Subject: Re: Setting user permissions for lab courses
To: Roby Sadeli <netcitizen01@yahoo.com>
From: Bruce Anderson <brucea@spacestar.net>
List: netbsd-help
Date: 08/18/2001 07:15:31
I should add that there is another side effect to using chflags(1)
on a user's home directory:
Files and directories directly below are append only and cannot
be deleted or renamed.
To avoid a buildup of unwanted files and folders you may need to:
a) Include a README file explaining the behavior.
b) Set $HOME to a directory below username as default.
ex. .profile HOME=/home/brucea/comc1867
HOME=/home/brucea/brucea
Better ideas, anyone? Time for a chroot jail?
BA-
On Tue, Aug 14, 2001 5:36 AM, Bruce Anderson <mailto:brucea@spacestar.net>
wrote:
On Sun, Aug 12, 2001 8:10 AM, Roby Sadeli <mailto:netcitizen01@yahoo.com>
wrote:
>G'day folks,
>
>i'd like to ask for suggestions for my problem here :
>i have a netbsd 1.5 which is used for lab courses.
>there are several lab courses, for example:
>1. algorithms
>2. database_programming
>
>and i've got students in my server as follows :
>username group courses taken
>rot student algorithms
>dummy student database_programming
>brainy student algorithms, database_programming
>guru teacher
>
>i want all students *not to share* their works with one
>another and make
>sure the teachers
>can access the students' work in their home directory.
>
>i come up with a solution like this :
>* change students' directory permission to 750
YES.
>* change owner of students' directories to teacher
>(freebsd keeps telling me that the owner of the
>directory doesn't belong to the owner)
This should be:
Student is OWNER of home DIR.
Student must not be a member of GROUP teacher.
Place all students in GROUP users only.
Add all instructors to GROUP teacher.
>* blocking chmod (but sometimes the students use this)
>
>i'm sure better solutions exist.
>
>thanks in advance,
>roby
>
You can stop chmod(1) by using chflags(1) to lock the
student's home DIR.
Use the "sappnd" (system append-only flag (super-user only)).
Note that after using chflags(1), changing|removing|moving
a student's DIR will require kern.securelevel < 1 in order
for chflags(1) to unset the system flag.
You need to build your kernel with:
options INSECURE
See init(8) for why.
PS.
Don't forget to write this up in a man page as part of your
local useradd(8) modifications.
Read chflags(1) init(8) options(4) ls(1)
CHFLAGS(1)
Flags are a comma separated list of keywords. The following
keywords are currently defined:
      arch    set the archived flag (super-user only)
      opaque  set the opaque flag (owner or super-user only)
      nodump  set the nodump flag (owner or super-user only)
--->> sappnd  set the system append-only flag (super-user only)
      schg    set the system immutable flag (super-user only)
      uappnd  set the user append-only flag (owner or super-user only)
      uchg    set the user immutable flag (owner or super-user only)
Putting the letters ``no'' before an option causes the flag to be
turned off.
INIT(8)
0 Insecure mode - immutable and append-only flags may be changed.
All devices may be read or written subject to their permissions.
1 Secure mode - system immutable and system append-only flags may
not be turned off; disks for mounted filesystems, /dev/mem, and
/dev/kmem are read-only.
OPTIONS(4)
options INSECURE
Hardwires the kernel security level at -1. This means that the system
always runs in secure level 0 mode, even when running multiuser. See the
manual page for init(8) for details on the implications of this. The
kernel secure level may [be] manipulated by the superuser by altering the
kern.securelevel sysctl(3) variable (the secure level may only be lowered
by a call from process ID 1, i.e. init(8)). See also sysctl(8) and
sysctl(3).
LS(1)
-o Include the file flags in a long (-l) output. If no file flags
are set, ``-'' is displayed. (See chflags(1) for a list of
possible flags and their meanings.)
---
The Long Format
If the -l option is given, the following information is displayed
for each file:
file mode
number of links
owner name
group name
file flags (if -o given)
number of bytes in the file
abbreviated month file was last modified
day-of-month file was last modified
hour and minute file was last modified
pathname
LS(1)
Ex.
root@cougar# mkdir -m 750 bruce
root@cougar# chown bruce:users2 bruce
root@cougar# chflags sappnd bruce
root@cougar# ls -lo
total 1
drwxr-x--- 2 bruce users2 sappnd 512 Aug 14 03:39 bruce
root@cougar# grep bruce /etc/group
wheel:*:0:root,bruce
users2:*:1001:brucea
root@cougar# su bruce
bruce@cougar$ pwd
/tmp
bruce@cougar$ mkdir bruce/home_work
bruce@cougar$ touch bruce/home_work/assn_1.c
bruce@cougar$ cat /var/log/messages >bruce/home_work/assn_1.c
bruce@cougar$ chmod 777 bruce
chmod: bruce: Operation not permitted
OK.
brucea@cougar$ cd /tmp
brucea@cougar$ ls -loRF bruce
total 1
drwxr-xr-x 2 bruce users2 - 512 Aug 14 03:50 home_work/
bruce/home_work:
total 3
-rw-r--r-- 1 bruce users2 - 2504 Aug 14 03:51 assn_1.c
brucea@cougar$ tail -n 1 bruce/home_work/assn_1.c
Aug 14 03:49:13 cougar named[105]: XSTATS
OK.
Change /etc/group
root@cougar# grep bruce /etc/group
wheel:*:0:root,bruce
brucea logs out and back in.
brucea@cougar$ cd /tmp
brucea@cougar$ ls -R bruce
ls: bruce: Permission denied
brucea@cougar$ tail -n 1 bruce/home_work/assn_1.c
tail: bruce/home_work/assn_1.c: Permission denied
" Stamp out root logins . . . . su " --Bruce Anderson
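
An added example, not part of the original message: a small audit of `ls -lo` output against the layout described in this thread (mode 750, student owns the directory, student not in the teacher group, sappnd set). It assumes each home directory is named after its owner and that the directory's group is the teacher group; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `ls -lo` output for student
# home directories against the layout described in this thread.

# audit_homes GROUP_FILE LS_FILE TEACHER_GROUP
# Prints one "dir: problem" line per finding. Assumes each home directory is
# named after its owner and that only supplementary membership in GROUP_FILE
# matters (a primary gid set in /etc/passwd is not checked here).
audit_homes() {
    awk -v tg="$3" '
    FNR == NR {                          # first file: /etc/group format
        split($0, f, ":")
        if (f[1] == tg) { n = split(f[4], m, ","); for (i = 1; i <= n; i++) teacher[m[i]] = 1 }
        next
    }
    $1 !~ /^d/ { next }                  # skip "total" line and non-directories
    {
        mode = $1; owner = $3; group = $4; flags = $5; name = $NF
        if (mode != "drwxr-x---") print name ": mode is " mode ", want drwxr-x---"
        if (owner != name)        print name ": owned by " owner ", want " name
        if (group != tg)          print name ": group is " group ", want " tg
        if (owner in teacher)     print name ": owner is a member of " tg
        if (("," flags ",") !~ /,sappnd,/) print name ": sappnd flag not set"
    }' "$1" "$2"
}

# Constructed sample data: group names follow the thread, "sly" is made up.
run_sample() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
teacher:*:1002:guru,sly
users:*:100:rot,dummy,brainy,sly
EOF
    cat > "$tmp/ls" <<'EOF'
total 4
drwxr-x---  2 rot     teacher  sappnd  512 Aug 14 03:39 rot
drwxr-xr-x  2 dummy   teacher  sappnd  512 Aug 14 03:39 dummy
drwxr-x---  2 brainy  teacher  -       512 Aug 14 03:39 brainy
drwxr-x---  2 sly     teacher  sappnd  512 Aug 14 03:39 sly
EOF
    audit_homes "$tmp/group" "$tmp/ls" teacher
    rm -rf "$tmp"
}

run_sample
```

On a live system the second argument would be a file holding the output of `ls -lo` run in the directory that contains the student homes.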