From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Furness
Subject: Recursive groups anyone?
Date: 13 Sep 2002 12:17:33 +0100
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <1031915854.1765.20.camel@Zebra>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
List-Id:
Content-Type: text/plain; charset="us-ascii"
To: admin

Hi.

I just spent a good hour scouring the Internet for this, and came up with a blank. Maybe someone on here has an answer...

I'm looking to do something that is conceptually very simple: I want to create recursive entries in linux groups so that I can make groups members of other groups. For example:

group1:x:1000:paul,matt,dave
group2:x:1001:karen,sally,tara
biggroup:x:1002:bossman,lampyman,group1,group2

I'm pretty sure that you can't do this normally, but _someone_ must have wanted to do this before. Does anyone know of any way of making this happen? If so, are there any good security reasons not to do it?

Presumably, this is not a function of the file system (be it ext3, reiserfs, xfs or whatever) but rather the security modules in the kernel. What actually looks up group membership when you try and read a file? Does anyone have any thoughts on the ease (or not) of hacking that part of the kernel? Similar code already exists in sendmail and similar for mail groups. Hmm, I wonder how portable that might be?

Another problem (which is a separate thing, I guess) is that if I change the group membership of someone, they have to log out and back in again to get their new groups showing. Does anyone know how to make this dynamic?

I suppose another approach might be to write a front-end script that manipulates the group file (it's shared using NIS so I only have to do it in one place) and allows me to easily manage group memberships and make people members of many, many groups (typically people are already in 5 or so groups).

I _could_ create a group for each group of files and then add people to all the groups they need access to, but that's bloody complicated to keep track of! Groups in groups would be _so_ much easier. Also, this still doesn't prevent the logging out / in thing.

All the file systems are used by people over NFS, so there might also be a way of doing this at the NFS level, but I think that may be slower and I'd rather it worked on local file systems as well. This would, however, probably be dynamic so I could change memberships on the fly....

Any ideas anyone?

Paul.

--
Paul Furness
Systems Manager
2+2=5 for extremely large values of 2.
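The "front-end script" approach mentioned in the post, as an added example that is not part of the original message: the kernel only ever consults the flat list of supplementary GIDs attached to a process at login, so nesting has to be resolved before the group file is published (to NIS or /etc/group). This script reads a group file in which a member may be the name of another group, expands such entries recursively while refusing to loop on cycles, and emits a standard flat group file. The sample file is constructed from the post's example; the script assumes no user shares a name with a group (user-private groups would make that ambiguous).

```python
from typing import Dict, List, Tuple

# Constructed sample: the nested form from the post, where biggroup
# lists group1 and group2 as members instead of individual users.
SAMPLE_GROUP_FILE = """\
group1:x:1000:paul,matt,dave
group2:x:1001:karen,sally,tara
biggroup:x:1002:bossman,lampyman,group1,group2
"""

def parse_group(text: str) -> Dict[str, dict]:
    """Parse /etc/group style lines into {name: {passwd, gid, members}}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, passwd, gid, members = line.split(":", 3)
        groups[name] = {"passwd": passwd, "gid": gid,
                        "members": [m for m in members.split(",") if m]}
    return groups

def expand_members(groups: Dict[str, dict], name: str,
                   path: Tuple[str, ...] = ()) -> List[str]:
    """Flat, duplicate-free member list of `name`, recursing into members
    that are themselves group names. `path` is the chain of groups being
    expanded; hitting one again means a cycle (a lists b, b lists a), which
    is cut off instead of recursing forever. Assumes user names and group
    names never collide (see lead-in)."""
    if name in path:
        return []
    flat: List[str] = []
    for member in groups[name]["members"]:
        if member in groups:  # nested group: splice in its expansion
            for user in expand_members(groups, member, path + (name,)):
                if user not in flat:
                    flat.append(user)
        elif member not in flat:
            flat.append(member)
    return flat

def flatten_group_file(text: str) -> str:
    """Rewrite the file so every group lists only real user names, which is
    the only form login/NSS and the kernel's GID check understand."""
    groups = parse_group(text)
    out = []
    for name, g in groups.items():
        users = expand_members(groups, name)
        out.append(f"{name}:{g['passwd']}:{g['gid']}:{','.join(users)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(flatten_group_file(SAMPLE_GROUP_FILE), end="")
```

Because the kernel caches the GID list per process, users still need a fresh login (or a new session) to pick up the regenerated file; the script only removes the need to maintain the flat memberships by hand.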