Granting full read/write permissions to all files for a specific user
Hello,
I have a couple of admins who I would like to give full read/write privileges to all files. I tried adding their user to the root group, but that didn't work. What is the best way to accomplish this? Yes, I fully understand the security ramifications, but I would like to proceed anyway. If anyone knows of a way to give them full permissions to only /home/*, that would be even better. Thanks!
Hi laserjim,
"I have a couple of admins who I would like to give full read/write privileges to *all* files." Well, one of the ways of doing this would be making the user root by giving him a UID of '0', but that will mean making the user a root. There could be other ways, but this is the one that seems more manageable and easier. Hope this helps.
Wouldn't it be easier if you just put them in the sudoers file so they could do a sudo su - to start a root session when they needed root access?
The "security advantage" of this is that they don't have access to the root password (although they could, of course, change it) but when you plan to fire them you could revoke their sudo access before "talking" to them. You could somewhat enhance this model by installing SELinux and setting policies that would prevent even "root" from changing "root's" password, but, hey, if these are administrators, you've got to trust them since they presumably have physical access to the system. So they could bypass any software security (except an encrypted file system that's not automatically mounted during a boot) by booting from a "rescue" DVD. Note that this "sudo for root privileges" scheme is part of the Ubuntu "security" model.
Create a group called "Admins", add yourself and everyone you want to be an admin to that group, and then make that group the owning group of /home/* with:
Code:
chgrp -R Admins /home
dudeman41465, that would seem to be a much better solution than the one I proposed. I'm somewhat embarrassed because I did not read laserjim's OP as well as I should, and failed to note that the administrators with whom he was concerned were user administrators, not system ones. :confused:
All very good ideas, thank you everyone.
I am very appreciative of all your feedback. Here are my thoughts:
All in all, any of the above solutions could work, but none of them is perfect.
Quote:
Is that necessarily true?
Quote:
I'm not saying I have the answer, I don't. I am very thankful for everyone who has contributed; I'm still trying to figure out which alternative is best. It isn't clear to me yet. Thanks All!
Quote:
You could also write up a script using the find command that would walk /home and find any "naughty" files, flagging errant users in the process, thus alerting the "user administrators" of users needing attention.
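The find-based check suggested above, as an added example that is not part of the original thread: it only reports paths under a tree that the admin group cannot read and write, and changes nothing. The function names are hypothetical, and the group passed in (name or numeric GID) is assumed to exist on the system.

```shell
#!/bin/sh
# Added example: report-only audit for the "Admins group owns /home" idea.
# Function names are hypothetical; nothing here modifies any file.

# Run find over files and directories under $1 that the admin group $2
# (name or numeric GID) cannot fully use:
#   - owning group is not the admin group, or
#   - a file lacks group read/write, or
#   - a directory lacks group read/write/search.
# Remaining arguments are the find action (for example -print).
_scan() {
    root=$1
    grp=$2
    shift 2
    find "$root" \( -type f -o -type d \) \
        \( ! -group "$grp" \
           -o \( -type f ! -perm -g+rw \) \
           -o \( -type d ! -perm -g+rwx \) \) "$@"
}

# List every flagged path, one per line.
flagged_paths() {
    _scan "$1" "$2" -print
}

# Count flagged paths per owning user ("<count> <user>"), highest first,
# so the user administrators know whom to contact.
flagged_owners() {
    _scan "$1" "$2" -exec ls -ld {} + |
        awk '{ n[$3]++ } END { for (u in n) print n[u], u }' |
        sort -rn
}

# Usage: flagged_owners /home Admins
```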
Quote:
It would be very bad to have a script going around changing the permissions and group ownership. Ideally, users would have full control over such things. That's why I'm not jumping for joy at the idea of an admins group. It is, however, worth considering.
O.K., let's combine the two concepts:
1) Make the "administrators" members of all the groups to which the administrated users have access. Then the "administrators" can read any of the files any administrated user can read, which should suffice for most administrative tasks.
2) Put the "administrators" in the sudoers file with, perhaps, restricted command access. (I'm not sure about that part since I always give myself "ALL (ALL)" and I've not looked at other possibilities.) Anyhow, when they need to alter files in some user's directory, they can do a sudo su <user login> to log in to the user's account (without needing to know the user's password), and act on the user's behalf.