topic Re: Contolling the directory access for the AD users on linux based SASApp server in Administration and Deployment

Contolling the directory access for the AD users on linux based SASApp server

ktkv5 — Tue, 16 Feb 2016 16:35:02 GMT

In our setup, the windows users dont have Linux presence and we are using the PAM authentication to authenticate them. I would like to create 2 directories DirA abd DirB, which are owned by GrpA and GrpB users respectively. Lets say I have 3 users X@abc.com,Y@ABC.com and Z@ABC.com and X is a member of GrpA and Y is a member of GrpB and Z is a member of both the groups. How can I achieve this in Unix?

Re: Contolling the directory access for the AD users on linux based SASApp server

Timmy2383 — Tue, 16 Feb 2016 16:42:54 GMT

If I understand you correctly, I think it would be something like the following.

You need to have the Linux groups created (GrpA/GrpB) and then have each user added to their respective group (presumably their GID, primary group, would be either GrpA or GrpB).

Then you need to create DirA and DirB and change the group ownership of the DirA and DirB to GrpA and GrpB. So something like: "chgrp GrpA /DirA"

So long as the user is a member of the appropriate group and the directory has execute permissions for the group that owns it they should have access to those directories.

Re: Contolling the directory access for the AD users on linux based SASApp server

ktkv5 — Tue, 16 Feb 2016 16:50:27 GMT

Yes Tim. Exactly!!! These users only have the windows presence and using SAS only through EG. If they place any external file in these directories only the members of that group should be able to see the files. I have created dirA and GrpA and changed the ownership of dirA to grpA and placed a file in that directory, modified the permissions to 770. If I login as userB I am able to see files under the dirA. Dont know what I am missing here

Re: Contolling the directory access for the AD users on linux based SASApp server

Timmy2383 — Tue, 16 Feb 2016 16:53:25 GMT

Can you show me current permissions for DirA and then issue the following commands send me the ouput?

id UserA
id UserB

Re: Contolling the directory access for the AD users on linux based SASApp server

ktkv5 — Tue, 16 Feb 2016 17:00:10 GMT

Current permissions for DirA is drwxrwx---+ and I apologize as I cannot send the output of the next commands as its sensitive data.

Re: Contolling the directory access for the AD users on linux based SASApp server

Timmy2383 — Tue, 16 Feb 2016 17:03:33 GMT

The only reason UserB should be able to access DirA, with the permissions as they are, is because UserB is in GrpA. You need to check the groups of UserB.

If you issue "groups UserB" is GrpA in the list?

Re: Contolling the directory access for the AD users on linux based SASApp server

ktkv5 — Tue, 16 Feb 2016 17:06:01 GMT

No. GroupA is not listed for the userB

Re: Contolling the directory access for the AD users on linux based SASApp server

Timmy2383 — Tue, 16 Feb 2016 17:07:34 GMT

How are you verifying that UserB can access DirA?

Re: Contolling the directory access for the AD users on linux based SASApp server

ktkv5 — Tue, 16 Feb 2016 17:10:30 GMT

I have logged in SAS EG as userB and expanded SASApp server> files> dirA and I can consume the file in my SAS code

Re: Contolling the directory access for the AD users on linux based SASApp server

Timmy2383 — Tue, 16 Feb 2016 17:14:43 GMT

I just noticed, you sent me the permissions for /DirA but not the long listing that shows the owner and group. Can you show that as well?

Can you putty into the server and see the SAS process for your session? Can you verify that's actually running under UserB and not one of the SAS service accounts (like sassrv)?

Re: Contolling the directory access for the AD users on linux based SASApp server

ktkv5 — Tue, 16 Feb 2016 17:17:48 GMT

Hi Tim,

Please find the info asked

drwxrwx---+ 2 sasadmin dirA 4096 Feb 10 19:17 dirA

Re: Contolling the directory access for the AD users on linux based SASApp server

Timmy2383 — Tue, 16 Feb 2016 17:25:12 GMT

I'm not too familiar with them, but the "+" at the end of your permissions string may indicate that you have ACLs (Access Control Lists) implemented. If I understand ACLs correctly, these could potentially be overriding the OS permissions you're trying to set. You might want to get with your Unix Admins to see if the ACLs may be overriding what you're trying to do.

Re: Contolling the directory access for the AD users on linux based SASApp server

ktkv5 — Tue, 16 Feb 2016 17:26:57 GMT

Sure Tim. I think thats whats happening. let me check with them and see what's going on