LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-27-2009, 12:24 PM   #1
laserjim
LQ Newbie
 
Registered: Nov 2007
Distribution: Suse Linux 10.3 (among others)
Posts: 8

Rep: Reputation: 0
Exclamation Granting full read/write permissions to all files for a specific user


Hello,

I have a couple of admins who I would like to give full read/write privileges to all files. I tried adding their user to the root group, but that didn't work. What is the best way to accomplish this?

Yes, I fully understand the security ramifications, but I would like to proceed anyway. If anyone knows of a way to give them full permissions to only /home/*, that would be even better.

Thanks!

Last edited by laserjim; 01-27-2009 at 12:26 PM.
 
Old 01-27-2009, 01:14 PM   #2
honeybadger
Member
 
Registered: Aug 2007
Location: India
Distribution: Slackware (mainly) and then a lot of others...
Posts: 847

Rep: Reputation: Disabled
Hi laserjim,

" I have a couple of admins who I would like to give full read/write privileges to *all* files." Well, one of the ways of doing this would be making the user root by giving him a UID of '0', but that will mean making the user a root.

There could be other ways but this is the one that seems more managable and easier.

hope this helps.
 
Old 01-27-2009, 09:31 PM   #3
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,153

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
Wouldn't it be easier if you just put them in the sudoers file so they could do a sudo su - to start a root session when they needed root access?

The "security advantage" of this is that they don't have access to the root password (although they could, of course, change it) but when you plan to fire them you could revoke their sudo access before "talking" to them. You could somewhat enhance this model by installing SELinux and setting policies that would prevent even "root" from changing "root's" password, but, hey, if these are administrators, you've got to trust them since they presumably have physical access to the system. So they could bypass any software security (except an encrypted file system that's not automatically mounted during a boot) by booting from a "rescue" DVD.

Note that this "sudo for root privileges" scheme is part of the Ubuntu "security" model.
 
Old 01-28-2009, 12:41 PM   #4
dudeman41465
Member
 
Registered: Jun 2005
Location: Kentucky
Distribution: Ubuntu
Posts: 794

Rep: Reputation: 56
Create a group called "Admins", add yourself and everyone you want to be an admin to that group, and then make that group the owning group of /home/* with:
Code:
chgrp -R Admins /home
chmod -R ug+rwx /home
Then when they leave, just remove them from the group. My two cents.

Last edited by dudeman41465; 01-28-2009 at 12:45 PM. Reason: Changed chmod command cause I wasn't sure on the numerical syntax
 
Old 01-28-2009, 03:42 PM   #5
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,153

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
dudeman41465, that would seem to be a much better solution that the one I proposed. I'm somewhat embarrassed because I did not read laserjim's OP as well as I should, and failed to note that the administrators with whom he was concerned were user administrators, not system ones.
 
Old 01-29-2009, 06:32 PM   #6
laserjim
LQ Newbie
 
Registered: Nov 2007
Distribution: Suse Linux 10.3 (among others)
Posts: 8

Original Poster
Rep: Reputation: 0
All very good ideas, thank you everyone.

I am very appreciative of all your feedback. Here are my thoughts:
  1. I like the idea of setting the user id to zero, but this unnecessarily grants execute permissions. It would be better if admins couldn't accidentally execute stuff. Also seems a bit clunky.
  2. The only problem with allowing them to sudo is that they may FTP in, in which case, sudo would be inaccessible.
  3. Group permissions seems like the clear and obvious solution, but users may change the group and/or group permissions for their files. Group permissions allow users to share files amongst themselves, so it would be better not to force a specific group.
  4. I found these awesome commands getfacl and setfacl. They seem good except that the permissions mask always equals the group permissions. I don't know of a good way to get around this.

All in all, any of the above solutions could work, but none of them is perfect.
 
Old 01-29-2009, 08:23 PM   #7
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,153

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
Quote:
Originally Posted by laserjim View Post
All very good ideas, thank you everyone.

