Per Jessen wrote on 11-04-16 08:06:
Carlos E. R. wrote:
No, you can't. You can use tricks, but there is only one root, and he can not delegate that easily - except with sudo and groups. And acls.
You can not define a root.for.mail admin that can do anything on all the mail directories and programs. Instead, you have to modify the permissions for groups on those directories, specify sudo commands for anything he might need, and provision for files that on creation/modification on those directories have appropriate permissions so that he has full control of them.
A Windows server admin has a more complex and fine-grained set of permissions, including creating partial administrators. Hey, I'm a Linux guy, but the truth is the truth... Not that it is simple in Windows, either. Far from it.
Say, a backup admin. In Linux it has to be root.
It's not that you can't do it on Linux, it's simply that no one has put any (or enough) effort into developing a framework for managing and delegating permissions and such. You can actually do quite a lot with sudo, but yes, it's cumbersome.
Thank you for thinking on this. Personally I think you can get very far with what Carlos here describes, but it is also the only way.

"Instead, you have to modify the permissions for groups on those directories, specify sudo commands for anything he might need, and provision for files that on creation/modification on those directories have appropriate permissions so that he has full control of them."

Indeed, this is what the group feature provides. I don't really have a need for anything else at this point. It is just annoying to know how any specific application must be told to give g+w permissions to everything. And to discover if that will introduce any risks.

I don't think there is yet a filesystem provision that you can say: this directory tree? Everything g+w, no matter what anyone says.

In effect if you were in the position to code it, the most effective thing would be a daemon that just monitors a tree you have told it to monitor, and just fix any permissions as required. I wouldn't mind making something like that. (But I have no skill in C and system development yet).

These 3 things:

- group-based permissions for a certain tree
- automatic "group" ownership for all included files (g+s) and automatic group permissions for all included files (g+w)
- a daemon that monitors permissions and corrects them if wrong

Is really something I would like to achieve.
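The three items listed at the end of the message above (group ownership of a tree, setgid directories with g+w on everything, and a corrector for drift), written as a single repair pass in Python. This is an added example, not code from the thread; the function name, the command-line form, and the choice to leave symlinks and special files untouched are assumptions of the example.

```python
import grp
import os
import stat
import sys


def enforce_group_tree(root, gid):
    """One pass over `root`: set group `gid` and g+rw on every regular file,
    g+rwx plus setgid on every directory. Returns the paths it changed."""
    changed = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                kind = os.lstat(path).st_mode
                if not (stat.S_ISDIR(kind) or stat.S_ISREG(kind)):
                    continue  # symlinks, FIFOs, devices: never touched
                # O_NOFOLLOW: if the path was swapped for a symlink after the
                # lstat, open fails instead of reaching a file outside the tree.
                fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
            except OSError:
                continue  # vanished, unreadable or raced: leave it alone
            try:
                st = os.fstat(fd)
                if stat.S_ISDIR(st.st_mode):
                    want = 0o2070  # setgid + g+rwx
                elif stat.S_ISREG(st.st_mode):
                    want = 0o0060  # g+rw
                else:
                    continue
                touched = False
                if st.st_gid != gid:
                    os.fchown(fd, -1, gid)
                    st = os.fstat(fd)  # chown may clear setuid/setgid bits
                    touched = True
                mode = stat.S_IMODE(st.st_mode)
                if mode | want != mode:
                    os.fchmod(fd, mode | want)
                    touched = True
                if touched:
                    changed.append(path)
            finally:
                os.close(fd)
    return changed


if __name__ == "__main__":
    # Usage (assumed CLI for this example): script.py TREE GROUPNAME
    for p in enforce_group_tree(sys.argv[1], grp.getgrnam(sys.argv[2]).gr_gid):
        print("fixed", p)
```

A monitoring daemon would call this function on a timer or in response to file-change notifications; the returned list is worth logging, since every entry is a file some application created with narrower permissions than the tree requires.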