LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

#1 pcardout, 05-04-2006, 11:51 PM
Allowing multiple users with shared userid to have different filesystem permissions


I am webmaster for our school.
The school pays for one Linux userid with a local ISP.
Our website runs out of /home/myschool/www.
Teachers and staff want to use subdirectories of this,
e.g.
/home/myschool/www/mrs_plum,
/home/myschool/www/principal,
/home/myschool/www/PTA.


However, I don't want them to accidentally trash the main web-site.
Has anyone come up with a Linux facility with one login
but multiple passwords, in which the passwords set the
permissions?


I just want something like Linux groups, but groups work off
of userids. What if you've only got one? Any creative
ideas?
 
#2 Geocritter, 05-05-2006, 04:44 AM
Interesting idea, and I can see where you are coming from; but to my knowledge, there is no way to do that with Linux, Unix, or even Windows for that matter. The problem is security. You would NEVER want multiple passwords to one account. Think how much fun a cracker would have with that one...several potential targets to let them into the same account, so all they'd have to do is start running a dictionary attack or whatnot, and would have multiple possibilities for getting in and wreaking havoc (or worse).

One thought, though, and off the top of my head and before my first cup of coffee this morning...I wonder *if* there is a way to password protect individual FOLDERS. That would kind of help solve your problem but in a roundabout way. Everybody logs in with the same user/pass, then goes to *their* own folder and has to enter an individual pass to get in. Granted, permissions for the users would be the same, but...everybody's individual folders would be safe from each other...

HTH,
d
 
#3 HGeneAnthony, 05-05-2006, 06:00 AM

If I got the idea of what you want, and I just glazed it, you want a content management system like Mambo.

http://www.mamboserver.com/

These systems have the user update it through an interface in which they would sign on with a custom user/pass. You can then assign ACLs on the site declaring what user can do what. Sound right?
 
#4 pcardout (original poster), 05-07-2006, 02:00 AM
Thanks for the clarity Geocritter -- even for a null result!

HGeneAnthony I looked at Mambo -- interesting idea, but my ISP would have to let me run it, and then it's another learning curve for the teachers. What I am looking for exactly is Geocritter's password
protected folders. I suppose we could all share the main web-site password, so long as the administrator password protected the first few folders and have the teachers go to their own. Maybe all we can do is set up our own machine with Apache, have our ISP host it, and create all the individual accounts we want. If anyone else has an idea of how
users can share a single account w/o trouncing each other's work -- I'm all ears.
 
#5 jschiwal, 05-07-2006, 02:12 AM
I imagine that the purpose is to let the teachers and others post their own webpages.

I think it would be better if they ran Linux on a local machine and the system replicated a user's ~/www folder into the ISP's respective www/subfolder.

Last edited by jschiwal; 05-07-2006 at 02:18 AM.
 
#6 pcardout (original poster), 05-07-2006, 03:28 AM
Thanks -- jschiwal -- Unfortunately, we inherited an all-Windows infrastructure. The only thing running Linux here is our account on an ISP machine which we do not own. It may be that I need to buy a cheap machine and make it a
Linux web server and link to it from the web-site we are paying for. I don't happen to know how to set up a web-server -- but I'm sure I could figure it out. If you have any ideas that meet our restrictions -- I'm still interested.
 
#7 jschiwal, 05-07-2006, 09:07 AM
I don't think it would be too hard. There are plenty of books at Barnes and Nobles on LAMP (Linux Apache MySQL PHP). However, you may only need to set it up as an ftp server, so that the users can publish their webpages to it. Then have a service replicate from their account on your local server to the ISP's server. Posting a website uses ftp, so you don't even need Apache installed. However, being able to test your pages by browsing them on a local server would be convenient.

Another alternative is if each user's computer was set up to publish to their own subdirectory on the ISP server. So the principal's computer is set up to publish to /home/myschool/www/principal on the ISP's server. The staff to /home/myschool/www/staff, etc.

Although this second alternative wouldn't be the best, because each user might be able to use the ftp command and do whatever they wanted to the entire site.

If you had a local server, then you could have each user and/or group have their own account. The local server itself is what would have the credentials to connect to the ISP's server, and not any individual. So only one account would be needed at the ISP.

One thing that might be overlooked is if you have several users in the PTA group, for example, trying to modify the web pages for the PTA section. You may need to install some form of RCS at some point in the future. But if only one person in each group is responsible for their group's webpages, that wouldn't be a problem.
 
#8 HGeneAnthony, 05-07-2006, 09:32 AM

Here are a few other ways you can go about this. One, if you use IIS it uses system accounts for authentication and then uses NTFS permissions to decide what they can do. Although this is better for authenticating users and deciding what pages they can access. Another concept might be using an FTP for file upload in which they would need their own user/pass. Using individual folders for specific users and a little ACL you can easily set up the permissions the way you want. This would be possible with Windows/Linux and IIS/Apache. You mentioned your ISP; are you using a virtual host or are you hosting it yourself? If you aren't hosting it, the ISP might not allow multiple users and it won't be able to authenticate permissions by different password (never heard of this anywhere). What I'd recommend, if you use a virtual host, is to set up a local web server using the methods I mentioned. Also set up Mambo (maybe) and have the users upload their stuff to that. If they're on the intranet they can view and interact with it, and then upload the files themselves. I would also look into an ISP that offers you PHP and MySQL and then use Mambo on it. You should be able to upload it. I doubt these users will use a MySQL database, so this would allow them to create professional looking sleek sites with a nice ACL. It would make your job easier long term.
 
#9 jschiwal, 05-07-2006, 06:04 PM
They only have one UID at the ISP's server. It sounds like it might be a feature of their internet service.
His goals are A) protect the main data in /home/myschool/www/ and B) allow three users to access data in their respective

I just had a thought. I bet the ISP wouldn't mind having 3 entries in the /etc/passwd file that look like this:

plum:x:1000:1000:Mrs Plum:/home/myschool/www/mrs_plum:/bin/bash
principal:x:1000:100:The Principal:/home/myschool/www/principal:/bin/bash
pta:x:1000:100:The PTA:/home/myschool/www/PTA:/bin/bash

I'm not sure how well it would work, but if they just use the names and passwords for ftp authentication.

Another possibility is if the ftp server that the ISP uses can be set up to do its own authentication from a list. Then the user "principal" could be given permission to up/download to /home/myschool/www/principal and user "pta" to directory /home/myschool/www/pta.

Also, they may allow other user UIDs if they are only ftp clients. The /etc/passwd file could be something like this:
plum:x:1001:1000:Mrs Plum:/home/myschool/www/mrs_plum:/bin/ftp
principal:x:1002:1000:The Principal:/home/myschool/www/principal:/bin/ftp
pta:x:1003:1000:The PTA:/home/myschool/www/PTA:/bin/ftp

One problem with this scheme is that these three users would need to enter the /home/myschool/ home directory. This could be solved if they were all members of the myschool group, or by using acls.
sudo setfacl -m u:plum:x /home/myschool /home/myschool/www
sudo setfacl -m u:principal:x /home/myschool /home/myschool/www
sudo setfacl -m u:pta:x /home/myschool /home/myschool/www
sudo chown principal /home/myschool/www/principal
sudo chown plum /home/myschool/www/plum
sudo chown pta /home/myschool/www/pta

Now Mrs. Plum can use whatever web design program she wants and publish to /home/myschool/www/plum/, but can't snoop into /home/myschool/www/principal/. One potential problem with this idea is if the ISP's webserver won't run the principal's or plum's web pages. (Note that I'm assuming that the main myschool web pages have links to the principal's and pta's and plum's web pages.)

It's the public IP address, and the disk space, that are the dearest resources from the ISP's point of view. Given that these users aren't using another IP address, and don't require more disk space on the server, the ISP may be willing to do this. They may also cut a school a bit of slack as a public service. The only thing they would be giving up would be 3 extra lines in the /etc/passwd and /etc/shadow files.

Last edited by jschiwal; 05-07-2006 at 07:24 PM.
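The separate-UID layout from the post above, as an added example that is not part of the thread: a small Python model that parses passwd lines in the format shown, applies the chown and the `setfacl -m u:NAME:x` traverse entries, and answers who can reach or change which directory, so the plan can be checked before asking the ISP. It assumes 0700 on the home directories (so only the ACL grants traversal), uid 1000 for the site owner, and no ACL mask narrowing the named entries.

```python
# Added example, not from the thread. Assumes: home dirs are 0700 (only the
# ACL grants traversal), site owner is uid 1000, no ACL mask narrows entries.
# Constructed passwd lines in the thread's format: name:x:uid:gid:gecos:home:shell
PASSWD = """\
plum:x:1001:1000:Mrs Plum:/home/myschool/www/plum:/bin/ftp
principal:x:1002:1000:The Principal:/home/myschool/www/principal:/bin/ftp
pta:x:1003:1000:The PTA:/home/myschool/www/pta:/bin/ftp
"""

def parse_passwd(text):
    """Map user name -> (uid, gid, home)."""
    users = {}
    for line in text.splitlines():
        name, _, uid, gid, _, home, _ = line.split(":")
        users[name] = (int(uid), int(gid), home)
    return users

def make_tree(users, with_acl=True):
    """Plan: path -> (owner uid, group gid, mode, {uid: acl perms}).
    acl mirrors 'setfacl -m u:NAME:x'; with_acl=False is before that step."""
    traverse = {uid: "x" for uid, _, _ in users.values()} if with_acl else {}
    tree = {"/home": (0, 0, 0o755, {}),
            "/home/myschool": (1000, 1000, 0o700, traverse),
            "/home/myschool/www": (1000, 1000, 0o700, traverse)}
    for uid, gid, home in users.values():   # 'chown NAME home', kept private
        tree[home] = (uid, gid, 0o700, {})
    return tree

def perms(entry, uid, gid):
    """Bits (uid, gid) gets on one dir: owner, then named ACL, group, other."""
    owner, group, mode, acl = entry
    if uid == owner:
        bits = (mode >> 6) & 7
    elif uid in acl:
        return acl[uid]
    elif gid == group:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c for c, b in zip("rwx", (4, 2, 1)) if bits & b)

def can(users, tree, user, path, want):
    """True if user has all of `want` on path and x on every ancestor."""
    uid, gid, _ = users[user]
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):     # search permission on each ancestor
        if "x" not in perms(tree["/" + "/".join(parts[:i])], uid, gid):
            return False
    return all(c in perms(tree[path], uid, gid) for c in want)
```

Changing a subdirectory's mode to 0755 so the ISP's web server can read it also lets the other two users read it, which is the caveat the post raises; re-running the checks after such a change shows exactly what that opens up.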
 
#10 HGeneAnthony, 05-08-2006, 08:11 AM

I still like the idea of doing the work on a private intranet where access controls can easily be implemented. Then the admin can upload the final results. There's plenty of ways this can be done.
 
#11 jschiwal, 05-11-2006, 02:18 AM
Yes, I agree. Schools often have two problems that can complicate things. They may not have enough in the budget to purchase a computer, and have to wait for someone's desktop to be replaced so they can grab it. Some other schools have an exclusivity agreement with Microsoft or Apple, and are prohibited from installing any other operating system in the school.

Last edited by jschiwal; 05-11-2006 at 11:19 AM. Reason: fixed typo.
 
#12 HGeneAnthony, 05-11-2006, 05:24 PM

If they don't have a dedicated server they can use an admin machine which is always on. Whether you're using Windows/Mac/Linux Apache will run on anything. You shouldn't have to worry about monopoly policies. This way you're not using another OS in the school, and there should be at least one machine that can host the site, even if it's not a dedicated machine. Same system, modify on the intranet and then upload. This really isn't that complicated of an issue.
 