Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 01-27-2009, 01:24 PM | LQ Newbie | Registered: Nov 2007 | Distribution: Suse Linux 10.3 (among others) | Posts: 8
Granting full read/write permissions to all files for a specific user
Hello,
I have a couple of admins who I would like to give full read/write privileges to all files. I tried adding their user to the root group, but that didn't work. What is the best way to accomplish this?
Yes, I fully understand the security ramifications, but I would like to proceed anyway. If anyone knows of a way to give them full permissions to only /home/*, that would be even better.
Thanks!
Last edited by laserjim; 01-27-2009 at 01:26 PM.
#2 | 01-27-2009, 02:14 PM | Member | Registered: Aug 2007 | Location: India | Distribution: Slackware (mainly) and then a lot of others... | Posts: 855
Hi laserjim,
"I have a couple of admins who I would like to give full read/write privileges to *all* files." Well, one of the ways of doing this would be making the user root by giving him a UID of 0, but that will mean making the user root.
There could be other ways, but this is the one that seems more manageable and easier.
Hope this helps.
#3 | 01-27-2009, 10:31 PM | Senior Member | Registered: Dec 2004 | Location: Olympia, WA, USA | Distribution: Fedora, (K)Ubuntu | Posts: 4,187
Wouldn't it be easier if you just put them in the sudoers file so they could do a sudo su - to start a root session when they needed root access?
The "security advantage" of this is that they don't have access to the root password (although they could, of course, change it) but when you plan to fire them you could revoke their sudo access before "talking" to them. You could somewhat enhance this model by installing SELinux and setting policies that would prevent even "root" from changing "root's" password, but, hey, if these are administrators, you've got to trust them since they presumably have physical access to the system. So they could bypass any software security (except an encrypted file system that's not automatically mounted during a boot) by booting from a "rescue" DVD.
Note that this "sudo for root privileges" scheme is part of the Ubuntu "security" model.
#4 | 01-28-2009, 01:41 PM | Member | Registered: Jun 2005 | Location: Kentucky | Distribution: Debian | Posts: 795
Create a group called "Admins", add yourself and everyone you want to be an admin to that group, and then make that group the owning group of /home/* with:
Code:
chgrp -R Admins /home
chmod -R ug+rwx /home
Then when they leave, just remove them from the group. My two cents.
Last edited by dudeman41465; 01-28-2009 at 01:45 PM.
Reason: Changed chmod command cause I wasn't sure on the numerical syntax
#5 | 01-28-2009, 04:42 PM | Senior Member | Registered: Dec 2004 | Location: Olympia, WA, USA | Distribution: Fedora, (K)Ubuntu | Posts: 4,187
dudeman41465, that would seem to be a much better solution than the one I proposed. I'm somewhat embarrassed because I did not read laserjim's OP as well as I should, and failed to note that the administrators with whom he was concerned were user administrators, not system ones.
#6 | 01-29-2009, 07:32 PM | LQ Newbie | Registered: Nov 2007 | Distribution: Suse Linux 10.3 (among others) | Posts: 8 | Original Poster
All very good ideas, thank you everyone.
I am very appreciative of all your feedback. Here are my thoughts:
- I like the idea of setting the user id to zero, but this unnecessarily grants execute permissions. It would be better if admins couldn't accidentally execute stuff. Also seems a bit clunky.
- The only problem with allowing them to sudo is that they may FTP in, in which case, sudo would be inaccessible.
- Group permissions seems like the clear and obvious solution, but users may change the group and/or group permissions for their files. Group permissions allow users to share files amongst themselves, so it would be better not to force a specific group.
- I found these awesome commands getfacl and setfacl. They seem good except that the permissions mask always equals the group permissions. I don't know of a good way to get around this.
All in all, any of the above solutions could work, but none of them is perfect.
#7 | 01-29-2009, 09:23 PM | Senior Member | Registered: Dec 2004 | Location: Olympia, WA, USA | Distribution: Fedora, (K)Ubuntu | Posts: 4,187
Quote:
Originally Posted by laserjim
    All very good ideas, thank you everyone.
    I am very appreciative of all your feedback. Here are my thoughts:
    - I like the idea of setting the user id to zero, but this unnecessarily grants execute permissions. It would be better if admins couldn't accidentally execute stuff. Also seems a bit clunky.
    - The only problem with allowing them to sudo is that they may FTP in, in which case, sudo would be inaccessible.
Is that necessarily true?
Quote:
    3. Group permissions seems like the clear and obvious solution, but users may change the group and/or group permissions for their files.
But you could have a cron job revert any such changes.
Quote:
    Group permissions allow users to share files amongst themselves, so it would be better not to force a specific group.
True. I've occasionally thought that a group should be able to have other groups as members, but you could make the group thing work by adding the "administrators" to all the groups to which the people being "administrated" are members, including their "individual" groups if they were created with that option.
Quote:
    4. I found these awesome commands getfacl and setfacl. They seem good except that the permissions mask always equals the group permissions. I don't know of a good way to get around this.
See my preceding comment.
Quote:
    All in all, any of the above solutions could work, but none of them is perfect.
Well, I think that adding the administrators to all the groups to which any managed person is a member would make the "group" solution work.
#8 | 01-30-2009, 12:20 AM | LQ Newbie | Registered: Nov 2007 | Distribution: Suse Linux 10.3 (among others) | Posts: 8 | Original Poster
Quote:
Originally Posted by PTrenholme
    Well, I think that adding the administrators to all the groups to which any managed person is a member would make the "group" solution work.
... except if the users only give read permissions to the members of their group.
I'm not saying I have the answer, I don't. I am very thankful for everyone who has contributed, I'm still trying to figure out which alternative is best. It isn't clear to me yet.
Thanks All!
#9 | 01-30-2009, 08:49 AM | Senior Member | Registered: Dec 2004 | Location: Olympia, WA, USA | Distribution: Fedora, (K)Ubuntu | Posts: 4,187
Quote:
Originally Posted by laserjim
    ... except if the users only give read permissions to the members of their group.
    I'm not saying I have the answer, I don't. I am very thankful for everyone who has contributed, I'm still trying to figure out which alternative is best. It isn't clear to me yet.
    Thanks All!
So? The "user administrators" could do a sudo chmod -R g+rwx /path/to/errant/user, or you could write a script to do that, saving the permissions the errant user had set and resetting them when the "admin" is done. In fact, to be safe, you might need to have such a script, since an errant user could remove all group permissions from a file or directory.
You could also write up a script using the find command that would walk /home and find any "naughty" files, flagging errant users in the process, thus alerting the "user administrators" of users needing attention.
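An audit script in the spirit of the find-based check suggested just above, added here as an example and not posted by anyone in the thread. It assumes post #4's scheme, where an "Admins" group owns everything under /home, so a missing group bit is what locks the admins out; it only reports and changes nothing, and the sample tree it builds is constructed data.

```shell
#!/bin/sh
# Added example (not from the thread): walk a home tree and report files or
# directories whose group bits lack read or write. Assumes post #4's scheme
# (an "Admins" group owns the tree), so a missing group bit means the admins
# are shut out. Read-only: nothing is modified.

# Print every regular file or directory under $1 whose group permissions
# lack r or w. "-perm -g=rw" matches only when both bits are set, so the
# negation catches modes such as 644, 700 and 600.
find_naughty() {
    find "$1" \( -type f -o -type d \) ! -perm -g=rw -print 2>/dev/null
}

# Count the flagged paths (for a one-line summary or a cron alert).
count_naughty() {
    find_naughty "$1" | wc -l | tr -d ' '
}

# Per-owner tally, so the user administrators know whom to talk to.
# Field 3 of "ls -ld" is the owner on both GNU and BSD ls.
owners_of_naughty() {
    find_naughty "$1" | while IFS= read -r f; do
        ls -ld "$f" | awk '{ print $3 }'
    done | sort | uniq -c
}

# Build a throwaway tree with constructed sample users and modes, so the
# script can be exercised without touching a real /home. Prints the path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/shared" "$d/bob/private"
    chmod 775 "$d" "$d/alice" "$d/alice/shared" "$d/bob"
    chmod 700 "$d/bob/private"                                               # group shut out
    : > "$d/alice/shared/notes.txt";  chmod 664 "$d/alice/shared/notes.txt"  # fine
    : > "$d/alice/shared/readme.txt"; chmod 644 "$d/alice/shared/readme.txt" # read-only for group
    : > "$d/bob/private/secret.txt";  chmod 600 "$d/bob/private/secret.txt"  # group shut out
    printf '%s\n' "$d"
}

# Stand-alone demo: "sh audit.sh --demo" runs against the sample tree.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    find_naughty "$t"
    echo "flagged: $(count_naughty "$t")"
    owners_of_naughty "$t"
    rm -rf "$t"
fi
```

Point find_naughty at /home instead of the sample tree to audit a real system; run it as a user that can traverse the tree, since unreadable directories are silently skipped.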
#10 | 01-31-2009, 12:55 AM | LQ Newbie | Registered: Nov 2007 | Distribution: Suse Linux 10.3 (among others) | Posts: 8 | Original Poster
Quote:
Originally Posted by PTrenholme
    errant users
They wouldn't be errant users, they would simply be users who are maintaining good security practices by setting the proper permissions (read only) when sharing files amongst themselves.
It would be very bad to have a script going around changing the permissions and group ownership. Ideally, users would have full control over such things. That's why I'm not jumping for joy at the idea of an admins group. It is, however, worth considering.
#11 | 01-31-2009, 12:17 PM | Senior Member | Registered: Dec 2004 | Location: Olympia, WA, USA | Distribution: Fedora, (K)Ubuntu | Posts: 4,187
O.K., let's combine the two concepts:
1) Make the "administrators" members of all the groups to which the administrated users have access. Then the "administrators" can read any of the files any administrated user can read, which should suffice for most administrative tasks.
2) Put the "administrators" in the sudoers file with, perhaps, restricted command access. (I'm not sure about that part since I always give myself "ALL (ALL)" and I've not looked at other possibilities.)
Anyhow, when they need to alter files in some user's directory, they can do a sudo su <user login> to log in to the user's account (without needing to know the user's password), and act on the user's behalf.