Re: Perl administration for Linux fileserver

From: Brian Hatch (focus-linux@ifokr.org)
Date: 02/06/03

    Date: Thu, 6 Feb 2003 10:15:44 -0800
    From: Brian Hatch <focus-linux@ifokr.org>
    To: Jos Kirps|EducDesign <jos.kirps@educdesign.lu>
    
    
    

    > I would like to set up a Linux based file server accessible for Linux,
    > Windows and Mac clients.

    You failed to say what file sharing protocol. SMB/CIFS ('windows'
    networking) would be fine with samba. Old Macs use netatalk (appletalk)
    but Mac OS X can use samba, appletalk, even NFS.

    > The administration shall be done remotely
    > (web based GUI on a client machine) using Perl scripts. The Perl
    > scripts must be able to:
    >
    > - add and remove directories on the server (that's not the problem)
    > - add and remove users (username & password -> problem)
    > - set access rights for the created directories (-> also a problem)

    All of these are easy enough using sudo to run actions as root.
    We were just talking about this last week or the week before on
    this list, so check the archives.

    > - To add users that shall be able to access the fileserver, do I have to
    > create 'real' unix user accounts, or can I use something like the
    > '.htaccess' users as used by Apache (users in .htaccess files can
    > only access web directories via Apache, they don't have any other
    > rights on the server). I would prefer such a solution to limit what
    > people with a fileserver account can do on the server.

    Depends on your protocol. If you use samba, you could add and
    create accounts by modifying /etc/samba/smbpasswd, which has no
    relation to actual Linux accounts. Appropriate file perms for
    this could allow a non-root user to modify it. Netatalk requires
    actual unix accounts, though you may be able to create a custom
    PAM (pluggable authentication module) to let it work on fake
    passwd and shadow files, rather than using the actual Linux accounts.

    > - How can I tell my Linux box that only certain users shall have
    > access to a certain directory? Can I do this using something
    > similar to '.htaccess' / '.htpasswd' ? Or what services do I have
    > to use?

    Linux file permissions first, of course. However you can use the
    configuration of your software to do lots of fun tricks. For example
    with Samba you could restrict who could access a share, yet have all
    files be written by a single user id so all authorized users
    automatically have identical access to the files. There are lots
    of options, and you'll need to do sufficient research into your
    software of choice to decide what you want to allow. Netatalk
    uses the group= option to restrict a mount point to users in a
    particular Linux group, for example.

    > - Do the scripts need root privileges to do all this, or is this
    > feasible running as Apache CGI script?

    If you need root, then do it via sudo, restricting access to only
    the commands you absolutely need.

    There is no 5 second answer to doing this - you need to read a
    lot of man pages before you can expect to do this securely.

    --
    Brian Hatch                  You can have
       Systems and                cheap, easy,
       Security Engineer          or secure.
    www.buildinglinuxvpns.net     Pick two.
    Every message PGP signed
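As an added example, not part of Brian's reply or the original thread: the "sudo, restricted to only the commands you absolutely need" pattern is easiest to enforce when sudo grants the web server user a single wrapper script rather than smbpasswd itself, and the wrapper validates the username before passing it on. The sudoers entry, the www-data account and the path /usr/local/sbin/share-user are hypothetical; the smbpasswd(8) flags -a (add), -s (read passwords from stdin) and -x (delete) are real Samba options.

```sh
#!/bin/sh
# Added example (not from the original thread): a wrapper that a Perl CGI
# would call through sudo, so sudo exposes exactly two operations instead
# of a root shell or smbpasswd with arbitrary arguments.
#
# Hypothetical sudoers entry (visudo):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/share-user add *, \
#                                 /usr/local/sbin/share-user del *
#
# Usage:  share-user add <username>   (new password, twice, on stdin)
#         share-user del <username>

LC_ALL=C; export LC_ALL   # make the a-z ranges below locale-independent

# Accept only conservative usernames: must start with a lowercase letter,
# may contain lowercase letters, digits, '.', '_' and '-', max 32 chars.
# A leading '-' is rejected so a name can never be parsed as an option.
# Returns 0 when the name is acceptable, 1 otherwise.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9._-]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create a Samba-only account in smbpasswd; no Linux account is created.
add_user() {
    valid_username "$1" || { echo "invalid username" >&2; return 2; }
    smbpasswd -a -s "$1"
}

# Remove the Samba account.
del_user() {
    valid_username "$1" || { echo "invalid username" >&2; return 2; }
    smbpasswd -x "$1"
}

main() {
    case "$1" in
        add) add_user "$2" ;;
        del) del_user "$2" ;;
        *) echo "usage: $0 add|del <username>" >&2; return 64 ;;
    esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The Perl CGI then runs `sudo /usr/local/sbin/share-user add $name` with the two password lines on the child's stdin and never needs root itself; the sudoers line is what keeps a bug in the CGI from becoming root access to anything else.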
    
    



