Granting full read/write permissions to all files for a specific user
 

Hello,

I have a couple of admins who I would like to give full read/write privileges to all files. I tried adding their user to the root group, but that didn't work. What is the best way to accomplish this?

Yes, I fully understand the security ramifications, but I would like to proceed anyway. If anyone knows of a way to give them full permissions to only /home/*, that would be even better.

Thanks!

Hi laserjim,

" I have a couple of admins who I would like to give full read/write privileges to *all* files." Well, one of the ways of doing this would be making the user root by giving him a UID of '0', but that will mean making the user a root.

There could be other ways but this is the one that seems more managable and easier.

hope this helps.

Wouldn't it be easier if you just put them in the sudoers file so they could do a sudo su - to start a root session when they needed root access?

The "security advantage" of this is that they don't have access to the root password (although they could, of course, change it) but when you plan to fire them you could revoke their sudo access before "talking" to them. You could somewhat enhance this model by installing SELinux and setting policies that would prevent even "root" from changing "root's" password, but, hey, if these are administrators, you've got to trust them since they presumably have physical access to the system. So they could bypass any software security (except an encrypted file system that's not automatically mounted during a boot) by booting from a "rescue" DVD.

Note that this "sudo for root privileges" scheme is part of the Ubuntu "security" model.

Create a group called "Admins", add yourself and everyone you want to be an admin to that group, and then make that group the owning group of /home/* with:
Then when they leave, just remove them from the group. My two cents.

dudeman41465, that would seem to be a much better solution that the one I proposed. I'm somewhat embarrassed because I did not read laserjim's OP as well as I should, and failed to note that the administrators with whom he was concerned were user administrators, not system ones. :confused:

All very good ideas, thank you everyone.

I am very appreciative of all your feedback. Here are my thoughts:

1. I like the idea of setting the user id to zero, but this unnecessarily grants execute permissions. It would be better if admins couldn't accidentally execute stuff. Also seems a bit clunky.
2. The only problem with allowing them to sudo is that they may FTP in, in which case, sudo would be inaccessible.
3. Group permissions seems like the clear and obvious solution, but users may change the group and/or group permissions for their files. Group permissions allow users to share files amongst themselves, so it would be better not to force a specific group.
4. I found these awesome commands getfacl and setfacl. They seem good except that the permissions mask always equals the group permissions. I don't know of a good way to get around this.

All in all, any of the above solutions could work, but none of them is perfect.

Well, I think that adding the adminstrators to all the groups to which any managed person is a member would make the "group" solution work.

... except if the users only give read permissions to the members of their group.

I'm not saying I have the answer, I don't. I am very thankful for everyone who has contributed, I'm still trying to figure out which alternative is best. It isn't clear to me yet.

Thanks All!

So? The "user administrators" could do a sudo chmod -R g+rwx /path/to/errant/user or you could write a script to do that, saving the permissions the errant user had set, and re-setting it when the "admin" is done. In fact, to be safe, you might need to have such a script since an errant user could remove all group permissions from a file or directory.

You could also write up a script using the find command that would walk /home and find any "naughty" files, flaging errant users in the process. Thus alleritng the "user administrators" of users needing attention.

They wouldn't be errant users, they would simply be users who are maintaining good security practices by setting the proper permissions (read only) when sharing files amongst themselves.

It would be very bad to have a script going around changing the permissions and group ownership. Ideally, users would have full control over such things. That's why I'm not jumping for joy at the idea of an admins group. It is, however, worth considering.

O.K., let's combine the two concepts:

1) Make the "administrators" members of all the groups to which the administrated users have access. Then the "administrators" can read anything any of the files any administrated user can read, which should suffice for most administrative tasks.

2) Put the "administrators" in the sudoers file with, perhaps, restricted command access. (I'm not sure about that part since I always give myself "ALL (ALL)" and I've not looked at other possibilities.)

Anyhow, when they need to alter files in some user's directory, they can do a sudo su <user login> to log in to the user's account (without needing to know the user's password), and act on the user's behalf.