Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 11-01-2010, 08:50 AM   #1
Registered: Jan 2005
Distribution: knoppix/debian
Posts: 38
Blog Entries: 2

Rep: Reputation: 11
Need sudo for users but only +r on other /home/users Ubuntu 10.04

We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.

The blind leading the blind here.
Old 11-01-2010, 10:17 AM   #2
Registered: Oct 2010
Location: New England, USA
Distribution: OpenSUSE/Slackware64/RHEL/Mythbuntu
Posts: 189

Rep: Reputation: 39
Create a set of groups for your users. It could be as simple as two groups or as complex as each user in his/her own group. If studen01 is in group01 all members of that group can access the directorys. If linsig01 is in group linsig01, and student01 is not in that group, then student01 cannot access that group's directories.

to set permissions on files or directories use.
Here you see I have each student in a student group, and each linsig in a linsig group.

#ls -l /home
drwxr-xr-x  2 linsig01   linsig   4096 2010-11-01 11:11 linsig01
drwxr-xr-x  2 linsig02   linsig   4096 2010-11-01 11:11 linsig02
drwxr-xr-x  2 linsig03   linsig   4096 2010-11-01 11:11 linsig03
drwxr-xr-x  2 student01  student  4096 2010-11-01 11:11 student01
drwxr-xr-x  2 student02  student  4096 2010-11-01 11:11 student02
drwxr-xr-x  2 student03  student  4096 2010-11-01 11:11 student03

For more info on sudo, I suggest reading the man page for sudoers. You can control permissions to users or groups that way, and fine tune what can or cannot be done.

I used ACLs on a university file system, AFS, but that was particular to that file system. It can get as complex as you make it, but it doesn't need to be too complex.

A tutorial:

Last edited by udaman; 11-01-2010 at 10:24 AM. Reason: typo
Old 11-02-2010, 06:13 AM   #3
Registered: May 2010
Posts: 36

Rep: Reputation: 3
If you're going to give them sudo privs they can become "root" on the local machine and then overrule any "groups" privileges that you may set up. So I don't think the above suggestion will work.

What you can do is to create two directories on a server. /home/students and /home/linsigs , then you export the two directories. The home students one with "no_root_squash" option, so that the students have root privileges on them.

However, having root on the clients will make it very difficult to prevent the students from being able to hack root on the sever and/or modify files in /home/linsigs.

I suggest you make it a competition. If they find a (new) way to subvert security they should tell you and earn a "point". That way the hacking will be in the open, and not pose much of a problem. And they will be involved in security issues and learn something along the way.
Old 11-07-2010, 07:22 PM   #4
Registered: Jan 2005
Distribution: knoppix/debian
Posts: 38

Original Poster
Blog Entries: 2

Rep: Reputation: 11

We've decided to dual boot two copies of Ubuntu 10.04.1. We'll set up the students with ro on the mount point for the SIG (Special Interest Group) drive and hope they won't know enough to change read only permission to rw. There doesn't seem to be a better way suggested anywhere.
Thanks to all for the suggestions.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Ubuntu One taking care of Windows users ... not so much users of other Linux distributions LXer Syndicated Linux News 0 08-26-2010 09:30 PM
Reduce privilages sudo users jnreddy Linux - Server 3 08-01-2010 11:12 PM
[SOLVED] Listing sudo users dilipvp Programming 6 05-21-2010 09:50 AM
Sudo password for users, a.k.a. sudoers Micro420 SUSE / openSUSE 2 04-21-2006 09:23 PM
accessing of directory using sudo users abhis_mail2002 Fedora 3 02-22-2006 03:34 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:58 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration