[CaludonAdministrator]

Am I right in saying, that to make a user have administator access I just add them to the adm group

usermod -G group1,group2,adm ftpuser

Having problems with getting my ftpuser in pure-ftpd to be able to access a web sites files for updating etc... I know this is overkill in terms of rights, but I just wanted to make sure it is a security issue by giving them full access and then refining it later via access to another more appropriate group.

I have added the user to adm, but still have the problem - am I adding them to the right group or are there more, I've also added them to root.

NB: pure-ftpd is Chrooted, but I have set up some mount --bind commands so that the ftp user can have logical access to the apache area.

[geniuz]

Why in the world would you want to give a user full admin rights ??
I must strongly warn you about that, IT IS NOT SAVE !!

It's one of the most secure things about linux that a user can't destroy anything and it's the main reason why linux isn't as vulnerable as linux to viruses...

[CaludonAdministrator]

I did try to stop this type of response by saying that in my original posting.

I know all of that, I wanted to determine if it was a permissions issue that was causing the problem.

However thanks for your pertinent reminder of the obvious.

And, would you not want to give full admin rights to the administrator it you did not want to use root?

If someone can answer my question and trust me to not by negligent with the the information that would be appreciated.

Thanks

[hazel]

I would do it via /etc/sudoers and not give ALL access, just the set of commands this person needs to do what they have to do.

[geniuz]

Quote:

Originally Posted by CaludonAdministrator

I did try to stop this type of response by saying that in my original posting.

I know all of that, I wanted to determine if it was a permissions issue that was causing the problem.

However thanks for your pertinent reminder of the obvious.

And, would you not want to give full admin rights to the administrator it you did not want to use root?

If someone can answer my question and trust me to not by negligent with the the information that would be appreciated.

Thanks

I just don't understand, that's all. Root is also a user...only a superuser, so why can't you use root to do all your administrative tasks...I don't see the point in having a second superuser...

[Freston]

Giving the user sudo rights, as Hazel points out, might be just what you're looking for. You must edit the sudoers file with visudo.

I think that is safer and easier than adding the user to the root group. Also, root-owner and root-group permissions are often not equal. Therein may lie your problem with the permissions you mentioned.

Quote:

Originally Posted by geniuz

I just don't understand, that's all. Root is also a user...only a superuser, so why can't you use root to do all your administrative tasks...I don't see the point in having a second superuser...

Well, that is not entirely true. Root isn't as much a user, root is the system itself. By running as root, you trick the system into believing you are part of it.

I can understand the need for elevated rights for certain users, specially on larger systems. But I do think geniuz is right in that you should be aware that every method to raise permissions for an user has security implications.

The question is not only "does it do what I want" but also "doesn't it do what I don't want"
Hence, I think you might want to remove the root group from the user, as both root-group and sudo rights make less transparant how your permission system is set up. If you ask me, it's better to have either one or the other.

[geniuz]

Quote:

Well, that is not entirely true. Root isn't as much a user, root is the system itself. By running as root, you trick the system into believing you are part of it.

I can understand the need for elevated rights for certain users, specially on larger systems. But I do think geniuz is right in that you should be aware that every method to raise permissions for an user has security implications.

The question is not only "does it do what I want" but also "doesn't it do what I don't want"
Hence, I think you might want to remove the root group from the user, as both root-group and sudo rights make less transparant how your permission system is set up. If you ask me, it's better to have either one or the other.

Interesting...I always thought root was just a user only with full access to each file and setting in the systems..isn't that the whole purpose of root ? to keep "normal users" away from destroying anything crucial in the system ?

Aww well, it was proved again you learn by the minute here

[SagaciousKJB]

To me it sounds like a problem with the file permissions themselves.

Basically, adding a user to "adm" isn't going to give them super privileges, it's just going to give them the permissions applied to group to any file that is owned by the group "adm". I'm pretty sure that this is the same with "root", so it wouldn't really supersede permissions like actually using the root account would, but just gives you whatever permissions root has for a specific file.

I had a similar issue when setting up vsftpd and chrooted dirs. I wanted users to have access to webspace that was located over a samba share, but if I setup a different user to own those files on the local account where they were, then the account that already owned them would lose acces due to certain other factors. Basically, I needed to find a way to give users on one machine rights to view certain files in a directory on the other machine owned by one user, but not any of the other files in the directory, the directory itself or its parents, nor any other file owned by the remote user.

So I used mount --bind as well, because I found that trying to juggle around users and groups, and try to setup file permissions through chroots, was pretty much impossible without opening up some other hole. "mount --bind" was pretty much designed for being sued with chroots, as far as I know.

[Geeth]

As stated before.
sudo <command>

Would be the best option. The first time you are asked for the pass (which is the user pass) then it stays 'remembered' for 15 minutes. It's only 4 extra letters per command and you get used to it fast.