi1_topfolder/pi1_subfolder/pi2_subfile
cfaou pi2 pi2_topfolder/pi2_subfolder/pi1_subfile
) &>err_write.log
(
echo "--- Reading ones own files"
raou pi1 pi2_topfile
raou pi2 pi1_topfile
raou pi1 pi2_topfolder/pi2_subfile
raou pi2 pi1_topfolder/pi1_subfile
raou pi1 pi1_topfolder/pi1_subfolder/pi2_subfile
raou pi2 pi2_topfolder/pi2_subfolder/pi1_subfile
) &> err_read.log
EOFS
chmod u+x $TESTCRIPT
cat $TESTCRIPT
#!/bin/bash +x
##### utility functions
function cfaou {
# creates file as specified user and writes his username into it
echo User $1 creates file $(pwd)/$2
sudo -u $1 bash <<EOF
(
whoami
) >> $2
EOF
}
function cdaou {
# creates folder as specified user
echo User $1 creates folder $(pwd)/$2
sudo -u $1 bash <<EOF
(
mkdir -p $2
)
EOF
}
function raou {
# creates folder as specified user
echo "--User $1 tries to read file $(pwd)/$2:"
sudo -u $1 bash <<EOF
(
cat $2
)
EOF
}
##### Tests
cdaou pi1 pi1_topfolder/pi1_subfolder # create folders
sleep 1
cfaou pi1 pi1_topfile # create file in top folder
cfaou pi1 pi1_topfolder/pi1_subfile # create file in subfolder
# user pi2
cdaou pi2 pi2_topfolder/pi2_subfolder # create folders
sleep 1
cfaou pi2 pi2_topfile # create file in top folder
cfaou pi2 pi2_topfolder/pi2_subfile # create file in subfolder
# as everybody can write to every directory, but not read files therein
cfaou pi2 pi1_topfolder/pi2_subfile # create file in subfolder
cfaou pi1 pi2_topfolder/pi2_subfile # create file in subfolder
bash $TESTCRIPT
cat ok_create.log
User pi1 creates folder /home/map/DEL/ab2/pi1_topfolder User pi1 creates folder /home/map/DEL/ab2/pi1_topfolder/pi1_subfolder User pi1 creates file /home/map/DEL/ab2/pi1_topfile User pi1 creates file /home/map/DEL/ab2/pi1_topfolder/pi1_subfile User pi1 creates file /home/map/DEL/ab2/pi1_topfolder/pi1_subfolder/pi1_subfile User pi2 creates folder /home/map/DEL/ab2/pi2_topfolder User pi2 creates folder /home/map/DEL/ab2/pi2_topfolder/pi2_subfolder User pi2 creates file /home/map/DEL/ab2/pi2_topfile User pi2 creates file /home/map/DEL/ab2/pi2_topfolder/pi2_subfile User pi2 creates file /home/map/DEL/ab2/pi2_topfolder/pi2_subfolder/pi2_subfile User pi2 creates file /home/map/DEL/ab2/pi1_topfolder/pi2_subfile User pi1 creates file /home/map/DEL/ab2/pi2_topfolder/pi1_subfile User pi2 creates file /home/map/DEL/ab2/pi1_topfolder/pi1_subfolder/pi2_subfile User pi1 creates file /home/map/DEL/ab2/pi2_topfolder/pi2_subfolder/pi1_subfile
cat ok_read.log
--- Reading ones own files --User pi1 tries to read file /home/map/DEL/ab2/pi1_topfile: pi1 --User pi1 tries to read file /home/map/DEL/ab2/pi1_topfolder/pi1_subfile: pi1 --User pi2 tries to read file /home/map/DEL/ab2/pi2_topfile: pi2 --User pi2 tries to read file /home/map/DEL/ab2/pi2_topfolder/pi2_subfile: pi2 --- Teacher reading students files --User map tries to read file /home/map/DEL/ab2/pi1_topfile: pi1 --User map tries to read file /home/map/DEL/ab2/pi2_topfile: pi2 --User map tries to read file /home/map/DEL/ab2/pi1_topfolder/pi1_subfile: pi1 --User map tries to read file /home/map/DEL/ab2/pi2_topfolder/pi2_subfile: pi2 --User map tries to read file /home/map/DEL/ab2/pi1_topfolder/pi2_subfile: pi2 --User map tries to read file /home/map/DEL/ab2/pi2_topfolder/pi2_subfile: pi2
cat err_write.log
User pi1 creates file /home/map/DEL/ab2/pi2_topfile bash: Zeile 3: pi2_topfile: Keine Berechtigung User pi2 creates file /home/map/DEL/ab2/pi1_topfile bash: Zeile 3: pi1_topfile: Keine Berechtigung User pi1 creates file /home/map/DEL/ab2/pi2_topfolder/pi2_subfile bash: Zeile 3: pi2_topfolder/pi2_subfile: Keine Berechtigung User pi2 creates file /home/map/DEL/ab2/pi1_topfolder/pi1_subfile bash: Zeile 3: pi1_topfolder/pi1_subfile: Keine Berechtigung User pi1 creates file /home/map/DEL/ab2/pi1_topfolder/pi1_subfolder/pi2_subfile bash: Zeile 3: pi1_topfolder/pi1_subfolder/pi2_subfile: Keine Berechtigung User pi2 creates file /home/map/DEL/ab2/pi2_topfolder/pi2_subfolder/pi1_subfile bash: Zeile 3: pi2_topfolder/pi2_subfolder/pi1_subfile: Keine Berechtigung
cat err_read.log
--- Reading ones own files --User pi1 tries to read file /home/map/DEL/ab2/pi2_topfile: cat: pi2_topfile: Keine Berechtigung --User pi2 tries to read file /home/map/DEL/ab2/pi1_topfile: cat: pi1_topfile: Keine Berechtigung --User pi1 tries to read file /home/map/DEL/ab2/pi2_topfolder/pi2_subfile: cat: pi2_topfolder/pi2_subfile: Keine Berechtigung --User pi2 tries to read file /home/map/DEL/ab2/pi1_topfolder/pi1_subfile: cat: pi1_topfolder/pi1_subfile: Keine Berechtigung --User pi1 tries to read file /home/map/DEL/ab2/pi1_topfolder/pi1_subfolder/pi2_subfile: cat: pi1_topfolder/pi1_subfolder/pi2_subfile: Keine Berechtigung --User pi2 tries to read file /home/map/DEL/ab2/pi2_topfolder/pi2_subfolder/pi1_subfile: cat: pi2_topfolder/pi2_subfolder/pi1_subfile: Keine Berechtigung
tree -pug $ROOTFLD/$FLD
/home/map/DEL/ab2 ├── [-rw-rw---- root map ] err_read.log ├── [-rw-rw---- root map ] err_write.log ├── [-rw-rw---- root map ] ok_create.log ├── [-rw-rw---- root map ] ok_read.log ├── [-rw-rw---- pi1 map ] pi1_topfile ├── [drwxr-srwx pi1 map ] pi1_topfolder │ ├── [-rw-rw---- pi1 map ] pi1_subfile │ ├── [drwxr-srwx pi1 map ] pi1_subfolder │ │ ├── [-rw-rw---- pi1 map ] pi1_subfile │ │ └── [-rw-rw---- pi2 map ] pi2_subfile │ └── [-rw-rw---- pi2 map ] pi2_subfile ├── [-rw-rw---- pi2 map ] pi2_topfile ├── [drwxr-srwx pi2 map ] pi2_topfolder │ ├── [-rw-rw---- pi1 map ] pi1_subfile │ ├── [-rw-rw---- pi2 map ] pi2_subfile │ └── [drwxr-srwx pi2 map ] pi2_subfolder │ ├── [-rw-rw---- pi1 map ] pi1_subfile │ └── [-rw-rw---- pi2 map ] pi2_subfile └── [-rwxrw---- root map ] test.sh 4 directories, 15 files
just if some of the utility functions should be run from ipython
##### utility functions
function cfaou {
# creates file as specified user and writes his username into it
echo User $1 creates file $(pwd)/$2
sudo -u $1 bash <<EOF
(
whoami
) >> $2
EOF
}
function cdaou {
# creates folder as specified user
echo User $1 creates folder $(pwd)/$2
sudo -u $1 bash <<EOF
(
mkdir -p $2
)
EOF
}
function raou {
# creates folder as specified user
echo "--User $1 tries to read file $(pwd)/$2:"
sudo -u $1 bash <<EOF
(
cat $2
)
EOF
}