group permissions (was chroot ssh and ftp)
Dear Chris,
When you pointed out there would be no serious benefit in chrooting the users, I decided to hold this configuration for a while. Isolating the system will take some time, and some bureaucracy :)

Now, for the permissions stated before, this is what I have so far:

Professors belong to two groups, professors and students
Students belong only to alumini
Admins belong to all

Then I run in the professors' /home dirs the following commands:

    chown -R :professors paul peter patrick
    chmod -R 700 paul peter patrick

No need for the SGID bit because their default group is professors.

In the students' /home dirs I did:

    chown -R :students sam simon sony
    chmod -R 770 sam simon sony
    chmod g+s sam simon sony

Also, I edited /etc/pam.d/common-session and added

    session optional pam_umask.so umask=007

This way, new files would be created by default with rwxrwx--- and SGID will make them belong to students.

The problem regarding people changing groups or permissions on their files is (very) poorly addressed with this script I made, to run as a cronjob twice a day:

    #!/bin/sh
    #----------------------------- begin
    cd /home
    THEUSERS=$(ls -1)
    #echo Cleaning the following users: $THEUSERS
    for USU in $THEUSERS; do
        # It's not staff
        if [ "$USU" != "alf" -a "$USU" != "art" -a "$USU" != "abbie" ]; then
            #echo found $USU, not admin
            # Is (s)he a student?
            if groups $USU | grep -q alumini; then
                #echo Cleaning $USU, student.
                chown -R $USU:student $USU
                chmod -R u+rw,g+rw,o-rwx $USU
            else
                #echo Cleaning $USU, professor.
                chown -R $USU:professor $USU
                chmod -R u+rw,g-rwx,o-rwx $USU
            fi
        fi
    done
    #----------------------------- end

I believe chown and chmod for students will quickly see no change is needed and exit for each file in the recursion. That's OK. The problem is that professor files start with 770 and are always changed by the script to 700. Also, it would be better to run recursively inside each dir and check if the file really needs a change, would it not?

(*) Do you guys have any better idea for the script?
(**) Is it possible to use the professors' default as 700 and the students' as 770? (And without the need for ACLs, or if ACLs are needed, can someone shed some light on the subject?)

Thanks for your attention,
Beco
--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CALuYw2zH3XfROs+tfskU20+xTJcZzapW57AhKoyGgLAqJOWSHQ@mail.gmail.com
group permissions (was chroot ssh and ftp)
Dr Beco <rcb@beco.cc> wrote:
> Now, for the permissions stated before, I got this until now:
> Professors belong to two groups, professors and students
> Students belong only to alumini
> Admins belong to all
> Then I run in professors /home/dirs the following command:
> chown -R :professors paul peter patrick
> chmod -R 700 paul peter patrick

The problem with this is that you're making files executable. Personally I think you'd be better off just fixing the professors' home directories. Failing that, just tweak the group and other permissions:

    chmod -R go= paul peter patrick

> To students /home/dirs I did:
> chown -R :students sam simon sony
> chmod -R 770 sam simon sony
> chmod g+s sam simon sony

Again, here you're making files executable, and you'd be better off just tweaking the group and other permissions:

    find sam simon sony -type d -exec chmod g=rwx,o= {} \;
    find sam simon sony ! -type d -exec chmod g=u,g+r,o= {} \;

In your script:

> if groups $USU | grep -q alumini; then
> #echo Cleaning $USU, student.
> chown -R $USU:student $USU
> chmod -R u+rw,g+rw,o-rwx $USU
> #echo Cleaning $USU, professor.
> chown -R $USU:professor $USU
> chmod -R u+rw,g-rwx,o-rwx $USU

> chmod -R u+rw,g+rw,o-rwx $USU

The student user may want to have removed write permission from their own access, so I would be inclined to honour that with something like this:

    chmod -R g=u,g+rw,o=

As I've suggested earlier, you probably don't need to tweak any of the professors' files, but just enforce 0700 on each professor's home directory.

Chris

Archive: http://lists.debian.org/v3ql49xq06.ln2@news.roaima.co.uk
group permissions (was chroot ssh and ftp)
> To: debian-user lists.debian.org
> Subject: Re: group permissions (was chroot ssh and ftp)
> From: Chris Davies
>
> Chris wrote:
> The problem with this is that you're making files executable. Personally
> I think you'd be better off just fixing the professors' home
> directories.

Do you mean in the script (professor branch) something like:

    chown $USU:professor $USU
    chmod go= $USU

This way one professor cannot see another's dirs, but inside home a file would be created (and stay) like: rw-rw----

Right? Don't need the -R.

> > chmod g+s sam simon sony
> Again, here you're making files executable, and you'd be better off just
> tweaking the group and other permissions:
>     find sam simon sony -type d -exec chmod g=rwx,o= {} \;
>     find sam simon sony ! -type d -exec chmod g=u,g+r,o= {} \;

Nice touch. I changed the script to:

    if groups $USU | grep -q alumini; then
        #echo Cleaning $USU, student.
        chown -R $USU:student $USU
        find $USU -type d -exec chmod u=rwx,g=rwx,o= {} \;
        find $USU ! -type d -exec chmod u+r,g=u,g+w,o= {} \;
    else
        #echo Cleaning $USU, professor.
        chown $USU:professor $USU    # not recursive
        chmod u=rwx,go= $USU         # not recursive
    fi

> the student user may want to have removed write permission from their own
> access, so I would be inclined to honour that with something like this:
>     chmod -R g=u,g+rw,o=

Yes, thanks. I just add that students can wrongly do a u-r, so I added a u+r. Will this sequence work?

    u+r,g=u,g+w,o=

I thought to add r to users, then copy r and possible x to groups, then add w to groups. I believe it's OK, isn't it?

> As I've suggested earlier, you probably don't need to tweak any of
> the professors' files, but just enforce 0700 on each professor's home
> directory.
> Chris

Yep! Great.

Thanks,
Beco
--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942

Archive: http://lists.debian.org/CALuYw2w6T0c0RJnKy1Zxsg7opWOqP7506xa7t0Q8G2e1c1hvcA@mail.gmail.com
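The following is an added example, not code from either of the posters above. It exercises the find-based student fix-up and the symbolic sequence u+r,g=u,g+w,o= discussed in the two posts above on a throwaway directory tree under mktemp instead of /home, shows what the pam_umask umask=007 setting does to a newly created file, and adds a cheap "does anything actually need changing" pre-check so the cron job does not rewrite every file twice a day. It assumes Linux with GNU coreutils and findutils (stat -c, find -perm /mode); the file names and modes in the sample tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: permission fix-ups from the thread, run on a scratch tree.
# Assumes GNU stat/find (Linux). Sample tree contents are constructed here.

# Octal mode of a path, e.g. "660".
mode_of() {
    stat -c '%a' "$1"
}

# Build a constructed sample "student home" containing the kinds of wrong
# modes the cron job is meant to repair. Prints the directory path.
make_sample_home() {
    dir=$(mktemp -d) || return 1                       # mktemp -d gives 700
    mkdir "$dir/project";    chmod 755 "$dir/project"     # world-readable dir
    : > "$dir/notes.txt";    chmod 644 "$dir/notes.txt"   # world-readable file
    : > "$dir/run.sh";       chmod 755 "$dir/run.sh"      # executable, world-readable
    : > "$dir/secret.txt";   chmod 600 "$dir/secret.txt"  # user-only, no group access
    : > "$dir/broken.txt";   chmod 200 "$dir/broken.txt"  # student did a u-r
    printf '%s\n' "$dir"
}

# Student branch as proposed in the thread: directories get rwx for user and
# group and nothing for other; files get u+r back, group bits copied from the
# user bits (so an executable stays executable for the group), group write,
# and nothing for other.
fix_student_home() {
    find "$1" -type d   -exec chmod u=rwx,g=rwx,o= {} \;
    find "$1" ! -type d -exec chmod u+r,g=u,g+w,o= {} \;
}

# Professor branch: only the home directory itself is locked down; files
# inside it are left alone (no -R).
fix_professor_home() {
    chmod u=rwx,go= "$1"
}

# Number of entries under a tree that still need fixing: anything with a
# permission bit set for "other", or lacking group read+write. Lets the cron
# job skip the chmod pass entirely when this is 0.
count_needing_fix() {
    find "$1" \( -perm /o+rwx -o ! -perm -g+rw \) | wc -l | tr -d ' '
}

# Mode a plain file gets when created under a given umask (what the
# pam_umask umask=007 line achieves for login sessions). Uses a subshell so
# the caller's umask is untouched; mktemp itself always uses 0600, so the
# file is created with a redirection instead.
new_file_mode_with_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; : > "$d/new" )
    mode_of "$d/new"
    rm -rf "$d"
}

# Stand-alone demonstration on the constructed tree.
sample=$(make_sample_home)
echo "before: $(count_needing_fix "$sample") entries need fixing"
fix_student_home "$sample"
echo "after:  $(count_needing_fix "$sample") entries need fixing"
echo "run.sh -> $(mode_of "$sample/run.sh"), broken.txt -> $(mode_of "$sample/broken.txt")"
echo "umask 007 gives new files mode $(new_file_mode_with_umask 007), umask 022 gives $(new_file_mode_with_umask 022)"
rm -rf "$sample"
```

Walking the u+r,g=u,g+w,o= sequence on broken.txt (mode 200): u+r gives 600, g=u copies the user bits to give 660, g+w is then a no-op, and o= clears nothing that was set, so the file ends at 660. On run.sh (755) the same sequence ends at 770, the execute bit surviving because g=u copies it. The count_needing_fix pre-check is the answer to "check if the file really needs a change": run the two chmod passes only when it is non-zero.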
group permissions (was chroot ssh and ftp)
Dr Beco <rcb@beco.cc> wrote:
> Do you mean in the script (professor branch) something like:
> chown $USU:professor $USU
> chmod go= $USU

Yes.

> This way one professor cannot see each other's dirs, but inside home a
> file would be created (and stay) like: rw-rw----
> Right? Don't need the -R.

Correct.

> Yes, thanks. I just add that students can wrongly do a u-r, so I added
> a u+r. Will this sequence work?

Depending on the level of competence of your students, you might want to let them shoot themselves in the foot, and just fix up group/other permissions. (Good learning exercise, maybe.)

Chris

Archive: http://lists.debian.org/71jo49xln4.ln2@news.roaima.co.uk