Sub-root administrative users?

Status
Not open for further replies.

linuxpyro

Technical User
Feb 11, 2003
38
US
I am setting up a server running Gentoo for Web, Mail, SMTP, IMAP, MySQL, and possibly DNS hosting. I will be hosting my own site, as well as a few domains for some friends. My plan is to give each Website a unique group, so that the site can have multiple members with permission to change it. What I would like to do, however, is create a sort of sub-root admin, someone with permission similar to that of the root user. In other words, the account would not have permission to run, say, init scripts, yet would be able to read/write/execute all the files/directories each group would set up.

I've thought about creating an account and putting it as a member of each new group, but then a member of that group could still adjust the chmod permissions to block the administrative user out.

Any suggestions? I've used Linux for a while, but have never had to deal with a situation quite like this. I just want to have admin access to the various sites, yet without being able to accidentally delete something important, as with root. Thanks for any info.
 
Your approach sounds like a matter of policy rather than of technology. Anyone who blocks the sub-admin from their work should have their account disabled and changes made to restore sub-admin service.

D.E.R. Management - IT Project Management Consulting
 
I see what you're saying, and I would set up a terms of service agreement and probably put something like that in there. However, I would rather not get things to the point at which I am telling people exactly what they can chmod their files to. Also, I would rather it not be possible too.
 
Well, the Linux/Unix administrative hierarchy is really a two-tier model - the haves and the have-nots.

Root has a group that you could add more users into, but that solves nothing here and isn't very good practice anyways.

You COULD add users into every group that runs the services you talked about. Normally email, web, database, etc all require groups to be added to deal with services/daemons having access to their folders/files under the group priv.

I'm really struggling with how to do this well...

Have you checked into how Plesk and other "oversight" solutions do their perms? My guess is that they set the groups/perms and if the user messes with them then the services break down.

I mean really, your only alternative for a sub-admin to fix something a user has tried to obfuscate would be to go 'root' and deal with it...

Doubt I've helped....

D.E.R. Management - IT Project Management Consulting
 
I think I might just go the route of adding a user to each group, even though it doesn't seem to be the best solution. I'll post if I find anything better, thanks for your responses.
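The lockout raised in this thread, where a site member uses chmod to strip group access from an admin who is only a member of the site's group, can be detected with a periodic check. The following is an added example, not code from any poster; the function name `audit_site` and its two arguments (site directory and site group) are hypothetical.

```shell
#!/bin/sh
# Added example: report paths under a site directory that an admin who is
# only a member of the site's group could no longer manage.
# audit_site and its arguments are hypothetical names for illustration.

# audit_site SITE_DIR SITE_GROUP
# Prints one "REASON<TAB>PATH" line per finding.
# Returns 0 when the tree is clean, 1 when anything was reported.
audit_site() {
    site_dir=$1
    site_group=$2
    findings=$(
        # Wrong group: the admin's group membership no longer applies.
        find "$site_dir" ! -group "$site_group" \
            -exec printf 'wrong-group\t%s\n' {} \;
        # Directories need g+rwx to list, enter and change entries.
        find "$site_dir" -type d ! -perm -g=rwx \
            -exec printf 'dir-not-g+rwx\t%s\n' {} \;
        # Regular files need g+rw to be read and edited.
        find "$site_dir" -type f ! -perm -g=rw \
            -exec printf 'file-not-g+rw\t%s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run as root (for example from cron) so that directories with the group bits removed can still be traversed; the group-member admin account itself cannot look inside a directory it has been locked out of.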
 