  1. #1

    how to stop admin user changing permissions


    Problem was to allow teachers to access pupil home-dirs. Achieved this by putting admin users = staff, but that creates a problem in that if a staff member opens and saves a Word doc in a pupil's home dir then the file permission for "user" is changed to root and the pupil cannot write to their own document again.
    Tried setting suid on the pupil's home dir but this does not work when admin user is used.

    Any suggestions?

    The other solution to the original problem was to use ACLs (I think) but these have not been installed on our Ubuntu Samba server and some Linux users express need for great caution (i.e. try it out on a spare partition (which we don't have) first), so I prefer to find another solution if possible.

  2. #2
    Roxoff (Super Moderator)
    Normally, you put the individual teacher into the pupil's group, and adjust group permissions on the directory/ies involved.

    Alternatively you can change the group on all the pupils' home directories, and put all the teachers into the new group, and give access that way, but you'd still need to ensure that the group access was available.

    The solution is certainly NOT to give teachers any admin rights, unless they actually know what they are doing.
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Thanks.
    If I understand it correctly and put both pupils and staff in the same group and give them access to pupils' home-dirs, then all the pupils could also browse through other pupils' work, something we do not want.
    Also giving a group admin user rights in smb.conf to [students] does not give them admin rights on anything else as far as I can see, only on the directory students - it is not a good solution so I am hoping a better one will come along.
    Peter

  4. #4
    Roxoff (Super Moderator)
    Quote Originally Posted by peter@kkvs
    Thanks.
    If I understand it correctly and put both pupils and staff in the same group and give them access to pupils' home-dirs, then all the pupils could also browse through other pupils' work, something we do not want.
    Also giving a group admin user rights in smb.conf to [students] does not give them admin rights on anything else as far as I can see, only on the directory students - it is not a good solution so I am hoping a better one will come along.
    Peter
    Er... yeah - the pupils get the group privilege rights if you put them in that group. If you don't put the pupils in that group - they'll still have user privilege to their own directory anyway.

    And you never mentioned samba till now, although I did suspect it was to do with that.

    Anyway, I've always found it much easier to enforce Linux UID/GID privileges rather than Windows ones when Samba is involved - the OS handles it natively, rather than in an overlay where things can get lost in the translation.
    Linux user #126863 - see http://linuxcounter.net/

  5. #5
    Thanks for your assistance. I have tried this and there are still some problems. (Samba is installed but as a standalone server so all permissions/groups etc. have to be done on Linux.)
    The path to the student home-dirs is like this (example):
    /home/students/mathayom6/pupil-home-dir
    If the student and mathayom6 directories are given root and staff as user and group owner then staff can access pupil files but the students cannot. If the students and mathayom dirs are given user as the group owner then students can access their home-dirs but staff cannot.
    I tried using a common group for staff and students to give them access to these directories and that worked ok, only downside was that students could see the whole student directory tree. I would prefer that students could only see what they were allowed to access.
    Peter

  6. #6
    Roxoff (Super Moderator)
    OK, the best way I have of explaining this is with some examples; I'll use a username 'pupil' for the pupil and 'teacher' for the teacher, I'll also set up a group 'shared', as you have done above.

    Snippet of /etc/group:

    Code:
    pupil:x:500:
    teacher:x:600:
    shared:x:101:teacher,teacher1,etc...

    Fix the ownership of the homes for each pupil:

    Code:
    # ls -l /home
    drwxr-x---  1  pupil   shared   4096   Nov 13 09:30 pupil

    You do this with:

    Code:
    chmod 750 /home/pupil
    chgrp shared /home/pupil

    This makes the '/home/pupil' directory read/write/execute accessible by 'pupil', and gives 'read/execute' permission to anyone in the 'shared' group. Most importantly, other pupils are not part of the 'shared' group, so they can't get into the directory.
    Linux user #126863 - see http://linuxcounter.net/
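
An added example, not part of Roxoff's post or the thread: a small audit that checks every home directory under a base path against the layout described in post #6 (mode `drwxr-x---`, group `shared`). The function names are hypothetical, and the demo runs on a constructed temporary tree where the directories' existing group stands in for `shared`.

```sh
#!/bin/sh
# Added example: audit pupil home directories against the layout in post #6
# (mode drwxr-x---, group 'shared'). Function names are hypothetical.
# Assumes group names contain no spaces, since `ls -ld` output is split on them.

# Print "<mode> <group>" for one directory, e.g. "drwxr-x--- shared".
home_state() {
    # Keep 10 characters of the mode so a trailing ACL/SELinux marker is ignored.
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $4 }'
}

# check_home DIR GROUP: return 0 if DIR matches the layout, 1 if not.
check_home() {
    dir=$1; want_group=$2; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    state=$(home_state "$dir")
    mode=${state%% *}; group=${state#* }
    if [ "$mode" != "drwxr-x---" ]; then
        echo "$dir: mode is $mode, expected drwxr-x--- (chmod 750)"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group (chgrp $want_group)"; rc=1
    fi
    return $rc
}

# audit_homes BASE GROUP: check every directory directly under BASE.
# Returns 0 only if all of them match.
audit_homes() {
    base=$1; bad=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        check_home "${d%/}" "$2" || bad=$((bad + 1))
    done
    echo "$bad non-compliant home director(ies) under $base"
    [ "$bad" -eq 0 ]
}

# Demo on a constructed tree; whatever group the new directories receive
# stands in for 'shared', so no chgrp (and no root) is needed.
demo=$(mktemp -d)
mkdir "$demo/pupil" "$demo/pupil2"
chmod 750 "$demo/pupil"      # as in the post
chmod 755 "$demo/pupil2"     # world-readable: other pupils could browse it
grp=$(home_state "$demo/pupil"); grp=${grp#* }
audit_homes "$demo" "$grp" || echo "audit flagged at least one directory"
rm -rf "$demo"
```

On the real server the call would be `audit_homes` with the directory that holds the pupil homes and the group name `shared`.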
