[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: group permissions (was chroot ssh and ftp)

Dear Chris,

When you pointed out there would be no serious benefit by chrooting
the users, I decided to hold this configuration for a while. To
isolate the system will take some time, and some bureaucratics :)

Now, for the permissions stated before, I got this until now:

Professors belong to two groups, professors and students
Students belong only to alumini
Admins belong to all

Then I run in professors /home/dirs the following command:
chown -R :professors paul peter patrick
chmod -R 700 paul peter patrick
No need to SGID bit because their default group is professors.

To students /home/dirs I did:
chown -R :students sam simon sony
chmod -R 770 sam simon sony
chmod g+s sam simon sony

Also, I edited /etc/pam.d/common-session and added
session optional pam_umask.so umask=007
This way, new files would be created by default with rwxrwx---
And SGID will make them belong to students.

The problem regarding people changing groups or permissions in the
files is (very) poorly addressed with this script I made, to run as a
cronjob twice a day:

#----------------------------- begin
cd /home
THEUSERS=$(ls -1)
#echo Cleaning the following users: $THEUSERS

for USU in $THEUSERS; do
        #Its not staff
        if [ "$USU" != "alf" -a "$USU" != "art" -a "$USU" != "abbie" ]; then
                #echo found $USU, not admin
                #Is (s)he a student?
                if groups $USU | grep -q alumini; then
                        #echo Cleaning $USU, student.
                        chown -R $USU:student $USU
                        chmod -R u+rw,g+rw,o-rwx $USU
                        #echo Cleaning $USU, professor.
                        chown -R $USU:professor $USU
                        chmod -R u+rw,g-rwx,o-rwx $USU
#----------------------------- end

I believe chwon and chmod for students will quickly see no changes
need and exit for each file in the recursion. Thats ok.
The problem is that professor files start with 770 and they are always
changed by the script to 700.

Also, it would be better to run recursively inside each dir and check
if the file really need a change, would it not?

(*) Do you guys have any better idea to the script?
(**) Is it possible to use professors default as 700 and students as
770? (And without the need of ACL, or if ACL is needed, can someone
share some light on the subject)?

Thanks for your attention,

Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942

Reply to: