As we have been discussing, you should avoid letting users run as root unless absolutely necessary. If a user's special needs are limited to data access, it may be possible to manipulate permissions and provide the capabilities they require. 

Group Permissions

If the data is in a directory which is accessible to the user, group permissions may be sufficient to provide the access required. The simplest method is to

• create a special group and place the user in that group.
• change the group of the data to the special group
• provide the required access using the group permissions of the data

A more modern approach than using a special group is to use an access control list to provide the access required. You may also find that using the file attributes a and i provide an additional layer of support. (ACLs and attributes will be discussed in a couple of weeks). Both of these solutions have two drawbacks that must be kept in mind

• if the data is a standard piece of data that is subject to replacement, its group and permissions may revert to the original at that time. In addition, a backup and restore of a file with an access control list may lose the ACL and/or attributes if it is not done carefully. This is especially true if the data is copied to another *nix system that does not support these extended capabilities.
  
• there is no logging of the user's actions. This drawback hampers the use of this technique for extremely sensitive system files.

Use of a special group to manage data among a group of people is complemented by the use a set-group-id directory. If the directory is set-group-id, any new files created in it are also placed in that group.

We discuss set-user-id and set-group-id later in this module.