3

I'm new with Linux and I worked on permissions recently. I'd like to find out if it is possible to schedule permission changes and how can it be done? I mean if I want to give say a group, access to a particular directory or file but I only want them to have it for one hour due to the work that needs to be done, is there a way for me to schedule an automatic change of permissions once that one hour is up? Thank you.


2 Answers

11

Because that just came up:

Generally, what you want is impossible with standard permission mechanisms.

While there are many ways to execute something at a given time, changing the permissions of a file that a process already has opened does not at all affect the process' abilities to modify the file.

So if you say something like "Make the file read+writable for user X. At 13:00, make the file read-only for user X", and user X opens the file for writing at 12:59, they will still be able to write to the opened file at 13:00, 13:01 or 23:59.

The file permission mechanism affects how a file can be opened. As soon as a program has a valid file handle to a file (e.g., through opening), changing permissions doesn't matter anymore. The time-of-check for permissions is only when the file is opened.

It does sound like you have something like temporary capability-based access controls in mind, but these are implemented very differently than what you describe. Maybe ask a new, different question, which explains the much bigger picture (what kind of organization are you in? Who decides who gets access? To what?) and asks how such systems are generally implemented on Linux.
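The open-descriptor behaviour described in this answer, as an added example that is not part of the original post: a shell function opens a constructed temp file, revokes write permission the way a scheduled chmod would, and then writes through the descriptor it already holds. The function name and the temp file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: permission is checked at open(2), not on each write(2).
# Works on a constructed temp file only.

demo_fd_survives_chmod() {
    f=$(mktemp) || return 1
    chmod 0600 "$f"

    # "12:59": the file is still writable, so open it and keep descriptor 3.
    exec 3>>"$f"
    echo "written before revocation" >&3

    # "13:00": the scheduled job revokes write permission.
    chmod 0400 "$f"

    # "13:01": the already-open descriptor is unaffected by the chmod.
    if echo "written after revocation" >&3; then
        old_fd="still writable"
    else
        old_fd="blocked"
    fi
    exec 3>&-

    # A fresh open() is where the new mode is enforced. root bypasses
    # mode bits (CAP_DAC_OVERRIDE), so this check only means something
    # when run as an unprivileged user.
    if [ "$(id -u)" -eq 0 ]; then
        new_open="root bypasses mode bits"
    elif ( : >>"$f" ) 2>/dev/null; then
        new_open="allowed"
    else
        new_open="denied"
    fi

    # Both lines are in the file: one from before, one from after the chmod.
    lines=$(wc -l <"$f")
    rm -f "$f"
    echo "old_fd=$old_fd new_open=$new_open lines=$((lines))"
}

demo_fd_survives_chmod
```

Run as an unprivileged user, the function reports the old descriptor as still writable while a new open for writing is denied, which is why a timed chmod on its own does not end access for sessions that already hold the file open.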

4

You are probably looking for the at command. For example:

chmod g+rwx /home/foo
echo "chmod g-rwx /home/foo" | at now +1hour

Change the chmod arguments to fit your particular need. The first command obviously sets the desired temporary permissions, the second schedules the reverse command to be executed one hour from now.

7
  • 7
    Beware that processes that have files or directories opened (including as their current working directory) will retain access to them after that chmod g-rwx. The check for permission is done at opening (or chdir) time. So you'd likely also want to kill the sessions of those users after the chmod g-rwx. Commented Oct 21 at 18:14
  • 4
    Beware at is not installed by default (despite it being a non-optional POSIX command) in recent versions of Debian. You may need a sudo apt install at. Commented Oct 21 at 18:15
  • @StéphaneChazelas I did not realize that at wasn't installed by default - good catch. Interesting question, at least to me, is if a user has a file open in vi or some other editor that keeps a second temp file open for editing and copies that file back to the original location when done, what happens if the directory and/or original file no longer allows writes? Commented Oct 21 at 18:19
  • 2
    I suppose the idea is that you're expected to use systemd-run or something like that which avoids having to run another daemon. Commented Oct 21 at 18:20
  • 3
    Related: using systemd-run to replace 'at' commands Commented Oct 21 at 18:28
