[Techtalk] Group Permission Security Question
Kai MacTane
kmactane at GothPunk.com
Sat Oct 18 02:22:25 EST 2003
At 10/18/03 01:16 AM , TechChiq wrote:
>I want to set up so that my main account on my linux box (the one I do
>all my normal work in) can also access some files that have group set to
>"root" (like when files were transferred from another drive I don't know
>how the group didn't get set to write). I keep having to make superuser
>windows or terms for stuff. Is it bad security to set a certain user's
>group mode to "root"?
Just to make things easy, I'll assume your account name is "techchiq".
It'll keep me from having to type "your usual account" over and over again.
What I'd do is, instead of making techchiq's group be "root", just add
techchiq to the root group. In /etc/group, on the first line, it should
already say:
root::0:root
Append ",techchiq" to it to make:
root::0:root,techchiq
This way, user techchiq is a member of the root group *as well as* her own,
and can modify any group-writable files that are group-owned by root.
(The techchiq user will have to log out and log back in again for these
permissions to take effect on her account.)
>Also, I have a couple folks that may use my machine so I want to make
>accounts for them too. One would be my boyfriend, who knows little about
>computers (he's learning :) so I would like to set up something where he
>can't blitz nothing. Of course I wouldn't set him to root group! LOL!
Just giving him a normal user account, user "boyfriend", group "boyfriend"
(or a member of group "users" if you're using one of the distros that
doesn't give every user their own individual group) should make it so the
only things he can blitz are his own files. Yes, he'll have the ability to
completely FUBAR or even delete his own home directory, but nothing else.
>Then there's another friend of mine who we all call "The Wizard" (what
>his wife nicknamed him). I would like him to have his own account (not
>root) and have superuser privileges to do what he needs to in case he
>needs to fix something or show me how to fix things. How would I set up
>his account?
The really secure way would be to set up sudo and configure it so he can do
certain things (with root privileges) but not others. However, sudo is a
royal PITA to configure.
You could just give him the root password and trust him.
Alternatively, if you don't trust him that much, you could have him come
over to show you stuff. Log in a root session yourself, then sit him down
at the keyboard. This allows him to do things with root privileges without
giving him the root password.
Of course, if you think you might need him to log in remotely and rescue
you from some mistake, that might not be sufficient. It all depends on just
how much you trust him, and how much power you want to give him. Others may
well be able to suggest better options, or walk you through a sudo
configuration.
--Kai MacTane
----------------------------------------------------------------------
"I am the storm. My voice is the river.
Take from me, I fade into you..."
--The Last Dance,
"Fairytale (the Storm)"
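
An added example, not part of the original post: POSIX shell functions for auditing the /etc/group change discussed above, listing who is in a given group (gid 0 here) and which files that group can write. The function names and the constructed sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit who holds gid 0 and what that group can write.
# File paths are parameters so the functions can be run against copies.

# Print users that belong to the group with the given gid, either as a
# supplementary member (4th field of the group file) or through their
# primary gid (4th field of the passwd file). One name per line, sorted.
gid_members() {
    gid=$1 group_file=${2:-/etc/group} passwd_file=${3:-/etc/passwd}
    {
        awk -F: -v gid="$gid" '$3 == gid && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Everyone in gid 0 except root itself (empty output if nobody is).
extra_root_group_members() {
    gid_members 0 "$@" | grep -vx root || true
}

# List regular files under a directory ($2) that are group-owned by the
# given group or gid ($1) and have the group write bit set, i.e. the
# files any member of that group can modify.
group_writable_files() {
    find "$2" -xdev -type f -group "$1" -perm -020 2>/dev/null | sort
}

# Constructed sample data (not taken from a real system): the group line
# from the post after the edit, plus matching passwd entries.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root::0:root,techchiq' 'boyfriend::501:' > "$d/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'techchiq:x:500:500::/home/techchiq:/bin/sh' \
        'boyfriend:x:501:501::/home/boyfriend:/bin/sh' > "$d/passwd"
    extra_root_group_members "$d/group" "$d/passwd"   # prints: techchiq
    rm -rf "$d"
}
demo
```

On a live system, `extra_root_group_members` with no arguments reads /etc/group and /etc/passwd, and `group_writable_files 0 /etc` shows what those members can change under /etc.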