LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Creating a group hierarchy? (http://www.linuxquestions.org/questions/linux-security-4/creating-a-group-hierarchy-205736/)

statuszero 07-16-2004 04:47 AM

Creating a group hierarchy?
 
Hi,
I would like to apologise if this has been asked before but I am completely new to linux and teh search results leave me a little lost.

Is it possible to create groups and permissions that would do the following:

  • TEAM_LEADER: (has access to all members folders - i.e. can admin the memebers - but is not root)
  • team_member: Has access only to his/her home directory
  • team_member: Has access only to his/her home directory
  • etc...

If so how? Is it also possible to make sure that the team_members cannot even read the other members directories.

Also as a side-question, is it possible to limit users to ONLY their home directory but still allow them access to useful utils like vi.

Many thanks,
s0

Donboy 07-16-2004 08:44 AM

I saw your last post, but didn't comment, so seeing your post again I will try to offer up some sort of help.

First, you didn't really say how these people are accessing your machine. It sounds like they are logging in at the terminal or via SSH. You also didn't say what kind of files are being stored here. Is this just a file repository and nothing else?? Like documents that would be shared between members of the groups? I'm not trying to be nosey, but if I knew what the objectives were, I may be able to better advise you on another setup you could be doing like setting up an FTP server, perhaps.

Here's one strategy you could use that may help, and I hope this serves all your needs...

You could create a directory called /home/team1. This will be owned by the leader of team1, which we'll say is "John" for now. chown john.team1 /home/team1. Now do a chmod 770 /home/team1 This should give the folder the following permissions: rwxrwx---.

So what does all this mean? Well, because "john" is the owner of the directory, he has full ability to do anything he wants with his directory, which is indicated by the first rwx in the permissions statement. Members of the group "team1" will have rwx permissions also, as indicated by the second set of rwx in the permissions statement.

So now you setup individual users like "billy" and make him a member of the "team1" group so that he has the ability to rwx to the folder. You can setup subsequent folders like "team2" and make them with the same ownership and permission scheme as above. If user "billy" tries to view the "team2" folder, he will be unsuccessful because the permissions on the "team2" folder that apply to him are the last group of permissions I'm showing above, which would be "---" which doesn't allow read, write or execute.

Now the one thing this scenario doesn't cover is the possibility of the "admins" being able to manipulate all the other team folders. So if the user "john" wanted to modify stuff in the "team2" folder, well... I don't really have a solution for that here, so maybe some other person will offer up an alternate suggestion.

statuszero 07-16-2004 02:49 PM

Hi,
Thanks for the reply I think I am getting somewhere, btw sorry should have explained myself a bit better - well it made sense in my head ;)

A number of users would be logging into the server via ssh. They would have their own accounts to do pretty much what they want (within reason). So it might not just be a place to store files but also to do various other things. So this is what I was hoping to achieve, my logic could be flawed but this is my understanding so far.

user - "team_leader", home dir "/home/team_leader"
user - "bob", home dir "/home/bob"
user - "john", home dir "/home/john"

Now bob and john are both part of the same team and team_leader is their team leader :) What I was hoping to achieve is that team_leader would be able to access both bob's and john's home accounts and see all the files within those accounts, but bob and john would only have access to their own home directories (not even be able to see other ppl's files).

Now by talking to other ppl and from what you have said I have come up with the following config...
team_leader would own the "/home/team_leader" directory and the permissions to it would be drwx,---,---..
bob would be in the "bob" group, and so would team_leader. The permissions for /home/bob would be drwx,rwx,---.
john would be in the "john" group, and so would team_leader. The permissions for /home/john wuold be drwx,rwx,---.

Am i right in saything then that team_leader would have access bob and johns home directories, but bob and john would not be able to access each others? The only thing is that if the user sets the permission to a file in their home directory as rw-,---,--- then only they can modify it which is maybe a good thing but being the paranoid guy i am it could potentially be a bad thing.

Hope i've explained it a bit better this time round :) And once again thanks for the reply.

s0

Donboy 07-16-2004 03:22 PM

Quote:

Am i right in saything then that team_leader would have access bob and johns home directories
Yep. Because he is a member of their group and would have rwx ability as indicated by the folder's "group" permissions.

Quote:

but bob and john would not be able to access each others
Yep, because bob is not a member of the "john" group and vise versa. Also, they will not have access to the leader's stuff, becsause they are not a member of the "leader" group (or whatever you call it). You could very well have the leader "Mike" a member of the "Mike" group and nobody else.

Quote:

The only thing is that if the user sets the permission to a file in their home directory as rw-,---,--- then only they can modify it which is maybe a good thing but being the paranoid guy i am it could potentially be a bad thing.
I recommend setting up some test scenarios on your machine. Set everything up like you've described and then play with all of this yourself. Have a couple of your users test it out. You may be surprised to find something you didn't expect. Have a "trial period" to be sure everything is as you planned before going "live" and bringing in a bunch of other users. It sucks having to change gears on people because something happened that you didn't anticipate.

Donboy 07-16-2004 03:37 PM

Also, you may want to consider setting up your system to chroot people in SSH. If you don't they will have the ability to browse all around your machine, which may not be what you want.

I wish I could give you more info on this, but I'm still trying to figure it out myself. If you used an FTP server, you could more easily setup chrooted environments for each user. Running FTP, you don't have to worry about user bob being able to see user john's files, because you already said that wasn't required and the FTP server will seperate them easily.

You could setup FTP for the individual users and they can upload/download/modify stuff in each of their home direcories, and you could give the leader's SSH access and make them members of everyone's group like you said. This way, you cut down on the number of people tooling around your box, and you probably already trust your leaders enough.

Only downside is... your users are sending usernames/passwords in the clear using normal FTP, but I've never had a problem with this. I've got tons of users on cleartext FTP and have never been broken into. I think the concensus must be that because these are unprivlidged users, they don't have the rights to do very much on the system, so why break into thier accounts. THey have nothing worth stealing that a quick restore from backup couldn't fix.

Other users may disagree with me on these points, arguing that SSH is the only way to go, but these are just my views... do whatever you feel is best. After all, it's YOUR box.

statuszero 07-16-2004 04:18 PM

Hi,
Thanks, I think your right I just have to get started and play with it until it does what I want it to do. As long as my current thinking was right then i'm at least half way there. Thanks for the help!!

s0


All times are GMT -5. The time now is 08:57 AM.