* Granting some root permissions to certain users
From: A. op de Weegh @ 2004-05-25 16:50 UTC (permalink / raw)
To: linux-kernel
Hi all,
At our school, we have installed Fedora Core 1 on a machine which acts as a
server. Our students may store reports and other products, that they have
created for their lessons, on this machine. Also the teachers have an
account.
I would like the teachers to have list access on ALL directories. Just as the
root user has. I wouldn't like the teachers to have all root permissions, but
they should only be able to list ALL directories available. Viewing only, no
writing.
Any idea how I can achieve this?
Thanx,
Alex
* Re: Granting some root permissions to certain users
From: Matti Aarnio @ 2004-05-25 16:56 UTC (permalink / raw)
To: A. op de Weegh; +Cc: linux-kernel
On Tue, May 25, 2004 at 06:50:01PM +0200, A. op de Weegh wrote:
> Hi all,
> At our school, we have a installed Fedora Core 1 on a machine which acts as a
> server. Our students may store reports and other products, that they have
> created for their lessons, on this machine. Also the teachers have an
> account.
>
> I would like the teachers to have list access on ALL directories. Just as the
> root user has. I wouldn't like the teachers to have all root permissions, but
> they should only be able to list ALL directories available. Viewing only, no
> writing.
That is usually done by means of supplementary groups.
And then somehow enforcing users to have their file/directory permissions
to include group X for directories, and group R for everything.
This means also, that users are allocated just a few groups, not
a group for each user (like FC1 does by default)
> Any idea how I can achieve this?
>
> Thanx,
> Alex
/Matti Aarnio
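Added example (not part of Matti Aarnio's message): a shell audit for the supplementary-group scheme described above. It assumes one shared group (the name "teachers" in the usage comment is hypothetical) and reports every entry that breaks the scheme: wrong group, a directory without group r-x, a file without group r, or anything group-writable, since the goal is viewing only.

```shell
#!/bin/sh
# Added example: audit a tree for the "shared group can list and read" scheme.
# Assumption: the caller passes the shared group (name or numeric gid).
# Usage: audit_group_access /students teachers

# Prints one "<reason><TAB><path>" line per problem; returns 1 if any were found.
audit_group_access() {
    dir=$1
    grp=$2
    out=$(
        # Owned by another group: the group bits below would not apply.
        find "$dir" ! -group "$grp" \
            -exec printf 'wrong-group\t%s\n' {} \;
        # Directories need group r (list names) and x (traverse): mode bits 050.
        find "$dir" -type d ! -perm -050 \
            -exec printf 'dir-not-listable\t%s\n' {} \;
        # Regular files need group r: mode bit 040.
        find "$dir" -type f ! -perm -040 \
            -exec printf 'file-not-readable\t%s\n' {} \;
        # Viewing only: no group write bit (020). Symlinks always show 777, skip them.
        find "$dir" ! -type l -perm -020 \
            -exec printf 'group-writable\t%s\n' {} \;
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it from cron or after account creation; an empty result means every path under the tree is listable and readable by the group and not writable by it.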
* Re: Granting some root permissions to certain users
From: Richard B. Johnson @ 2004-05-25 16:59 UTC (permalink / raw)
To: A. op de Weegh; +Cc: linux-kernel
On Tue, 25 May 2004, A. op de Weegh wrote:
> Hi all,
> At our school, we have a installed Fedora Core 1 on a machine which acts as a
> server. Our students may store reports and other products, that they have
> created for their lessons, on this machine. Also the teachers have an
> account.
>
> I would like the teachers to have list access on ALL directories. Just as the
> root user has. I wouldn't like the teachers to have all root permissions, but
> they should only be able to list ALL directories available. Viewing only, no
> writing.
>
> Any idea how I can achieve this?
>
> Thanx,
> Alex
http://unixhelp.ed.ac.uk/
Cheers,
Dick Johnson
Penguin : Linux version 2.4.26 on an i686 machine (5570.56 BogoMips).
Note 96.31% of all statistics are fiction.
* Re: Granting some root permissions to certain users
From: Jeffrey E. Hundstad @ 2004-05-25 17:07 UTC (permalink / raw)
To: A. op de Weegh; +Cc: linux-kernel
A. op de Weegh,
We use a kernel patch called trustees to do just what you're talking
about. Unfortunately the patch hasn't really been kept up-to-date. I
wish something *like* this could be included in the standard kernel, but
I guess I understand why it's not also.
Here's a link to trustees: http://trustees.sourceforge.net/
You could also use ACLs to give your teachers permissions, but that
tends to take a lot of work imho, but it's what we're looking at to
replace trustees when I can no longer get it to patch into kernels.
Here's a link to Linux ACL: http://acl.bestbits.at/
--
jeffrey hundstad
A. op de Weegh wrote:
>Hi all,
>At our school, we have a installed Fedora Core 1 on a machine which acts as a
>server. Our students may store reports and other products, that they have
>created for their lessons, on this machine. Also the teachers have an
>account.
>
>I would like the teachers to have list access on ALL directories. Just as the
>root user has. I wouldn't like the teachers to have all root permissions, but
>they should only be able to list ALL directories available. Viewing only, no
>writing.
>
>Any idea how I can achieve this?
>
>Thanx,
>Alex
* Re: Granting some root permissions to certain users
From: Pavel Machek @ 2004-05-27 18:57 UTC (permalink / raw)
To: A. op de Weegh; +Cc: linux-kernel
Hi!
> At our school, we have a installed Fedora Core 1 on a machine which acts as a
> server. Our students may store reports and other products, that they have
> created for their lessons, on this machine. Also the teachers have an
> account.
>
> I would like the teachers to have list access on ALL directories. Just as the
> root user has. I wouldn't like the teachers to have all root permissions, but
> they should only be able to list ALL directories available. Viewing only, no
> writing.
>
> Any idea how I can achieve this?
Create setuid ls with permissions rwxr-x--- root.teachers.
Teachers may be able to get root if they are real good hackers (and exploit
some bug in ls), but they certainly will not break anything by mistake.
Pavel
--
64 bytes from 195.113.31.123: icmp_seq=28 ttl=51 time=448769.1 ms
* Re: Granting some root permissions to certain users
From: Henry Yen @ 2004-06-10 4:38 UTC (permalink / raw)
To: A. op de Weegh; +Cc: linux-kernel
On Tue, May 25, 2004 at 06:50:01PM +0200, A. op de Weegh wrote:
> At our school, we have a installed Fedora Core 1 on a machine which acts as a
> server. Our students may store reports and other products, that they have
> created for their lessons, on this machine. Also the teachers have an
> account.
>
> I would like the teachers to have list access on ALL directories. Just as the
> root user has. I wouldn't like the teachers to have all root permissions, but
> they should only be able to list ALL directories available. Viewing only, no
> writing.
>
> Any idea how I can achieve this?
It sounds like the students are working on machines that are _not_ the
machine that stores their "reports and other products". If so, what
machines are the students using, and what mechanism is employed to
allow the students to store to that separate server machine? Depending
on your answer, a good solution might be more obvious.
However, for a general solution that could work even in same-machine setups,
(I suspect this might work differently on different kernels/distributions)
you could try mounting the subtree containing this "read-all" piece as
an NFS mount, by specifying "ro,all_squash,anonuid=0" as the options.
Make the local mount-point "hidden" (underneath another directory only
accessible to the teachers). Note that this gives you read-only access
to also read files, not just list directories.
For example, in /etc/exports, you'd have:
    /students teacher(ro,all_squash,anonuid=0)
    /students localhost(ro,all_squash,anonuid=0)
On the "teacher" machine, you could have /hidden as a directory,
mode 750, group "teachers", with a subdirectory called "mnt".
Then "mount studentserver:/students /hidden/mnt". Anyone in the
"teachers" group on the "teacher" machine could read-access anything
in the /students tree via /hidden/mnt/*.
Perhaps there are some security issues with NFS on a local-machine-only
setup, though.
--
Henry Yen <henry@panix.com>
netcom shell refugee '94. henry@netcom.com,henryyen@netcom.com
Hicksville, New York
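Added example (not part of Henry Yen's message): with all_squash and anonuid=0 every request from the client is served as uid 0, so "ro" and the host name are the only limits on the export. The check below reads exports(5)-style lines on stdin and reports root-mapped entries that are writable or open to wildcard hosts; the /scratch, /archive and /home lines in the sample are constructed variations, not from the thread.

```shell
#!/bin/sh
# Added example: flag risky root-mapped NFS exports.
# Usage: check_exports < /etc/exports

# Constructed sample: the two /students lines are the thread's entries,
# the other three are made-up variations for comparison.
sample_exports() {
    cat <<'EOF'
/students teacher(ro,all_squash,anonuid=0)
/students localhost(ro,all_squash,anonuid=0)
/scratch  teacher(rw,all_squash,anonuid=0)
/archive  *(ro,no_root_squash)
/home     teacher(rw,root_squash)
EOF
}

# Prints "<path> <host> <finding>" for each root-mapped entry that is
# writable or exported to a wildcard (or missing) host.
check_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                host = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (host == "") host = "*"   # "(opts)" alone applies to every client
            o = "," opts ","
            # anonuid=0 maps squashed users to root; no_root_squash keeps remote root.
            rootmap = (o ~ /,anonuid=0,/) || (o ~ /,no_root_squash,/)
            if (!rootmap) continue
            if (o ~ /,rw,/)    printf "%s %s root-mapped-and-writable\n", path, host
            if (host ~ /[*?]/) printf "%s %s root-mapped-to-wildcard-host\n", path, host
        }
    }'
}
```

The thread's two /students entries pass because they are read-only and name a single host each; changing either property is what the check reports.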