
Dr Beco 04-01-2012 12:47 AM

group permissions (was chroot ssh and ftp)
 
Dear Chris,

When you pointed out there would be no serious benefit to chrooting
the users, I decided to hold this configuration for a while. Isolating
the system will take some time, and some bureaucracy :)

Now, for the permissions stated before, this is what I have so far:

Professors belong to two groups, professors and students
Students belong only to alumini
Admins belong to all

Then I ran the following commands in the professors' /home dirs:
chown -R :professors paul peter patrick
chmod -R 700 paul peter patrick
No need for the SGID bit because their default group is professors.

In the students' /home dirs I did:
chown -R :students sam simon sony
chmod -R 770 sam simon sony
chmod g+s sam simon sony

Also, I edited /etc/pam.d/common-session and added
session optional pam_umask.so umask=007
This way, new files would be created by default with rwxrwx---
And SGID will make them belong to students.

The problem regarding people changing groups or permissions in the
files is (very) poorly addressed with this script I made, to run as a
cronjob twice a day:


#!/bin/sh
#----------------------------- begin
cd /home || exit 1
THEUSERS=$(ls -1)
#echo Cleaning the following users: $THEUSERS

for USU in $THEUSERS; do
    # It's not staff
    if [ "$USU" != "alf" -a "$USU" != "art" -a "$USU" != "abbie" ]; then
        #echo found $USU, not admin
        # Is (s)he a student?  (-w: match the whole group name only)
        if groups "$USU" | grep -qw alumini; then
            #echo Cleaning $USU, student.
            # group names as in the chown commands above
            chown -R "$USU:students" "$USU"
            chmod -R u+rw,g+rw,o-rwx "$USU"
        else
            #echo Cleaning $USU, professor.
            chown -R "$USU:professors" "$USU"
            chmod -R u+rw,g-rwx,o-rwx "$USU"
        fi
    fi
done
#----------------------------- end



I believe chown and chmod for students will quickly see no changes are
needed and exit for each file in the recursion. That's ok.
The problem is that professor files start with 770 and they are always
changed by the script to 700.

Also, it would be better to run recursively inside each dir and check
if the file really needs a change, would it not?

(*) Do you guys have any better idea for the script?
(**) Is it possible to use 700 as the professors' default and 770 as the
students'? (And without the need for ACLs, or if ACLs are needed, can someone
shed some light on the subject?)


Thanks for your attention,
Beco



--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CALuYw2zH3XfROs+tfskU20+xTJcZzapW57AhKoyGgLAqJOWSHQ@mail.gmail.com

Chris Davies 04-01-2012 11:17 AM

group permissions (was chroot ssh and ftp)
 
Dr Beco <rcb@beco.cc> wrote:
> Now, for the permissions stated before, I got this until now:

> Professors belong to two groups, professors and students
> Students belong only to alumini
> Admins belong to all

> Then I run in professors /home/dirs the following command:
> chown -R :professors paul peter patrick
> chmod -R 700 paul peter patrick

The problem with this is that you're making files executable. Personally
I think you'd be better off just fixing the professors' home
directories. Failing that, just tweak the group and other permissions:

chmod -R go= paul peter patrick


> To students /home/dirs I did:
> chown -R :students sam simon sony
> chmod -R 770 sam simon sony
> chmod g+s sam simon sony

Again, here you're making files executable, and you'd be better off just
tweaking the group and other permissions:

find sam simon sony -type d -exec chmod g=rwx,o= {} \;
find sam simon sony ! -type d -exec chmod g=u,g+r,o= {} \;


In your script:
> if groups $USU | grep -q alumini; then
> #echo Cleaning $USU, student.
> chown -R $USU:student $USU
> chmod -R u+rw,g+rw,o-rwx $USU
> #echo Cleaning $USU, professor.
> chown -R $USU:professor $USU
> chmod -R u+rw,g-rwx,o-rwx $USU
> chmod -R u+rw,g+rw,o-rwx $USU

the student user may want to have removed write permission from their own
access, so I would be inclined to honour that with something like this:

chmod -R g=u,g+rw,o= "$USU"


As I've suggested earlier, you probably don't need to tweak any of
the professors' files, but just enforce 0700 on each professor's home
directory.

Chris


Archive: http://lists.debian.org/v3ql49xq06.ln2@news.roaima.co.uk

Dr Beco 04-01-2012 03:14 PM

group permissions (was chroot ssh and ftp)
 
> To: debian-user lists.debian.org
> Subject: Re: group permissions (was chroot ssh and ftp)
> From: Chris Davies
>
> Chris wrote:
> The problem with this is that you're making files executable. Personally
> I think you'd be better off just fixing just the professors' home
> directories.

Do you mean in the script (professor branch) something like:

chown $USU:professor $USU
chmod go= $USU

This way one professor cannot see each other's dirs, but inside home a
file would be created (and stay) like: rw-rw----
Right? No need for the -R.



> > chmod g+s sam simon sony
> Again, here you're making files executable, and you'd be better off just
> tweaking the group and other permissions:
>     find sam simon sony -type d -exec chmod g=rwx,o= {} \;
>     find sam simon sony ! -type d -exec chmod g=u,g+r,o= {} \;

Nice touch. I changed the script to:


if groups "$USU" | grep -qw alumini; then
    #echo Cleaning $USU, student.
    # group names as in the earlier chown commands
    chown -R "$USU:students" "$USU"
    find "$USU" -type d -exec chmod u=rwx,g=rwx,o= {} \;
    find "$USU" ! -type d -exec chmod u+r,g=u,g+w,o= {} \;
else
    #echo Cleaning $USU, professor.
    chown "$USU:professors" "$USU"   # not recursive
    chmod u=rwx,go= "$USU"           # not recursive
fi


> the student user may want to have removed write permission from their own
> access, so I would be inclined to honour that with something like this:
>     chown -R g=u,g+rw,o=

Yes, thanks. I'd just add that students can wrongly do a u-r, so I added
a u+r. Will this sequence work?
u+r,g=u,g+w,o=
I thought to add r to users, then copy r and possible x to groups,
then add w to groups. I believe it's ok, isn't it?


> As I've suggested earlier, you probably don't need to tweak any of
> the professors' files, but just enforce 0700 on each professor's home
> directory.
> Chris

Yep! Great.

Thanks,

Beco





Archive: http://lists.debian.org/CALuYw2w6T0c0RJnKy1Zxsg7opWOqP7506xa7t0Q8G2e1c1hvcA@mail.gmail.com

Chris Davies 04-02-2012 12:35 PM

group permissions (was chroot ssh and ftp)
 
Dr Beco <rcb@beco.cc> wrote:
> Do you mean in the script (professor branch) something like:
> chown $USU:professor $USU
> chmod go= $USU

Yes.

> This way one professor cannot see each others dirs, but inside home a
> file would be created (and stayed) like: rw-rw----
> Right? Don't need the -R.

Correct.



> Yes, thanks. I just add that students can wrongly do a u-r, so I added
> a u+r. Will this sequence work?

Depending on the level of competence of your students, you might want
to let them shoot themselves in the foot, and just fix up group/other
permissions. (Good learning exercise, maybe.)

Chris


Archive: http://lists.debian.org/71jo49xln4.ln2@news.roaima.co.uk
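As an added example (not a script posted in this thread), here is a cron-style enforcement script that follows the advice Chris gave across his replies: only each professor's top-level home directory is forced to 0700, student trees get only their group and "other" bits corrected, and every find touches just the entries whose group or mode actually differs, which answers Beco's concern about rewriting every file twice a day. The group names students, professors and alumini, the admin accounts alf, art and abbie, and homes sitting directly under /home are assumed from the thread.

```shell
#!/bin/sh
# Added example, not the script posted in the thread. Enforces per-role home
# permissions but only rewrites entries whose group or mode actually differs.
# Assumed from the thread: groups "students", "professors", "alumini";
# admin accounts alf, art, abbie; homes directly under /home.

# fix_home HOME ROLE GROUP
fix_home() {
    home=$1 role=$2 group=$3

    # Put the group back only where it drifted (e.g. a user ran chgrp).
    find "$home" ! -group "$group" -exec chgrp "$group" {} +

    case $role in
    student)
        # Directories: owner and group need rwx; files: group needs rw.
        find "$home" -type d ! -perm -770 -exec chmod u+rwx,g+rwx {} +
        find "$home" ! -type d ! -perm -060 -exec chmod g=u,g+rw {} +
        # Nothing for "other", anywhere in the tree.
        find "$home" \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec chmod o= {} +
        ;;
    professor)
        # Only the top-level directory is locked down; files stay as the
        # professor left them (Chris's suggestion).
        chmod u=rwx,go= "$home"
        ;;
    *)
        echo "unknown role: $role" >&2
        return 1
        ;;
    esac
}

# Walk /home, classifying each account by its supplementary groups.
enforce_all() {
    for dir in /home/*; do
        [ -d "$dir" ] || continue
        user=${dir##*/}
        case $user in
        alf|art|abbie) continue ;;          # staff: leave alone
        esac
        if id -nG "$user" | grep -qw alumini; then
            fix_home "$dir" student students
        else
            fix_home "$dir" professor professors
        fi
    done
}
```

Run enforce_all from root's crontab; fix_home can also be called by hand on a single home to repair one account.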

