Carlos E. R. wrote:
On Monday, 2016-04-11 at 08:06 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Say, a backup admin. In Linux it has to be root.
It's not that you can't do it on Linux, it's simply that no one has put any (or enough) effort into developing a framework for managing and delegating permissions and such. You can actually do quite a lot with sudo, but yes, it's cumbersome.
Well, the way I think about it, we would need privileged UIDs.
Think of a backup admin: he needs execute permissions on all directories, and read access on all files, and those permissions must be assigned by default to all new files and directories. In effect, he needs read access to all files owned by UID 0.
If somebody needed a backup admin, you're right. What I think somebody might need is a "storage admin" who will for instance manage when, what and how backups are made, but it would not mean he/she would have access to any of those backups.

For _running_ the backups, some areas might still require root, but far from all. The backup process for a mysql database would require the user for that instance. The backup process for an apache vhost would require the user for that vhost. etc etc.

There is software for that sort of thing out there, just not open source (as far as I have seen). Try googling e.g. "unix admin separation privileges". It's been practised at the enterprise level for decades; AIX, HP-UX and Solaris have probably all had this functionality for quite some time.

--
Per Jessen, Zürich (13.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
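The sudo-based delegation discussed in this thread, sketched as a sudoers fragment. This is an added example and not part of the original messages; the group `storageadm`, the service accounts `mysql` and `vhost1`, and the script paths are hypothetical names chosen for illustration.

```sudoers
# /etc/sudoers.d/storage-admin   (hypothetical file name)
# Check syntax before installing:  visudo -cf /etc/sudoers.d/storage-admin
#
# Assumptions (not from the thread):
#   - group "storageadm" holds the people who schedule and trigger backups
#   - "mysql" and "vhost1" are the accounts that own the data being backed up
#   - the backup scripts are owned by root, mode 0755, and write their output
#     to a directory that members of storageadm cannot read

# Exact commands only. The trailing "" means "no arguments allowed", so the
# caller cannot pass an alternative config file or output path.
Cmnd_Alias BACKUP_DB    = /usr/local/sbin/backup-mysql ""
Cmnd_Alias BACKUP_VHOST = /usr/local/sbin/backup-vhost1 ""

# Start each run from a clean environment and refuse caller-supplied
# variables, so PATH or LD_* tricks cannot change what the script executes.
Defaults:%storageadm env_reset, !setenv

# Each job runs as the account that owns the data, never as root.
# There is deliberately no "(ALL)" or "(root)" run-as entry here.
%storageadm ALL = (mysql)  BACKUP_DB
%storageadm ALL = (vhost1) BACKUP_VHOST

# A member of storageadm then triggers a run with:
#   sudo -u mysql  /usr/local/sbin/backup-mysql
#   sudo -u vhost1 /usr/local/sbin/backup-vhost1
# and can list what they have been granted with:
#   sudo -l
```

The separation only holds if the scripts themselves, and every directory above them, are writable by root alone; a script the delegated group can edit is equivalent to a shell as the target account.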