Re: Granting some root permissions to certain users

From: Henry Yen
Date: Wed Jun 09 2004 - 23:39:38 EST
On Tue, May 25, 2004 at 06:50:01PM +0200, A. op de Weegh wrote:
> At our school, we have installed Fedora Core 1 on a machine which acts as a
> server. Our students may store reports and other products, that they have
> created for their lessons, on this machine. Also the teachers have an
> account.
>
> I would like the teachers to have list access on ALL directories. Just as the
> root user has. I wouldn't like the teachers to have all root permissions, but
> they should only be able to list ALL directories available. Viewing only, no
> writing.
>
> Any idea how I can achieve this?

It sounds like the students are working on machines that are _not_ the
machine that stores their "reports and other products". If so, what
machines are the students using, and what mechanism is employed to
allow the students to store to that separate server machine? Depending
on your answer, a good solution might be more obvious.

However, for a general solution that could work even in same-machine setups,
(I suspect this might work differently on different kernels/distributions)
you could try mounting the subtree containing this "read-all" piece as
an NFS mount, by specifying "ro,all_squash,anonuid=0" as the options.
Make the local mount-point "hidden" (underneath another directory only
accessible to the teachers). Note that this gives you read-only access
to also read files, not just list directories.

For example, in /etc/exports, you'd have:
/students teacher(ro,all_squash,anonuid=0)
/students localhost(ro,all_squash,anonuid=0)

On the "teacher" machine, you could have /hidden as a directory,
mode 750, group "teachers", with a subdirectory called "mnt".
Then "mount studentserver:/students /hidden/mnt". Anyone in the
"teachers" group on the "teacher" machine could read-access anything
in the /students tree via /hidden/mnt/*.

Perhaps there are some security issues with NFS on a local-machine-only
setup, though.
--
Henry Yen <henry@xxxxxxxxx>
netcom shell refugee '94. henry@xxxxxxxxxx,henryyen@xxxxxxxxxx
Hicksville, New York
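A check worth running against /etc/exports before applying the read-all setup above, added here as an example and not part of the original thread: it flags any export that maps clients to local root (anonuid=0 or no_root_squash) unless that export is explicitly read-only and bound to a named host. It assumes the plain one-line "path host(opts) host(opts)" syntax and uses a constructed sample file, not the poster's real configuration.

```shell
# Flag every export entry that maps clients to uid 0 (anonuid=0 or
# no_root_squash) unless it is explicitly "ro" and bound to a named host.
# Prints one line per finding and returns 1 if anything was flagged.
audit_exports() {
    rc=0
    set -f                                   # "*" hosts must not glob-expand
    while read -r path clients; do
        case "$path" in ''|\#*) continue ;; esac   # blank line or comment
        clients=${clients%%#*}               # drop a trailing comment
        for entry in $clients; do
            case "$entry" in
                *\(*\)) host=${entry%%\(*}; opts=${entry#*\(}; opts=${opts%\)} ;;
                *)      host=$entry; opts='' ;;
            esac
            [ -n "$host" ] || host='*'       # "(opts)" alone means every host
            case ",$opts," in
                *,anonuid=0,*|*,no_root_squash,*) ;;   # client becomes uid 0
                *) continue ;;                          # squashed normally: skip
            esac
            case "$host" in
                *\**|*\?*) echo "$path $host: root mapping exported to wildcard host"; rc=1 ;;
            esac
            case ",$opts," in
                *,rw,*) echo "$path $host: root mapping on a writable export"; rc=1 ;;
                *,ro,*) ;;
                *)      echo "$path $host: root mapping without explicit ro"; rc=1 ;;
            esac
        done
    done < "$1"
    set +f
    return $rc
}

# Constructed sample exports file (not from the post): two safe lines
# matching the setup above, then three variants the check should catch.
write_sample_exports() {
    cat > "$1" <<'EOF'
/students teacher(ro,all_squash,anonuid=0)
/students localhost(ro,all_squash,anonuid=0)
/students *(ro,all_squash,anonuid=0)
/students teacher(rw,all_squash,anonuid=0)
/home     teacher(rw,no_root_squash)
EOF
}

tmp=$(mktemp)
write_sample_exports "$tmp"
audit_exports "$tmp" || echo "review the flagged entries before running exportfs"
rm -f "$tmp"
```

Run it against the real file with `audit_exports /etc/exports` once the functions are sourced.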