Message Board -  Archive

Subject: Re: User and Group Administration

Posted on 01-28-2003 01:34 p.m. ET

Original Poster: Mark Krentel

S.B wrote:
> The easiest way to resolve this is to create a new group (groupadd -g #
> <gname>) and place everyone into it as a secondary member (usermod -G
> <grp#>). Then do a chmod -R 760 /home (this will change the group
> permissions on all the userdirs at once).

This is very heavy-handed and I strongly recommend against it. Users
are allowed to set the permissions on files they own, and you can't
just unilaterally whack them like this. That would be a policy
decision (and a bad one), not an administrative solution. [Btw, 760
is the wrong mode (adds owner execute permission to every file) and
the chmod won't really help unless you also chgrp to the new group.]

Unix groups don't really provide a good way to do this. Users can
belong to multiple groups, but every file has only one owner and one
group. Groups are used on a project by project basis for a group of
users to share files. It's just not viable to usurp the group for an
administrative task.

It would help if you told us why the administrator needed read and
write access to everyone's files. That's a somewhat unusual request
and is also a policy decision. Anyway, depending on that purpose,
there's probably a better solution. For example, sudo may be what you
need. Sudo allows a user to run a restricted set of commands as root
without giving them full root access.
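
The two bracketed objections to the quoted `chmod -R 760`, reproduced in a throwaway sandbox. This is an added example, not part of the original post. The `alice` directory and `notes.txt` are constructed stand-ins for a home directory, and the directory-traversal check goes one step beyond what the post states.

```shell
#!/bin/sh
# Added example: runs entirely inside a constructed temp directory, never /home.

# Symbolic mode string of a path, e.g. -rw-r--r-- (any ACL/SELinux suffix dropped).
mode_of() { ls -ldn "$1" | awk '{print substr($1, 1, 10)}'; }

# Numeric group owner of a path.
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# True if the owner execute bit is set.
owner_has_exec() { case $(mode_of "$1") in ???[xs]*) return 0 ;; esac; return 1; }

# True if the group execute (search, for directories) bit is set.
group_has_exec() { case $(mode_of "$1") in ??????[xs]*) return 0 ;; esac; return 1; }

# Build a constructed stand-in for one user's home directory; print its path.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/alice" && printf 'notes\n' > "$sb/alice/notes.txt" || return 1
    chmod 755 "$sb/alice" && chmod 644 "$sb/alice/notes.txt" || return 1
    printf '%s\n' "$sb"
}

# Apply the quoted command to the sandbox and report what actually changed.
demo() {
    sb=$(make_sandbox) || return 1
    d="$sb/alice"; f="$d/notes.txt"
    gid_before=$(gid_of "$f")
    printf 'before: %s  %s  file gid=%s\n' "$(mode_of "$d")" "$(mode_of "$f")" "$gid_before"

    chmod -R 760 "$d"
    printf 'after:  %s  %s  file gid=%s\n' "$(mode_of "$d")" "$(mode_of "$f")" "$(gid_of "$f")"

    # 7 = rwx for the owner, so every plain file becomes executable by its owner.
    owner_has_exec "$f" && echo 'plain file is now owner-executable'
    # 6 = rw- for the group: without x on the directory, group members cannot
    # reach the files inside it even though those files are group-writable.
    group_has_exec "$d" || echo 'group has no search (x) bit on the directory'
    # chmod never changes group ownership, so a newly created group gains nothing.
    [ "$(gid_of "$f")" = "$gid_before" ] && echo 'group owner unchanged without chgrp'
    rm -rf "$sb"
}

demo
```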

