LinuxQuestions.org
Linux - Desktop forum
Thread: semi-root or supervisor user

#1  schlabs (Member), 06-01-2011, 03:18 PM


Hi everyone.
I was cracking my head searching for an answer, but I can't find anything.

I have shared folders on a server; this server has 6 users (NFS mounted), and I need 2 of the users to be supervisors of their area, but the supervisors must not be root users.

EXAMPLE:

Group: FLINSTONE
  FRED
  Vilma
  bambam

Group: SIMPSON
  HOMER
  Lisa
  Bart

FRED must administer Vilma's & bambam's files (read, write, edit, change owner, like root) located in Vilma's & bambam's folders. Obviously Vilma and bambam can't edit FRED's files. FRED must NOT have access to the SIMPSON folder.

In the same way,
HOMER needs to supervise (edit, read, write, change owner like root) the files of Lisa and Bart. Lisa and Bart have limited access. And HOMER can't read the FLINSTONES folders.


I remember that in old Novell 4.0 this was possible. In Linux, using the sticky bit and ACLs, I can get the right user access, but I can't find how FRED and HOMER can be supervisors of a given group.

Any ideas???? THANKS in advance!!!!
 
#2  acid_kewpie (Moderator), 06-01-2011, 04:09 PM

Well, in terms of just implementing this with normal POSIX attributes, just have all users in their own dedicated group and only add Homer to the additional Simpsons group, and Fred to the Flintstones one. This may have implications on the other user attributes, but from what you've given us, that does cover it.

s/Vilma/Wilma/g ;-)
 
#3  schlabs (Member, Original Poster), 06-02-2011, 07:17 AM

Thanks, I will try that.

Wilma, hehehe, I remember the Spanish names, hehehe
 
#4  SL00b (Member), 06-02-2011, 08:54 AM

If you don't want the Simpsons to be able to access the files belonging to the Flintstones, and vice versa, then I'd put all of the Simpsons in one group, but make Homer the owner of all the files, and set the POSIX permissions on the files/directories as appropriate. Then do the same for the Flintstones, with all of the members in the Flintstone group, and Fred owning all the files.

If you want Fred and Homer to be able to chown files created by their family members, you're going to have to give them a method to do it. Only root and a file's owner can chown a file. Here's how I'd do it for Fred:

1) Create a script that chowns all files belonging to the Flintstones (let's say they're all at /mnt/Flintstones).
2) Make root the owner of the script, and the only user who can execute it.
3) Create a sudoers rule that allows Fred to run only that script.

Now he can take ownership of all the files in /mnt/Flintstones, and admin them to his heart's content, but he has no way to take control of anything in /mnt/Simpsons. Homer would then get a different script and sudoers rule.
 
#5  acid_kewpie (Moderator), 06-02-2011, 09:09 AM

> Originally posted by SL00b:
> If you don't want the Simpsons to be able to access the files belonging to the Flintstones, and vice versa, then I'd put all of the Simpsons in one group, but make Homer the owner of all the files, and set the POSIX permissions on the files/directories as appropriate. Then do the same for the Flintstones, with all of the members in the Flintstone group, and Fred owning all the files.
>
> If you want Fred and Homer to be able to chown files created by their family members, you're going to have to give them a method to do it. Only root and a file's owner can chown a file. Here's how I'd do it for Fred:
>
> 1) Create a script that chowns all files belonging to the Flintstones (let's say they're all at /mnt/Flintstones).
> 2) Make root the owner of the script, and the only user who can execute it.
> 3) Create a sudoers rule that allows Fred to run only that script.
>
> Now he can take ownership of all the files in /mnt/Flintstones, and admin them to his heart's content, but he has no way to take control of anything in /mnt/Simpsons. Homer would then get a different script and sudoers rule.

So what's wrong with my suggestion? You didn't mention that the file's GROUP can also have a rights level as well as the USER.
 
#6  SL00b (Member), 06-02-2011, 09:30 AM

> Originally posted by acid_kewpie:
> So what's wrong with my suggestion? You didn't mention that the file's GROUP can also have a rights level as well as the USER.

I don't know what's wrong with your suggestion. That's for schlabs to decide.

I think if you read it again, I'm pretty sure you'll find a mention of groups in there. In fact, if you follow what I'm saying, then you'd realize that GROUP permissions are the whole point.
 
#7  schlabs (Member, Original Poster), 06-02-2011, 10:50 AM

No problem, I will try all the suggestions on Sunday.

HOMER is the section chief of the quality section of a company, so he needs to manage the workers' files (Lisa & Bart) like root. The workers generate files all the time.

FRED is the chief of the research section of the same company.

Scripting is a valid option; admin work is not done all the time. Scripting can be configured, but it is preferable as a last resort. It can be a cron job too.

Obviously I prefer the automatic things: that HOMER can say this Lisa work is to be continued by Bart without any wait or task.

Sincerely thanks, I will try all of them.
 
#8  acid_kewpie (Moderator), 06-02-2011, 04:12 PM

> Originally posted by SL00b:
> I don't know what's wrong with your suggestion. That's for schlabs to decide.
>
> I think if you read it again, I'm pretty sure you'll find a mention of groups in there. In fact, if you follow what I'm saying, then you'd realize that GROUP permissions are the whole point.

Yes, but in your method, once an arbitrary script has been executed, the other normal users can no longer edit their own files. That makes no sense. There is no need for any sudoing or anything.
 
#9  SL00b (Member), 06-06-2011, 08:17 AM

> Originally posted by acid_kewpie:
> Yes, but in your method, once an arbitrary script has been executed, the other normal users can no longer edit their own files. That makes no sense. There is no need for any sudoing or anything.

Ummm... group write attribute??
 
#10  acid_kewpie (Moderator), 06-06-2011, 08:56 AM

If the non-special users are not in that group, then they can't write to it. Just because there are seen to be two groups of users here doesn't mean the users in that logical group need to be in the same POSIX group.
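The layout acid_kewpie describes in posts #2 and #10 is easy to get wrong in the details (who can traverse which directory, which permission triple the kernel actually consults), so here is a small model of it. This is an added example, not code from the thread or from any LinuxQuestions member: the user names, the /mnt/Flintstones and /mnt/Simpsons paths and the modes are assumptions that follow the thread's example. Every member gets a private primary group; only the two section chiefs are also members of the family group; each member's directory is setgid with the family group so new files inherit it and, with umask 007, come out 0660. The evaluator applies the classic POSIX rule (owner triple, else group triple, else other triple, never more than one) plus search permission on every ancestor, and reports whether the thread's requirements hold.

```python
from dataclasses import dataclass

# Constructed users: every user has a private primary group; only the two
# section chiefs are additionally members of the family group.
USERS = {
    "fred":   frozenset({"fred", "flintstones"}),
    "wilma":  frozenset({"wilma"}),
    "bambam": frozenset({"bambam"}),
    "homer":  frozenset({"homer", "simpsons"}),
    "lisa":   frozenset({"lisa"}),
    "bart":   frozenset({"bart"}),
}

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int          # permission bits, e.g. 0o2770 = setgid + rwxrwx---

# Constructed layout (paths assumed, not from the thread). /mnt/<family> is
# root-owned 0711 so every member can traverse into their own subdirectory
# without listing or entering the siblings. Each member directory is setgid
# with the family group, so files created inside inherit that group; with
# umask 007 they come out as 0660: rw for the owner and for the family group.
TREE = {
    "/mnt":                             Node("root",   "root",        0o755),
    "/mnt/Flintstones":                 Node("root",   "root",        0o711),
    "/mnt/Flintstones/fred":            Node("fred",   "flintstones", 0o2770),
    "/mnt/Flintstones/wilma":           Node("wilma",  "flintstones", 0o2770),
    "/mnt/Flintstones/bambam":          Node("bambam", "flintstones", 0o2770),
    "/mnt/Flintstones/fred/plan.txt":   Node("fred",   "flintstones", 0o660),
    "/mnt/Flintstones/wilma/notes.txt": Node("wilma",  "flintstones", 0o660),
    "/mnt/Simpsons":                    Node("root",   "root",        0o711),
    "/mnt/Simpsons/homer":              Node("homer",  "simpsons",    0o2770),
    "/mnt/Simpsons/lisa":               Node("lisa",   "simpsons",    0o2770),
    "/mnt/Simpsons/bart":               Node("bart",   "simpsons",    0o2770),
    "/mnt/Simpsons/lisa/report.txt":    Node("lisa",   "simpsons",    0o660),
}

R, W, X = 4, 2, 1

def bits_for(user, node):
    """Classic POSIX selection: the owner triple if the user owns the node,
    else the group triple if the node's group is one of the user's groups,
    else the other triple. Exactly one triple is consulted; root, which
    bypasses all of this, is deliberately not modelled."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in USERS[user]:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can(user, path, want):
    """True if `user` may perform `want` (R, W or X) on `path`: search (x) is
    required on every ancestor directory, then the requested bit on the node."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        if not bits_for(user, TREE["/" + "/".join(parts[:i])]) & X:
            return False
    return bool(bits_for(user, TREE[path]) & want)

def access_matrix():
    """The checks the thread cares about, as (user, path, perm) -> allowed."""
    cases = [
        ("fred",   "/mnt/Flintstones/wilma/notes.txt", W),  # chief edits a member's file
        ("bambam", "/mnt/Flintstones/wilma/notes.txt", R),  # member cannot read a sibling's file
        ("wilma",  "/mnt/Flintstones/fred/plan.txt",   W),  # member cannot edit the chief's file
        ("fred",   "/mnt/Simpsons/lisa/report.txt",    R),  # chief locked out of the other section
        ("homer",  "/mnt/Simpsons/lisa/report.txt",    W),  # other chief manages his own section
        ("lisa",   "/mnt/Simpsons/lisa/report.txt",    W),  # owner keeps full access to her own work
    ]
    return {(u, p, perm): can(u, p, perm) for u, p, perm in cases}

if __name__ == "__main__":
    names = {R: "read", W: "write", X: "search"}
    for (u, p, perm), ok in access_matrix().items():
        print(f"{u:7} {names[perm]:6} {p}: {'allowed' if ok else 'denied'}")
```

Because the chief's access comes from group membership rather than ownership, nothing ever has to be chowned for Fred to edit Wilma's files or for Homer to hand Lisa's work to Bart; moving the file into Bart's setgid directory keeps the family group, and Bart owns the copy he creates. The one thing the model makes visible is that a member's own directory must be what carries the family group: if a member created files in a directory without the setgid bit, they would get the member's private group and the chief would lose access to them.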
 
#11  SL00b (Member), 06-06-2011, 09:40 AM

> Originally posted by acid_kewpie:
> If the non-special users are not in that group, then they can't write to it. Just because there are seen to be two groups of users here doesn't mean the users in that logical group need to be in the same POSIX group.

Look, I'm not going to argue with you, because the thread is not about you. If the OP has any questions for me, I'll be happy to answer them.
 
#12  acid_kewpie (Moderator), 06-06-2011, 09:46 AM

Who said anything about arguing???
 
#13  schlabs (Member, Original Poster), 06-07-2011, 07:31 AM

> Originally posted by acid_kewpie:
> If the non-special users are not in that group, then they can't write to it. Just because there are seen to be two groups of users here doesn't mean the users in that logical group need to be in the same POSIX group.

How does HOMER become a special user???

Last edited by schlabs; 06-07-2011 at 07:45 AM. Reason: added HOMER word
 
#14  acid_kewpie (Moderator), 06-07-2011, 07:39 AM

You just log in as them, nothing special there.
 
#15  schlabs (Member, Original Poster), 06-10-2011, 03:30 PM

Is it possible to make a modified chown?
This script, suid root, can verify the user's identity and, if the UID is a section admin, allow the owner change.

The admins can be in
/etc/admin
with the content
HOMER
FRED

This needs console mode, but it is one way to do it simply.
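SL00b's sudoers-plus-script approach (post #4) and the suid "modified chown" with an /etc/admin list (post #15) both need the same piece: a privileged helper that decides what its caller may change. This is an added example, not code from the thread or from any LinuxQuestions member; the helper name /usr/local/sbin/family-chown, the POLICY table and the user and path names are assumptions. Two facts shape it. Linux ignores the setuid bit on interpreter scripts, so a "suid root script" would simply run unprivileged; and changing a file's owner needs CAP_CHOWN, which an ordinary owner does not have (an owner can only change the group, and only to one they belong to). Running the helper through sudo supplies both the privilege and an audit line per invocation, and sudo's SUDO_USER tells the helper who asked, so the caller's identity is never taken from an argument. The assumed sudoers rule is the fixed command with no wildcard, for instance `fred ALL=(root) NOPASSWD: /usr/local/sbin/family-chown`, with the helper root-owned and mode 0700 as post #4 suggests.

```python
"""family-chown: restricted ownership change for a section chief.

Installed root-owned, mode 0700, reached only via a sudoers entry naming
this exact path (assumed deployment, see lead-in). sudo decides WHO may run
it; this script decides WHAT that person may touch.
"""
import os
import pwd
import sys

# Constructed policy (not from the thread): which tree each section chief
# administers and who the members of that section are. In a real deployment
# this table would be read from a root-owned file such as the /etc/admin idea.
POLICY = {
    "fred":  {"tree": "/mnt/Flintstones", "members": {"fred", "wilma", "bambam"}},
    "homer": {"tree": "/mnt/Simpsons",    "members": {"homer", "lisa", "bart"}},
}

def inside(tree, path):
    """True if the fully resolved `path` lies under the resolved `tree`.
    Resolving symlinks first means a link planted inside the tree that points
    elsewhere (e.g. into the other section) is rejected rather than followed."""
    tree = os.path.realpath(tree)
    path = os.path.realpath(path)
    return path == tree or path.startswith(tree + os.sep)

def plan(requester, target, new_owner, policy=POLICY):
    """Validate the request and return the sorted list of paths whose owner
    would change. Raises PermissionError on any policy violation and touches
    nothing, so it doubles as a dry run."""
    entry = policy.get(requester)
    if entry is None:
        raise PermissionError(f"{requester} is not a section admin")
    if new_owner not in entry["members"]:
        raise PermissionError(f"{new_owner} is not a member of {requester}'s section")
    if not inside(entry["tree"], target):
        raise PermissionError(f"{target} is outside {entry['tree']}")
    target = os.path.realpath(target)
    if not os.path.lexists(target):
        raise FileNotFoundError(target)
    paths = [target]
    if os.path.isdir(target):
        for root, dirs, files in os.walk(target, followlinks=False):
            for name in dirs + files:
                p = os.path.join(root, name)
                if not os.path.islink(p):      # never retarget anything through a link
                    paths.append(p)
    return sorted(paths)

def apply(paths, new_owner):
    """Perform the change and return how many entries were touched. lchown never
    follows symlinks, so even if a directory is swapped for a link between plan()
    and apply(), the link inode rather than its target is what gets changed.
    The group id is left at -1, i.e. untouched, so the family group survives."""
    uid = pwd.getpwnam(new_owner).pw_uid
    for p in paths:
        os.lchown(p, uid, -1)
    return len(paths)

def main(argv):
    # The caller's identity comes from sudo, never from an argument.
    requester = os.environ.get("SUDO_USER")
    if not requester or len(argv) != 3:
        print("usage: sudo family-chown <path> <new-owner>", file=sys.stderr)
        return 2
    try:
        paths = plan(requester, argv[1], argv[2])
    except (PermissionError, FileNotFoundError) as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    apply(paths, argv[2])
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this, "Lisa's work continues with Bart" is `sudo family-chown /mnt/Simpsons/lisa/project bart`, run by Homer; the same command run by Fred is refused by sudoers before the script starts, and a request naming a path or a user outside Homer's section is refused by the script. The realpath check and the later lchown are not atomic, so a member who can rename directories under the tree could in principle race them; skipping symlinks and using lchown bounds what such a race can reach to inodes inside the tree, and the sudo log records every attempt.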
 