dgiessen
asked on
User levels
We are running on Tru64 v5.0a and I'd like to set up 3 levels of users:
root - full root access/functionality
admin - root access (all directories)
user - rwx permission for their directories only
I don't want to have to use the option of logging in as an admin level user and shelling to root, I would like full accesibility to all directories without having access to commands available to the root user.
I tried setting up an admin account with the same primary and secondary groups as the root user, but that didn't do anything (I thought since root belonged to specific groups, that any other account belonging to the same groups would have equal access).
The root user is taken care of. I understand how to set up the groups and directory permissions for users based on the group, its the admin level account I need to figure out.
Thanks
root - full root access/functionality
admin - root access (all directories)
user - rwx permission for their directories only
I don't want to have to use the option of logging in as an admin level user and shelling to root, I would like full accesibility to all directories without having access to commands available to the root user.
I tried setting up an admin account with the same primary and secondary groups as the root user, but that didn't do anything (I thought since root belonged to specific groups, that any other account belonging to the same groups would have equal access).
The root user is taken care of. I understand how to set up the groups and directory permissions for users based on the group, its the admin level account I need to figure out.
Thanks
It doesn't work that way in Unix. Users with UID 0 (i.e., root) can do "everything". Other users are restricted by file permissions and also by not being able to do certain security and administration tasks. The way to do this is to login as yourself and then "go root" when you need to with 'su'.
Hmm, well, there's one othe way of doing it...
You can install sudo (a free tool) and write a little script that runs with root permissions and gives certain lognames access to a limited set of operations on all files.
You can install sudo (a free tool) and write a little script that runs with root permissions and gives certain lognames access to a limited set of operations on all files.
ASKER
I'd rather avoid any scripts or using su to access root permissions.
What about this scenario:
You have 2 groups: alpha, beta
You have 2 directories with ownership set as:
dir1 = group alpha
dir2 = group beta
Now you have 2 users:
user1 belongs to the alpha (primary) group
user2 belongs to the beta (primary) group and alpha (secondary) group
Shouldn't user2 be able to access dir1 and dir2?
On our system, this does not work. User2 can only access a directory that matches his primary group, not anything in his secondary group. If this is the way its supposed to work, whats the purpose of the seondary group?
Is it possible to get this to work?
What about this scenario:
You have 2 groups: alpha, beta
You have 2 directories with ownership set as:
dir1 = group alpha
dir2 = group beta
Now you have 2 users:
user1 belongs to the alpha (primary) group
user2 belongs to the beta (primary) group and alpha (secondary) group
Shouldn't user2 be able to access dir1 and dir2?
On our system, this does not work. User2 can only access a directory that matches his primary group, not anything in his secondary group. If this is the way its supposed to work, whats the purpose of the seondary group?
Is it possible to get this to work?
Yes, the users should be able to access things from both their primary and secondary groups. Maybe there's some True-64 specific magic here, though. I don't know True-64.
The group functionality should work only if permission is given to "group".
Eg.
-rwxrwx--- for directories
-rw-r----- or
-rw-rw---- for files.
So if the directory "dir1" only has -rwx------ then group beta will not be able to access any file, and so on.
Look at all permissions, and if you can't make it work could you post an example with all the permissions of the upper level directories and of the files involved so we can have another go.
Cheers
FF
Eg.
-rwxrwx--- for directories
-rw-r----- or
-rw-rw---- for files.
So if the directory "dir1" only has -rwx------ then group beta will not be able to access any file, and so on.
Look at all permissions, and if you can't make it work could you post an example with all the permissions of the upper level directories and of the files involved so we can have another go.
Cheers
FF
If you don't like chris_calabrese's script suggestion, I think you stiil endup have to use "su" or "sudo"
No comment has been added lately, so it's time to clean up this Topic Area.
I will leave a recommendation for this question in the Cleanup topic area as follows:
- PAQ & refund points
Please leave any comments here within the next 7 days
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER !
tfewster (I don't work here, I'm just an Expert :-)
I will leave a recommendation for this question in the Cleanup topic area as follows:
- PAQ & refund points
Please leave any comments here within the next 7 days
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER !
tfewster (I don't work here, I'm just an Expert :-)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.