I have an openSUSE 10.3 box. To my web directory, where I hold all web pages, I log in only with root. By default I can change anything on my box with root. Now I need to give temporary access rights to one user on my openSUSE 10.3 box.
Users are allowed to modify their directories/folders under /HOME/USER, but now I want to give that USER permission to access and modify SRV/WWW/HTDOCS/folder.
Since I have more folders in HTDOCS, I only want to give that user access to one folder in HTDOCS: the one that I’ll create for him. I don’t want him to download or change anything else on my box, such as postfix, mysql, etc.
Create a new group, add needed users to that group. Change ownership on the folder that you wish to give the user access to that group and give them suitable permissions.
What could go wrong there if I log in to my box with ROOT?
Usually I use root login for WEBMIN, WinSCP, Putty.
I see no difference if I move around WEBMIN with root or ANY-USER login who’s got the same permissions as root?
Or, am I missing something?
OK. Let’s say, is it possible to make a folder permissions for a user in YAST?
The ‘root’ account isn’t necessarily evil, it’s just necessarily
powerful as it is THE superuser. As such if you login with it you can
do anything and, because of how *nix OS’s are designed (properly), this is
not usually necessary. For example for web administration (manipulating
html, php, etc.) ‘root’ should NEVER be used because there’s no way you
need it. For manipulating services like Apache on the service level
‘root’ may be required but should only be used for making the changes
that require root’s power.
Logging in directly as ‘root’ is typically a no-no because you can’t
tell who did it. Who SSH’d in as ‘root’? If you disable root logins a
user on the system must login using their own credentials first so there
is an audit trail of who actually performed the login. For somebody
trying to steal passwords by watching admins typing them this means they
must now steal two passwords (regular user and root) to get privileged
power.
The difference between using ‘webmin’ as root or somebody else depends
on how webmin is implemented. If it actually uses the credentials of the
user logged in then using ‘root’ means you have no protections
implemented by the filesystem against accidents (mis-clicks, typos,
etc.). If webmin uses some set of credentials regardless of who logs in
and then limits the user from there the same applies but then on an
application (instead of filesystem) level. It all goes back to the
concept of “least privilege”. Don’t use more than you need for a
specific task and, when needed, require a way to track the login back to
a real person (doubtful you have an employee whose name is ‘root’ so
that doesn’t fit the bill).
Good luck.
erik100 wrote:
| Still confused!
|
| What could go wrong there if I log in to my box with ROOT?
| Usually I use root login for WEBMIN, WinSCP, Putty.
| I see no difference if I move around WEBMIN with root or ANY-USER login
| who’s got the same permissions as root?
|
| Or, am I missing something?
|
| OK. Let’s say, is it possible to make a folder permissions for a user
| in YAST?
|
| If yes, how?
|
| Sorry for my ignorance :o
|
| PS. I welcome all PM support suggestions.
|
| Erik
|
|
Here’s how to make a directory called “dirname” at location /pathto/dirname and then change the ownership to billybob and then change the permissions to limit access. billybob is a normal Suse user.
As root user open a console and create the directory
mkdir /pathto/dirname
Make owner to be billybob:
chown billybob:users /pathto/dirname
Change the permissions:
The directory was created as drwxr-xr-x; i.e. u(user)=rwx, g(group)=rx, o(others)=rx
Example 1: suppose you want to change it to drwx------ do this:
chmod u=rwx,g=,o= /pathto/dirname
Example 2: suppose you want to change it to dr--r--r-- do this:
chmod u=r,g=r,o=r /pathto/dirname
Example 3: suppose you want to change it to drwx--x--x do this:
chmod u=rwx,g=x,o=x /pathto/dirname
Or whatever you want, just alter this bit to match the mask: “u=?,g=?,o=?”
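
Added example (not part of any post in this thread): the group approach suggested earlier, combined with the symbolic chmod masks shown above, plus a check that "others" are shut out of the shared folder. The function names and scratch paths are hypothetical, and the script assumes the group already exists with the user as a member; the demo uses the caller's own primary group so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: GROUP already exists and
# the web user is a member of it (done beforehand as root).

# mode_of PATH: print the 10-character mode string, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# share_dir DIR GROUP: create DIR, hand it to GROUP, shut everyone else out.
share_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    # u=rwx,g=rwx  owner and group members may list, enter and modify
    # o=           all other accounts get no access at all
    # g+s          files created inside inherit the directory's group
    chmod u=rwx,g=rwx,o=,g+s "$dir" || return 1
    mode_of "$dir"
}

# others_locked_out DIR: succeed only if "others" have no permission bits.
others_locked_out() {
    [ "$(mode_of "$1" | cut -c8-10)" = "---" ]
}

# Demo in a scratch directory (constructed paths), using the caller's own
# primary group so it runs without root.
demo() {
    scratch=$(mktemp -d) || return 1
    echo "shared folder: $(share_dir "$scratch/htdocs/userfolder" "$(id -g)")"
    mkdir "$scratch/htdocs/other"
    chmod u=rwx,g=rx,o=rx "$scratch/htdocs/other"   # the default drwxr-xr-x
    for d in "$scratch"/htdocs/*; do
        if others_locked_out "$d"; then
            echo "ok:   $(mode_of "$d") ${d##*/}"
        else
            echo "open: $(mode_of "$d") ${d##*/}"
        fi
    done
    rm -rf "$scratch"
}
demo
```

Only the one folder passed to share_dir changes; every other folder under htdocs keeps its existing owner and mode, so the user's group membership grants nothing beyond that folder.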