[Techtalk] Group Permission Security Question

perimorph perimorph at mindspring.com
Sat Oct 18 13:42:08 EST 2003

On Sat, 2003-10-18 at 04:16, TechChiq wrote:
> Is it bad security to set a certain user's
> group mode to "root"? 

I would consider it a poor decision, since the point of having regular
users and a root account is that the regular users shouldn't be changing
system settings (and possibly messing them up) -- if your account has
root privileges, then you no longer have the benefit of being unable to
Make A Big Big Mess accidentally.  Like typing "rm -rf * " in the wrong
directory....  ooops!

> so I would like to set up something where he
> can't blitz nothing. Of course I wouldn't set him to root group! LOL!

If you make sure that most everything besides his home directory doesn't
have write permission for World except for groups he's not in (i.e. root
group, or if you make another group, etc), then it should be fine. 
That's how it's supposed to be set up from the beginning, anyhow.

When you look at the directory listing (using ls -l), it shows you the
permissions.  Something like -RWXRWX-R-X owned by (user) root / (group)
root would be right -- regular users can read and execute, but not
overwrite or delete.  Just remember, directories have permissions too --
and to cd into a directory, you need execute permission -- not read
permission.  That tripped me up a lot when I started!

Remember, the permissions set goes "Owner, Owner's Group, World" --
sometimes, people mistakenly think the first one is root.  Which would
be silly, since root can do whatever she damn well pleases.  ^_-

> I would like him to have his own account (not
> root) and have superuser privileges to do what he needs to in case he
> needs to fix something or show me how to fix things. How would I set up
> his account?

Best option is to use the program "sudo" (SuperUser DO) -- if you set up
his account as one allowed to use it, he can temporarily gain root
privileges without knowing the root password.  The permission expires
after a few minutes of not being used, so it's less likely he'd
accidentally mess anything up.  :)  Many distros install this unless you
say not to, and it sits harmlessly until you make the list of who's
allowed to use it.  "man sudo" should tell you if it's installed and if
so, how to set it up.
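
A check for the permission setup described above, as an added example that is not part of the original message. It lists the entries under a directory tree that a regular user could overwrite or delete; the function names world_writable and group_writable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): find entries that break the
# "regular users can read and execute, but not overwrite or delete" rule.

# world_writable DIR
# Print regular files and directories under DIR whose World write bit is set.
# Directories that also carry the sticky bit (mode 1777, like /tmp) are
# skipped: there a user can only remove entries they own. Symlinks are never
# matched, since their own mode bits are not used for access checks.
world_writable() {
    find "$1" -xdev \( \
        \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \
    \) -print
}

# group_writable DIR GROUP
# Print regular files and directories under DIR that belong to GROUP and have
# the group write bit set. Run it once for each group the account is in
# (see the output of "id -Gn username") to see what membership really grants.
group_writable() {
    find "$1" -xdev -group "$2" -perm -0020 \
        \( -type f -o -type d \) -print
}
```

Typical use is `world_writable /etc` and `group_writable /etc somegroup`; an empty result means nothing under that tree is writable through that path.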

