Groups & The Filesystem

Let’s talk about a way to move the groups db into the filesystem. Why do it? Simplicity of administration, visualization and inspection. By leveraging filesystem operations for linking and nesting, we’ll create a flexible system without introducing any special tools. To put some users in www, for example, we just link them in to the appropriate group:

  /groups/
    www/
      a -> /home/a
      b -> /home/b

Users are identified by their home directory — we’ll use the conventional tilde from here on in. Because groups are directories, they can be nested:

  /groups/
    www/
      a -> ~a
      b -> ~b
      editor/
        c -> ~c
        d -> ~d

Here, a, b, c & d are part of www and c & d are additionally part of www/editor. Nesting groups with links has a slightly different implication:

  /groups/
    wheel/
      c -> ~c
      d -> ~d
    www/
      a -> ~a
      b -> ~b
      admin -> wheel

Once again, a, b, c & d are in www and c & d are in a special group, www/admin. Without unions, there’s no way to compose groups without creating new nested groups.

This system offers much of the flexibility of LDAP without the attendant confusion. Any filesystem object can be put in a group — allowing programs to have privileges that users do not, for example, to avoid the administrative shortcut of suid or sgid.
