[Techtalk] Group Permission Security Question

Kai MacTane kmactane at GothPunk.com
Sat Oct 18 02:22:25 EST 2003


At 10/18/03 01:16 AM , TechChiq wrote:
>I want to set up so that my main account on my linux box (the one I do
>all my normal work in) can also access some files that have group set to
>"root" (like when files were transferred from another drive I don't know
>how the group didn't get set to write). I keep having to make superuser
>windows or terms for stuff. Is it bad security to set a certain user's
>group mode to "root"?

Just to make things easy, I'll assume your account name is "techchiq". 
It'll keep me from having to type "your usual account" over and over again.

What I'd do is, instead of making techchiq's group be "root", just add 
techchiq to the root group. In /etc/group, on the first line, it should 
already say:

    root::0:root

Append ",techchiq" to it to make:

    root::0:root,techchiq

This way, user techchiq is a member of the root group *as well as* her own, 
and can modify any group-writable files that are group-owned by root.

(The techchiq user will have to log out and log back in again for these 
permissions to take effect on her account.)

>Also, I have a couple folks that may use my machine so I want to make
>accounts for them too. One would be my boyfriend, who knows little about
>computers (he's learning :) so I would like to set up something where he
>can't blitz nothing. Of course I wouldn't set him to root group! LOL!

Just giving him a normal user account, user "boyfriend", group "boyfriend" 
(or a member of group "users" if you're using one of the distros that 
doesn't give every user their own individual group) should make it so the 
only things he can blitz are his own files. Yes, he'll have the ability to 
completely FUBAR or even delete his own home directory, but nothing else.

>Then there's another friend of mine who we all call "The Wizard" (what
>his wife nicknamed him). I would like him to have his own account (not
>root) and have superuser privileges to do what he needs to in case he
>needs to fix something or show me how to fix things. How would I set up
>his account?

The really secure way would be to set up sudo and configure it so he can do 
certain things (with root privileges) but not others. However, sudo is a 
royal PITA to configure.

You could just give him the root password and trust him.

Alternatively, if you don't trust him that much, you could have him come 
over to show you stuff. Log in a root session yourself, then sit him down 
at the keyboard. This allows him to do things with root privileges without 
giving him the root password.

Of course, if you think you might need him to log in remotely and rescue 
you from some mistake, that might not be sufficient. It all depends on just 
how much you trust him, and how much power you want to give him. Others may 
well be able to suggest better options, or walk you through a sudo 
configuration.

                                                 --Kai MacTane
----------------------------------------------------------------------
"I am the storm. My voice is the river.
  Take from me, I fade into you..."
                                                 --The Last Dance,
                                                  "Fairytale (the Storm)"
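
The reply above says that a member of the root group can modify any group-writable files that are group-owned by root. The following is an added example, not part of the original message, that lists who is in a group and exactly which files that membership makes writable; the function names `group_members` and `group_writable` are hypothetical, and the script takes the group file, directory and group as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): audit what membership in a
# group such as "root" actually grants before editing /etc/group.

# group_members FILE GROUP
# Print the members listed for GROUP in a group(5)-format FILE, one per
# line. The member list is the 4th colon-separated field, comma-separated,
# e.g. "root::0:root,techchiq".
group_members() {
    awk -F: -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
}

# group_writable DIR GROUP
# Print everything under DIR (same filesystem only, symlinks skipped) that
# is group-owned by GROUP (name or numeric gid) and has the group-write
# bit (octal 020) set. These are the objects any member of GROUP can modify.
group_writable() {
    find "$1" -xdev -group "$2" -perm -020 ! -type l -print 2>/dev/null
}

# Stand-alone use: sh audit.sh /etc/group /etc root
if [ "$#" -eq 3 ]; then
    echo "Members of $3:"
    group_members "$1" "$3"
    echo "Group-writable by $3 under $2:"
    group_writable "$2" "$3"
fi
```

Running it before and after a change to /etc/group shows the full set of files the new member gains write access to.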


