public inbox for linux-kernel@vger.kernel.org
From: Henry Yen <henry@panix.com>
To: "A. op de Weegh" <aopdeweegh@rockopnh.nl>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Granting some root permissions to certain users
Date: Thu, 10 Jun 2004 00:38:19 -0400	[thread overview]
Message-ID: <20040610043818.GA3708@panix.com> (raw)
In-Reply-To: <jbm.20040525185001.f766d1ea@TOSHIBA>

On Tue, May 25, 2004 at 06:50:01PM +0200, A. op de Weegh wrote:
> At our school, we have installed Fedora Core 1 on a machine which acts as a
> server. Our students may store reports and other products, that they have 
> created for their lessons, on this machine. Also the teachers have an 
> account.
>  
> I would like the teachers to have list access on ALL directories. Just as the 
> root user has. I wouldn't like the teachers to have all root permissions, but 
> they should only be able to list ALL directories available. Viewing only, no 
> writing.
>  
> Any idea how I can achieve this?

It sounds like the students are working on machines that are _not_ the
machine that stores their "reports and other products".  If so, what
machines are the students using, and what mechanism is employed to
allow the students to store to that separate server machine?  Depending
on your answer, a good solution might be more obvious.

However, for a general solution that could work even in same-machine setups,
(I suspect this might work differently on different kernels/distributions)
you could try mounting the subtree containing this "read-all" piece as
an NFS mount, by specifying "ro,all_squash,anonuid=0" as the options.
Make the local mount-point "hidden" (underneath another directory only
accessible to the teachers).  Note that this gives you read-only access
to also read files, not just list directories.
  
For example, in /etc/exports, you'd have:
# read-only export; every client uid is squashed to uid 0 on the server
/students teacher(ro,all_squash,anonuid=0)
/students localhost(ro,all_squash,anonuid=0)

On the "teacher" machine, you could have /hidden as a directory,
mode 750, group "teachers", with a subdirectory called "mnt".
Then "mount studentserver:/students /hidden/mnt".  Anyone in the
"teachers" group on the "teacher" machine could read-access anything
in the /students tree via /hidden/mnt/*.

Perhaps there are some security issues with NFS on a local-machine-only
setup, though.
-- 
Henry Yen <henry@panix.com>
netcom shell refugee '94.  henry@netcom.com,henryyen@netcom.com
Hicksville, New York
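The export and hidden mount point described in the message above, written out as a small POSIX sh helper. This is an added example, not code from the original message or from any NFS project: the hosts "teacher" and "studentserver", the path /students and the group "teachers" come from the mail, while the function names, the audit rules and the extra mount options nosuid,nodev are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): build and audit the
# /etc/exports entries and prepare the client-side hidden mount point.
# From the mail: hosts "teacher"/"studentserver", path /students, group
# "teachers".  Assumed here: the function names, the audit rules and the
# extra mount options nosuid,nodev.

EXPORT_PATH=/students
EXPORT_OPTS="ro,all_squash,anonuid=0"

# One /etc/exports line for a named client.  all_squash,anonuid=0 makes the
# server handle every request from that client as uid 0, so the export must
# stay read-only and must name specific hosts, never a wildcard.
exports_entry() {
    printf '%s %s(%s)\n' "$EXPORT_PATH" "$1" "$EXPORT_OPTS"
}

# Audit one exports line: returns 0 if it is read-only and, when it maps
# clients to uid 0, is not offered to a wildcard client; returns 1 otherwise.
audit_export_line() {
    line=$1
    rest=${line#* }                  # everything after the path
    client=${rest%%(*}               # host part before '('
    opts=${rest#*(}
    opts=${opts%)}
    ro=0; rw=0; anon_root=0
    oldifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            ro)        ro=1 ;;
            rw)        rw=1 ;;
            anonuid=0) anon_root=1 ;;
        esac
    done
    IFS=$oldifs
    if [ "$rw" -eq 1 ] || [ "$ro" -eq 0 ]; then
        echo "UNSAFE (writable): $line" >&2
        return 1
    fi
    if [ "$anon_root" -eq 1 ]; then
        case $client in
            ''|*'*'*|*'?'*)
                echo "UNSAFE (anonuid=0 offered to wildcard client): $line" >&2
                return 1 ;;
        esac
    fi
    return 0
}

# Client side: create BASE/hidden (mode 750, group GRP) with BASE/hidden/mnt
# inside it.  That 750 directory is the only thing keeping non-teachers out,
# because once mounted the server checks permissions as root for everyone.
setup_hidden_mount() {
    base=$1
    grp=$2
    mkdir -p "$base/hidden/mnt"
    chmod 0750 "$base/hidden"
    # chgrp only if the group exists on this host (it may not in a test run)
    if command -v getent >/dev/null 2>&1 && getent group "$grp" >/dev/null 2>&1; then
        chgrp "$grp" "$base/hidden"
    fi
}

# The mount command for the teacher machine.  nosuid,nodev are an assumption
# added here (not in the mail) because the files are student-supplied.
mount_command() {
    printf 'mount -o ro,nosuid,nodev studentserver:%s %s/hidden/mnt\n' \
        "$EXPORT_PATH" "${1:-}"
}

# Demonstration: print the exports lines and the mount command.
exports_entry teacher
exports_entry localhost
mount_command
```

The audit function exists because anonuid=0 is the sharp edge of this recipe: the server answers every request from an allowed client as root, so a stray "rw" or a wildcard client host on that line would hand out root-equivalent read or write access to whoever can present that source address over AUTH_SYS NFS. Keep the export read-only and name the clients explicitly; the 750 /hidden directory is then the only access control on the teacher machine.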

Thread overview: 6+ messages
2004-05-25 16:50 Granting some root permissions to certain users A. op de Weegh
2004-05-25 16:56 ` Matti Aarnio
2004-05-25 16:59 ` Richard B. Johnson
2004-05-25 17:07 ` Jeffrey E. Hundstad
2004-05-27 18:57 ` Pavel Machek
2004-06-10  4:38 ` Henry Yen [this message]
