On Sat, 2004-06-26 at 12:18, Stephen Touset wrote:
> On Sat, 2004-06-26 at 11:52, John Summerfield wrote:
> > Who owns the directory etc this creates? Who is the cp command being
> > run as?
> >
> > Are the sudo and maildirmake in the right order?
>
> The problem was with permissions. However, I'm going through hell right
> now trying to set up a sudoers file that will allow users to create
> their own home directories. The key problem is creating it with *their*
> permissions. If I can just be able to create a directory with specified
> permissions, *without* having the utility change the permissions on an
> already made directory, I'll be happy.
>
> Problems so far:
>
> /bin/install -o user does the trick, but if you call it on a directory
> that already exists, it has its owner changed to user.
>
> /bin/mkdir has no way of specifying the owner, and I'm NOT going to
> allow every user to do a `sudo chown` for obvious reasons.

I believe I found a solution. I created a file /usr/bin/create_home, and
allowed it to be executed via sudo. Its contents are printed below.

stouset@hermes:~$ cat /usr/bin/create_home
    #!/bin/dash

    # Open and close a login session as the given user so that the existing
    # PAM setup (e.g. pam_mkhomedir) creates the home directory.
    su - "$1" -c exit

I believe this to be the optimal solution for several reasons:

      * No messy /etc/sudoers with possible security leaks
      * Not allowing users access to dangerous utilities such as
        chown, install, chgrp, etc.
      * Uses already existing PAM infrastructure, so if home directory
        structure, pam_mkhomedir, etc. is changed, it doesn't have to
        be done in the script as well.

If anyone sees a problem with this solution, let me know.

--
Stephen Touset <stephen@touset.org>
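
Added example, not part of the original message or the poster's script: a stricter variant of the create_home wrapper that checks its single argument before handing it to su, since the script runs as root under sudo. The function names, the allowed character set and the SU_CMD override are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: hardened create_home wrapper (assumed layout, not the
# original /usr/bin/create_home). PAM is still what creates the directory.

# valid_username NAME -> 0 only if NAME is one plain word that su cannot
# read as an option. The allowed character set is an assumption.
valid_username() {
    case "$1" in
        ''|-*) return 1 ;;              # empty, or looks like an option
        *[!A-Za-z0-9._-]*) return 1 ;;  # whitespace, quotes, metacharacters
    esac
    return 0
}

# account_exists NAME -> 0 if the name resolves through NSS (files, LDAP, ...).
account_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# create_home NAME: open and immediately close a login session for NAME.
# SU_CMD is a hypothetical override so the call can be dry-run without root.
create_home() {
    [ "$#" -eq 1 ] || { echo "usage: create_home USER" >&2; return 64; }
    valid_username "$1" || { echo "create_home: invalid user name" >&2; return 65; }
    account_exists "$1" || { echo "create_home: no such account" >&2; return 67; }
    # Quoted so the argument reaches su as exactly one word.
    ${SU_CMD:-su} - "$1" -c exit
}

# Act only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    create_home "$@"
fi
```

Running it with SU_CMD=echo prints the su command line that would be executed, which is a quick way to check the sudoers entry and the validation without touching any account.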