On Thu, May 11, 2000 at 09:53:07AM -0400, Ed.Q.Bridges wrote:
<snip>
> * create a group for each user (like, for user "joe",
> make a group called "joegroup"). the only members of
> each group are the user themself and webmister.
> set the permissions such that each item you want webmister
> to access has the group write bit set. the downside
> to this is that it's a maintenance headace if you've
> got a lot of users for which you have to create groups
> for.
most distros do this by default with the so called `user private
group' setup, the problem with this is usually the user has a 00?
umask and all there files/home dir is owned by this group, so if
anyone else is a member of this group they have full read-write access
to all the users files..
> * if webmister only needs to do a few simple things in each
> user's directories, you could grant sudo access to those
> commands (if you're able to install sudo), say for vi
^^^^^^
careful! vi allows shell escapes, letting someone run vi as root is
the same as letting them have a root shell!
> to edit files, or cp to copy files. this is a difficult
> scenario because you're basically running those commands
> as root. if you were only having to copy files on a regular
sudo iirc allows you do sudo to other users then root for commands,
but you still have the same problem with vi, running vi as user foo is
the same as giving a user foo shell.
<snip>
> you've basically stumbled onto one of the weak areas of unix
> security, and one which people usually throw up there hands
> about and chmod everything to 777. hang in there :)
what you need is ACLs, there is a ACL patch for linux around
somewhere, im not sure if it still works or not. ext2 had room for
acls for a long time but lacked kernel support, then the filesystem
space was hijacked for huge file support. im not sure where that
leaves acls...
maybe they will take the opertunity of ext3 to take care of adding
this missing filesystem stuff like capability bits and acls...
--
Ethan Benson
http://www.alaska.net/~erbenson/
