
I have a release area that I (not a super user) manage. Nominally the privileges are 444 (Only read access for myself, group, and everyone). I don't want myself or a group to nominally have write access.

When I do a new release I need to allow myself to add to the directory (`chmod 644 my_dir`). When I'm done, I change it back (`chmod 444 my_dir`).

This works fine except when I'm gone or get hit by a bus. What I'd like is a group that could do this (e.g. tool_admins). However, if something has 444 privileges, only I, the owner of the directory, am allowed to change the privileges.

Is there any way to do this? The only way I could think of is for everyone to have a separate 'tool_admin' user that they could log into only when they are doing admin things (e.g. nanotek_tool_admin), and for the privileges to be 774 nominally. But that seems ridiculous.

nanotek
  • What do you perceive as the benefit of *"myself or a group to nominally have [no] write access"*, while still occasionally changing the permissions of this directory? IOW this seems to be your solution to some problem. What is the problem that this is supposed to solve? Perhaps instead of a `release directory`, you need a `release tarball`, i.e. an actual archive file, which is write-protected and its integrity can be verified with a checksum. – sawdust Aug 15 '19 at 23:50
  • We currently have full compiled releases of our tool(s), and people internally can easily switch versions (common) they are running with minimal overhead. I don't want read access nominally because accidents and bugs happen. We do have backups, but that's not the point. I'd like it if there was more than just me that could manage this area. – nanotek Aug 16 '19 at 03:14

0 Answers