[SOLVED] Need sudo for users but only +r on other /home/users Ubuntu 10.04

sundry_50 · 11-01-2010, 08:50 AM

We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.

The blind leading the blind here.

udaman · 11-01-2010, 10:17 AM

Create a set of groups for your users. It could be as simple as two groups or as complex as each user in his/her own group. If studen01 is in group01 all members of that group can access the directorys. If linsig01 is in group linsig01, and student01 is not in that group, then student01 cannot access that group's directories.

to set permissions on files or directories use.

Code:

 #chmod

Here you see I have each student in a student group, and each linsig in a linsig group.

Code:

#ls -l /home
drwxr-xr-x  2 linsig01   linsig   4096 2010-11-01 11:11 linsig01
drwxr-xr-x  2 linsig02   linsig   4096 2010-11-01 11:11 linsig02
drwxr-xr-x  2 linsig03   linsig   4096 2010-11-01 11:11 linsig03
drwxr-xr-x  2 student01  student  4096 2010-11-01 11:11 student01
drwxr-xr-x  2 student02  student  4096 2010-11-01 11:11 student02
drwxr-xr-x  2 student03  student  4096 2010-11-01 11:11 student03

For more info on sudo, I suggest reading the man page for sudoers. You can control permissions to users or groups that way, and fine tune what can or cannot be done.

I used ACLs on a university file system, AFS, but that was particular to that file system. It can get as complex as you make it, but it doesn't need to be too complex.

A tutorial: http://www.tuxfiles.org/linuxhelp/filepermissions.html

rew · 11-02-2010, 06:13 AM

If you're going to give them sudo privs they can become "root" on the local machine and then overrule any "groups" privileges that you may set up. So I don't think the above suggestion will work.

What you can do is to create two directories on a server. /home/students and /home/linsigs , then you export the two directories. The home students one with "no_root_squash" option, so that the students have root privileges on them.

However, having root on the clients will make it very difficult to prevent the students from being able to hack root on the sever and/or modify files in /home/linsigs.

I suggest you make it a competition. If they find a (new) way to subvert security they should tell you and earn a "point". That way the hacking will be in the open, and not pose much of a problem. And they will be involved in security issues and learn something along the way.

sundry_50 · 11-07-2010, 07:22 PM

We've decided to dual boot two copies of Ubuntu 10.04.1. We'll set up the students with ro on the mount point for the SIG (Special Interest Group) drive and hope they won't know enough to change read only permission to rw. There doesn't seem to be a better way suggested anywhere.
Thanks to all for the suggestions.