0

Given that users can be added to multiple groups, I'm in a situation where I need to restrict access to an intersection of groups rather than a union or subset of groups for a file.

More concretely, given permission group A and group B, I'd like to restrict access to users who are members of A and B, and not members of A-only or B-only. Current ACL usage allows you to restrict access to users who belong to A or B by adding to the ACL of a file.

The closest I've considered is some kind of nested directory scheme /dir_A/subdir_B/file. Here dir_A directory has execute-only permissions for A and subdir_B has execute-only permissions for B, and file has read-only permissions ACLs for A and B. As I understand this only prevents listing files and does not stop a user with only group A membership of reading the file given the full file path.

vtrubets
  • 103

1 Answers1

0

ACLs only complicate the situation, so for this question ignore them.

Given this:

drwx--x---  userC  groupA  directory_A
drwxr-x---  userC  groupB  directory_A/directory_B

The contents of directory_B can be accessed by only userC and users that are in both group_A and group_B.

Anyone in only one of the groups (other than ownerC) will be blocked by one directory or the other.

This sounds like what you proposed, so I don't see why you say it "does not stop a user with only group A membership of reading the file given the full file path".

Ray Butterworth
  • 257