On Monday 13 March 2006 9:26 am, Drew Burchett wrote:
> OK. I understand what you're saying here, but I'm from a Windows environment and not really used to Linux permissions. Basically, I have three users who are administrators on this server (all my servers actually). The whole purpose of authentication against the Active Directory is so that I can provide single sign-on capability to these users and just give root a complex password that I don't have to give out to everyone. If they have to su to do anything on the box, then there's really no point in using AD authentication. Is this the case, or is there some way I can assign certain permissions to these users?

The way Unix and Linux systems are set up and have been set up is that regular users are authenticated either locally or remotely (by NIS or AD). However, the root privilege is assigned on a per-system basis.
The su(1) command allows a user who knows the root password to become the
super user (e.g. root).
The sudo(1) command uses a protected file, /etc/sudoers, that extends
privileges to users. You can give them all the privileges, and require a
password (their user password, not root's). You can also set up sudoers to
not require a password for specific users, and you can restrict a user to a
limited number of tasks.
----
Unix/Linux permission scheme:
Every file (and directory) has a set of permissions for the owner, the
group, and everyone else. These are read, write, and execute. These work
reasonably well.
-rwxr-xr-x 1 root root 490716 2005-09-09 12:12 /bin/bash
Note that /usr/bin/bash is read, write, execute for the owner (root), and
read-execute for the group and everyone else.
drwxr-xr-x 2 root root 65192 2006-03-13 07:42 bin
In this case, bin is a directory (/usr/bin in this case)
The execute bit on a directory means that you allow someone to cd into the
directory. The read bit means that you allow someone to look into the
directory, such as with ls.
drwxr-x--- 2 root root 65192 2006-03-13 07:42 foo
In the above case only root and those in root's group can enter or see the
directory, but only root can make changes in the directory.
In addition, you can install ACLs, but you must actually set them up.
--
Jerry Feldman
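The three sudoers policies Jerry describes (full privileges with the user's own password, full privileges with no password, and a restricted command list), written out as an added example that is not part of the original mail. The user names alice/bob/carol, the group name admins and the command paths are constructed placeholders; the script writes the fragment to a scratch file so the syntax can be checked with visudo before anything is placed under /etc/sudoers.d:

```shell
#!/bin/sh
# Added example (not from the original mail): write a sudoers drop-in that
# shows the policies described in the reply, then validate it with visudo.

# write_sudoers_example [FILE]: write the fragment to FILE (default: a
# temporary file) and print the path.
write_sudoers_example() {
    out=${1:-$(mktemp)} || return 1
    cat > "$out" <<'EOF'
# Full root privileges; sudo asks for alice's own password, not root's
alice   ALL=(ALL) ALL

# Same privileges, but never prompts for a password
bob     ALL=(ALL) NOPASSWD: ALL

# carol may only run the listed commands, and only as root
# (constructed paths; use the real locations on the target host)
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl
carol   ALL=(root) SERVICES

# Every member of the admins group (local or supplied by the directory
# service through NSS) gets full privileges with their own password
%admins ALL=(ALL) ALL
EOF
    chmod 0440 "$out"        # sudoers files must not be world-readable
    printf '%s\n' "$out"
}

# check_sudoers FILE: syntax-check with visudo when it is installed;
# otherwise fall back to a sanity check that the fragment was written.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    else
        grep -q '^Cmnd_Alias SERVICES' "$1"
    fi
}

if [ "${0##*/}" != "sh" ]; then
    f=$(write_sudoers_example) && check_sudoers "$f" && echo "ok: $f"
fi
```

The commands in a Cmnd_Alias are matched by full path, so a restricted entry is only as tight as the commands it names; anything that can spawn a shell or edit arbitrary files is effectively unrestricted root.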
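The permission strings in the reply (-rwxr-xr-x, drwxr-xr-x, drwxr-x---) decoded by a small parser, as an added example that is not from the original mail. It turns a symbolic mode into its octal form, reports what each class of user may do with a directory in the terms used above (execute = enter, read = list, write = modify), and round-trips a scratch directory through chmod and ls -ld to confirm the mapping against a real filesystem. It also goes slightly beyond the text by decoding the setuid, setgid and sticky characters (s/S, t/T):

```shell
#!/bin/sh
# Added example (not from the original mail): decode ls -l mode strings.

# perm_to_octal MODE: 'drwxr-x---' -> 750, '-rwsr-xr-x' -> 4755
perm_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi     # drop the file-type character
    if [ ${#s} -ne 9 ]; then echo "bad mode string: $1" >&2; return 1; fi
    special=0 oct=""
    case $s in ??[sS]??????) special=$((special + 4)) ;; esac   # setuid
    case $s in ?????[sS]???) special=$((special + 2)) ;; esac   # setgid
    case $s in ????????[tT]) special=$((special + 1)) ;; esac   # sticky
    for triad in "$(printf %s "$s" | cut -c1-3)" \
                 "$(printf %s "$s" | cut -c4-6)" \
                 "$(printf %s "$s" | cut -c7-9)"; do
        v=0
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in ??[xst]) v=$((v + 1)) ;; esac   # lower case: execute bit set
        oct="$oct$v"
    done
    if [ "$special" -eq 0 ]; then echo "$oct"; else echo "$special$oct"; fi
}

# dir_access MODE CLASS: what owner|group|other may do with a directory
# of mode MODE: enter (x), list (r), modify (w); 'none' if nothing.
dir_access() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi
    case $2 in
        owner) triad=$(printf %s "$s" | cut -c1-3) ;;
        group) triad=$(printf %s "$s" | cut -c4-6) ;;
        other) triad=$(printf %s "$s" | cut -c7-9) ;;
        *) echo "class must be owner, group or other" >&2; return 1 ;;
    esac
    out=""
    case $triad in ??[xst]) out="enter" ;; esac
    case $triad in r??) out="${out:+$out }list" ;; esac
    case $triad in ?w?) out="${out:+$out }modify" ;; esac
    echo "${out:-none}"
}

# roundtrip_demo: chmod a scratch directory to 750, read the mode back
# through ls -ld and decode it; prints 750 if parser and kernel agree.
roundtrip_demo() {
    d=$(mktemp -d) || return 1
    chmod 750 "$d"
    mode=$(ls -ld "$d" | cut -c1-10)   # first 10 chars; ignores a trailing '+' or '.'
    rmdir "$d"
    perm_to_octal "$mode"
}

for m in -rwxr-xr-x drwxr-xr-x drwxr-x--- -rwsr-xr-x; do
    printf '%-11s %4s  group may: %s\n' \
        "$m" "$(perm_to_octal "$m")" "$(dir_access "$m" group)"
done
roundtrip_demo
```

For drwxr-x--- the parser reports 750, owner "enter list modify", group "enter list" and other "none", which is exactly the situation described for the foo directory above: root's group can cd into it and ls it, but only root can create or remove entries.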