I am very appreciative of all your feedback. Here are my thoughts:
  1. I like the idea of setting the user id to zero, but this unnecessarily grants execute permissions. It would be better if admins couldn't accidentally execute stuff. Also seems a bit clunky.
  2. The only problem with allowing them to sudo is that they may FTP in, in which case, sudo would be inaccessible.
Is that necessarily true?
Quote:
3. Group permissions seems like the clear and obvious solution, but users may change the group and/or group permissions for their files.
But you could have a cron job revert any such changes.
Quote:
Group permissions allow users to share files amongst themselves, so it would be better not to force a specific group.
True. I've occasionally thought that a group should be able to have other groups as members, but you could make the group thing work by adding the "administrators" to all the groups to which the people being "administrated" are members, including their "individual" groups if they were created with that option.
Quote:
4. I found these awesome commands getfacl and setfacl. They seem good except that the permissions mask always equals the group permissions. I don't know of a good way to get around this.
See my preceding comment.
Quote:
All in all, any of the above solutions could work, but none of them is perfect.
Well, I think that adding the adminstrators to all the groups to which any managed person is a member would make the "group" solution work.
 
Old 01-29-2009, 11:20 PM   #8
laserjim
LQ Newbie
 
Registered: Nov 2007
Distribution: Suse Linux 10.3 (among others)
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by PTrenholme View Post
Well, I think that adding the adminstrators to all the groups to which any managed person is a member would make the "group" solution work.
... except if the users only give read permissions to the members of their group.

I'm not saying I have the answer, I don't. I am very thankful for everyone who has contributed, I'm still trying to figure out which alternative is best. It isn't clear to me yet.

Thanks All!
 
Old 01-30-2009, 07:49 AM   #9
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,153

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
Quote:
Originally Posted by laserjim View Post
... except if the users only give read permissions to the members of their group.

I'm not saying I have the answer, I don't. I am very thankful for everyone who has contributed, I'm still trying to figure out which alternative is best. It isn't clear to me yet.

Thanks All!
So? The "user administrators" could do a sudo chmod -R g+rwx /path/to/errant/user or you could write a script to do that, saving the permissions the errant user had set, and re-setting it when the "admin" is done. In fact, to be safe, you might need to have such a script since an errant user could remove all group permissions from a file or directory.

You could also write up a script using the find command that would walk /home and find any "naughty" files, flaging errant users in the process. Thus alleritng the "user administrators" of users needing attention.
 
Old 01-30-2009, 11:55 PM   #10
laserjim
LQ Newbie
 
Registered: Nov 2007
Distribution: Suse Linux 10.3 (among others)
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by PTrenholme View Post
errant users
They wouldn't be errant users, they would simply be users who are maintaining good security practices by setting the proper permissions (read only) when sharing files amongst themselves.

It would be very bad to have a script going around changing the permissions and group ownership. Ideally, users would have full control over such things. That's why I'm not jumping for joy at the idea of an admins group. It is, however, worth considering.
 
Old 01-31-2009, 11:17 AM   #11
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,153

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
O.K., let's combine the two concepts:

1) Make the "administrators" members of all the groups to which the administrated users have access. Then the "administrators" can read anything any of the files any administrated user can read, which should suffice for most administrative tasks.

2) Put the "administrators" in the sudoers file with, perhaps, restricted command access. (I'm not sure about that part since I always give myself "ALL (ALL)" and I've not looked at other possibilities.)

Anyhow, when they need to alter files in some user's directory, they can do a sudo su <user login> to log in to the user's account (without needing to know the user's password), and act on the user's behalf.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
bash - read or write to specific line in text file? babag Programming 11 08-23-2008 01:44 PM
Granting root permissions to a bash script than can be run by a user? SirTristan Linux - Newbie 4 06-14-2008 10:29 PM
Granting limited user a specific restricted cmd privilege itnaa Linux - Security 4 08-26-2007 03:18 PM
Giving user/group permissions to read&write Windows partitions? zaqwe Slackware 3 08-26-2007 11:07 AM
Permissions: giving specific groups write access to a directory kinetik Linux - General 3 07-06-2006 08:30 AM


All times are GMT -5. The time now is 09:46 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration