LinuxQuestions.org


pcardout 05-04-2006 11:51 PM

Allowing multiple users with shared userid to have different filesystem permissions
 
I am webmaster for our school.
The school pays for one Linux userid with a local ISP.
Our website runs out of /home/myschool/www.
Teachers and staff want to use subdirectories of this,
e.g.
/home/myschool/www/mrs_plum,
/home/myschool/www/principal,
/home/myschool/www/PTA.


However, I don't want them to accidentally trash the main web-site.
Has anyone come up with a linux facility with one login
but multiple passwords, in which the passwords set the
permissions?


I just want something like Linux groups, but groups work off
of userids. What if you've only got one? Any creative
ideas?

Geocritter 05-05-2006 04:44 AM

Interesting idea, and I can see where you are coming from; but to my knowledge, there is no way to do that with Linux, Unix, or even Windows for that matter. The problem is security. You would NEVER want multiple passwords to one account. Think how much fun a cracker would have with that one...several potential targets to let them into the same account, so all they'd have to do is start running a dictionary attack or whatnot, and would have multiple possibilities for getting in and wreaking havoc (or worse).

One thought, though, and off the top of my head and before my first cup of coffee this morning...I wonder *if* there is a way to password protect individual FOLDERS. That would kind of help solve your problem but in a roundabout way. Everybody logs in with the same user/pass, then goes to *their* own folder and has to enter an individual pass to get in. Granted, permissions for the users would be the same, but...everybody's individual folders would be safe from each other...

HTH,
d

HGeneAnthony 05-05-2006 06:00 AM

Reply
 
If I got the idea of what you want, and I just glazed it, you want a content management system like Mambo.

http://www.mamboserver.com/

These systems have the user update it through an interface in which they would sign on with a custom user/pass. You can then assign ACLs on the site declaring what user can do what. Sound right?

pcardout 05-07-2006 02:00 AM

Thanks for the clarity Geocritter -- even for a null result!

HGeneAnthony, I looked at Mambo -- interesting idea, but my ISP would have to let me run it, and then it's another learning curve for the teachers. What I am looking for exactly is Geocritter's password protected folders. I suppose we could all share the main web-site password, so long as the administrator password protected the first few folders and have the teachers go to their own. Maybe all we can do is set up our own machine with Apache, have our ISP host it, and create all the individual accounts we want. If anyone else has an idea of how users can share a single account w/o trouncing each other's work -- I'm all ears.

jschiwal 05-07-2006 02:12 AM

I imagine that the purpose is to let the teachers and others post their own webpages.

I think it would be better if they ran linux on a local machine and the system replicated a user's ~/www folder into ISP's respective www/subfolder.

pcardout 05-07-2006 03:28 AM

Thanks -- jschiwal -- Unfortunately, we inherited an all Windows infrastructure. The only thing running Linux here is our account on an ISP machine which we do not own. It may be that I need to buy a cheap machine and make it a Linux web server and link to it from the web-site we are paying for. I don't happen to know how to set up a web-server -- but I'm sure I could figure it out. If you have any ideas that meet our restrictions -- I'm still interested.

jschiwal 05-07-2006 09:07 AM

I don't think it would be too hard. There are plenty of books at Barnes and Nobles on LAMP (Linux Apache MySQL PHP). However, you may only need to set it up as an ftp server, so that the users can publish their webpages to it. Then have a service replicate from their account on your local server to the ISP's server. Posting a website uses ftp, so you don't even need Apache installed. However, being able to test your pages by browsing them on a local server would be convenient.

Another alternative is if each user's computer was set up to publish to their own subdirectory on the ISP server. So the principal's computer is set up to publish to /home/myschool/www/principal on the ISP's server. The staff to /home/myschool/www/staff, etc.

Although this second alternative wouldn't be the best, because each user might be able to use the ftp command and do whatever they wanted to the entire site.

If you had a local server, then you could have each user and/or group have their own account. The local server itself is what would have the credentials to connect to the ISP's server, and not any individual. So only one account would be needed at the ISP.

One thing that might be overlooked is if you have several users in the PTA group, for example, trying to modify the web pages for the PTA section. You may need to install some form of RCS at some point in the future. But if only one person in each group is responsible for their group's webpages, that wouldn't be a problem.

HGeneAnthony 05-07-2006 09:32 AM

Reply
 
Here's a few other ways you can go about this. One, if you use IIS it uses system accounts for authentication and then uses NTFS permissions to decide what they can do. Although this is better for authenticating users and deciding what pages they can access. Another concept might be using an FTP for file upload in which they would need their own user/pass. Using individual folders for specific users and a little ACL you can easily set up the permissions the way you want. This would be possible with Windows/Linux and IIS/Apache. You mentioned your ISP, are you using a virtual host or are you hosting it yourself? If you aren't hosting it the ISP might not allow multiple users and it won't be able to authenticate permissions by different password (Never heard of this anywhere). What I'd recommend, if you use a virtual host, is to set up a local web server using the methods I mentioned. Also set up Mambo (maybe) and have the users upload their stuff to that. If they're on the intranet they can view and interact with it, and then upload the files themselves. I would also look into an ISP that offers you PHP and MySQL and then use Mambo on it. You should be able to upload it. I doubt these users will use a MySQL database so this would allow them to create professional looking sleek sites with a nice ACL. It would make your job easier long term.

jschiwal 05-07-2006 06:04 PM

They only have one UID at the ISP's server. It sounds like it might be a feature of their internet service.
His goals are A) protect the main data in /home/myschool/www/ and B) allow three users to access data in their respective

I just had a thought. I bet the ISP wouldn't mind having 3 entries in the /etc/passwd file that look like this:

plum:x:1000:1000:Mrs Plum:/home/myschool/www/mrs_plum:/bin/bash
principal:x:1000:100:The Principal:/home/myschool/www/principal:/bin/bash
pta:x:1000:100:PTA:/home/myschool/www/PTA:/bin/bash

I'm not sure how well it would work, but if they just use the names and passwords for ftp authentication.

Another possibility is if the ftp server that the ISP uses can be set up to do its own authentication from a list. Then the user "principal" could be given permission to up/download to /home/myschool/www/principal and user "pta" to directory /home/myschool/www/pta.

Also, they may allow other user UIDs if they are only ftp clients. The /etc/passwd file could be something like this:

plum:x:1001:1000:Mrs Plum:/home/myschool/www/mrs_plum:/bin/ftp
principal:x:1002:1000:The Principal:/home/myschool/www/principal:/bin/ftp
pta:x:1003:1000:PTA:/home/myschool/www/PTA:/bin/ftp

One problem with this scheme is that these three users would need to enter the /home/myschool/ home directory. This could be solved if they were all members of the myschool group, or by using ACLs.

sudo setfacl -m u:plum:x /home/myschool /home/myschool/www
sudo setfacl -m u:principal:x /home/myschool /home/myschool/www
sudo setfacl -m u:pta:x /home/myschool /home/myschool/www
sudo chown principal /home/myschool/www/principal
sudo chown plum /home/myschool/www/mrs_plum
sudo chown pta /home/myschool/www/PTA

Now Mrs. Plum can use whatever web design program she wants and publish to /home/myschool/www/plum/, but can't snoop into /home/myschool/www/principal/. One potential problem with this idea is if the ISP's webserver won't run the principal's or plum's web pages. (Note that I'm assuming that the main myschool web pages have links to the principal's and pta's and plum's web pages.)

It's the public IP address, and the disk space that are the dearest resources from the ISP's point of view. Given that these users aren't using another IP address, and don't require more disk space on the server, the ISP may be willing to do this. They may also cut a school a bit of slack as a public service. The only thing they would be giving up would be 3 extra lines in the /etc/passwd and /etc/shadow files.
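
An added example, not part of the thread and not code from any poster: the first /etc/passwd proposal above gives three login names one UID, and file permissions are checked by UID rather than by name, so those logins are indistinguishable on disk. This sketch audits passwd-format text for that condition; the sample entries are constructed from the two proposals, and the `myschool` login with UID 1000 and both function names are assumptions.

```shell
#!/bin/sh
# Constructed sample data modelled on the two /etc/passwd layouts in the thread.
# The "myschool" login and its UID 1000 are assumptions for the school's one account.
SCHEME_SHARED='myschool:x:1000:1000:School:/home/myschool:/bin/bash
plum:x:1000:1000:Mrs Plum:/home/myschool/www/mrs_plum:/bin/bash
principal:x:1000:1000:The Principal:/home/myschool/www/principal:/bin/bash
pta:x:1000:1000:PTA:/home/myschool/www/PTA:/bin/bash'

SCHEME_SEPARATE='myschool:x:1000:1000:School:/home/myschool:/bin/bash
plum:x:1001:1000:Mrs Plum:/home/myschool/www/mrs_plum:/bin/ftp
principal:x:1002:1000:The Principal:/home/myschool/www/principal:/bin/ftp
pta:x:1003:1000:PTA:/home/myschool/www/PTA:/bin/ftp'

# Read passwd-format text on stdin; print "UID name1,name2,..." for every
# UID that more than one login name maps to.
shared_uids() {
    awk -F: '
        /^#/ || NF < 7 { next }    # skip comments and malformed lines
        {
            names[$3] = (($3 in count) ? names[$3] "," : "") $1
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' | LC_ALL=C sort -n
}

# Read passwd-format text on stdin; print the home directories of every other
# login that has the same UID as login $1. Assuming each home is owned by the
# UID in its entry, login $1 owns (and can rewrite) those directories too.
homes_owned_as() {
    awk -F: -v who="$1" '
        /^#/ || NF < 7 { next }
        { uid[$1] = $3; home[$1] = $6 }
        END {
            if (!(who in uid)) exit
            for (n in uid) if (n != who && uid[n] == uid[who]) print home[n]
        }
    ' | LC_ALL=C sort
}

printf '%s\n' "$SCHEME_SHARED"   | shared_uids          # 1000 myschool,plum,principal,pta
printf '%s\n' "$SCHEME_SHARED"   | homes_owned_as plum  # main site, PTA and principal dirs
printf '%s\n' "$SCHEME_SEPARATE" | homes_owned_as plum  # prints nothing
```

On a real host the same functions can read `getent passwd` instead of the sample strings.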

HGeneAnthony 05-08-2006 08:11 AM

Reply
 
I still like the idea of doing the work on a private intranet where access controls can easily be implemented. Then the admin can upload the final results. There's plenty of ways this can be done.

jschiwal 05-11-2006 02:18 AM

Yes, I agree. Schools often have two problems that can complicate things. They may not have enough in the budget to purchase a computer, and have to wait for someone's desktop to be replaced so they can grab it. Some other schools have an exclusivity agreement with Microsoft or Apple, and are prohibited from installing any other operating system in the school.

HGeneAnthony 05-11-2006 05:24 PM

Reply
 
If they don't have a dedicated server they can use an admin machine which is always on. Whether you're using Windows/Mac/Linux Apache will run on anything. You shouldn't have to worry about monopoly policies. This way you're not using another OS in the school, and there should be at least one machine that can host the site, even if it's not a dedicated machine. Same system, modify on the intranet and then upload. This really isn't that complicated of an issue.

