> Off the cuff: all student dirs have a group owner of "professors" with
> rwx perm, and students are not in that group.
> Professors are in group "professors" and the group owner of their dirs
> is "professors" but the perms for group are blank (or make the group
> owner "admins" or something).
> Make use of sgid and umask so everything stays proper. Not sure about
> chrooting. Is that really needed?
> I think that should work if you just want to stop casual
> interference/reading. If you want to presume that students and/or
> professors may mount sophisticated, persistent attacks, you need to
> set up much more serious security, probably including ACLs,
> Capabilities, SELinux, restricted shells, etc.
> I am not a security expert at all, salt to taste.
> Kelly Clowers
Hi Kelly, hi guys,
Thanks for the explanation. I never used SUID, GUID and UMASK, so I
did some research about it here . I see that this could probably
work. It's weird though to have a student issue the command
and see his files owned by him, and group professor, him being a student.
-rwx------ 3 sam professor 4kB Mar 29 15:59 studsamfile.txt
But I think I can do the same by letting students in group student,
and adding all professors to that group also, can't I?
Let's say these examples here:
I wonder, can't a student simply give the command chown and make a
mess with it all?
Now, maybe this group permission is a good way to deal with who can
see what, but the main point of the thread is CHROOTing the users
inside /home. Yes, Kelly, I do believe they can cause
(non-sophisticated) problems, because I saw some history commands
(like this one I can't explain: $explode professor's computer,
hopefully I did not have the 'explode' package installed, and all the
student got was a 'command not found'). Also, this server has a very
fast link with a governmental institution that must be preserved from
outsiders' attacks (that can be a little more sophisticated).
I'll not install ACL or SELinux, but if by restricted shell you mean
chroot a system, then yes. Let's get back on track.
From  I got that to keep ftp on /home is easy. But the site is
for debian lenny.
I just need a working sftp to change to
Match Group users
And quote: "If you chroot multiple users to the same directory, but
don't want the users to browse the home directories of the other
users, you can change the permissions of each home directory as
$chmod 700 /home/falko
Now this chmod may conflict with the previous solution.
Still  tells me there is a script that helps locking a user to the
home directory. Is this the procedure to follow in debian squeeze?
$chmod 700 /usr/local/sbin/make_chroot_jail.sh
In  I found that I need to manually copy a lot of programs to the
new root. Do I really need that? Is there an easy way to prevent
something like $cd .. from a user in his dir?
Maybe I did ask for a solution to a problem that should be
addressed in both ways: group perms and chroot. If that is the case, a
moderator might want to split the thread to something like: group
permissions (was chroot ssh and ftp)
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942
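
The group-owner, setgid and umask layout outlined in the quoted reply, and the effect of the per-home `chmod 700` on it, as an added example that is not part of the original message. It runs unprivileged in a scratch directory, so the caller's own group stands in for "professors"; the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: group-owner + setgid + umask on a scratch directory.
# Assumption: run unprivileged, so the caller's own primary group stands in
# for "professors" (creating real groups and chgrp to them needs root).

# Print the 10-character mode string of a path, e.g. drwxrws---
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create a student home "sam" under $1 with the proposed layout, then create
# a file and a subdirectory in it the way a login shell with umask 007 would.
# Prints the path of the new home.
make_student_home() {
    home="$1/sam"
    mkdir "$home"
    chmod 2770 "$home"    # owner rwx, group rwx, setgid, nothing for others
    (
        umask 007         # new files 660, new directories 770
        cd "$home" || exit 1
        : > notes.txt
        mkdir project
    )
    echo "$home"
}

# Succeed if the group owner can list and enter the directory.
group_can_enter() {
    case "$(mode_of "$1")" in
        d???r?[xs]*) return 0 ;;
        *) return 1 ;;
    esac
}

scratch=$(mktemp -d)
home=$(make_student_home "$scratch")
echo "home:    $(mode_of "$home")"
echo "file:    $(mode_of "$home/notes.txt")"
echo "subdir:  $(mode_of "$home/project")"

# The per-home chmod 700 from the quoted tutorial removes the group's access,
# which is what the first layout relies on.
chmod 700 "$home"
if group_can_enter "$home"; then
    echo "group owner still has access"
else
    echo "after chmod 700: group owner locked out ($(mode_of "$home"))"
fi
rm -rf "$scratch"
```

On Linux the subdirectory also carries the setgid bit, because directories created inside a setgid directory inherit it along with the group.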