Re: Perl administration for Linux fileserver

From: Brian Hatch (focus-linux@ifokr.org)
Date: 02/06/03

    Date: Thu, 6 Feb 2003 10:15:44 -0800
    From: Brian Hatch <focus-linux@ifokr.org>
    To: Jos Kirps|EducDesign <jos.kirps@educdesign.lu>

    > I would like to set up a Linux based file server accessible for Linux,
    > Windows and Mac clients.

    You failed to say what file sharing protocol. SMB/CIFS ('windows'
    networking) would be fine with samba. Old Mac use netatalk (appletalk)
    but Mac OS X can use samba, appletalk, even NFS.

    > The administration shall be done remotely
    > (web based GUI on a client machine) using Perl scripts. The Perl
    > scripts must be able to:
    >
    > - add and remove directories on the server (that's not the problem)
    > - add and remove users (username & password -> problem)
    > - set access rights for the created directories (-> also a problem)

    All of these are easy enough using sudo to run actions as root.
    We were just talking about this last week or the week before on
    this list, so check the archives.

    > - To add users that shall be able to access the fileserver, do I have to
    > create 'real' unix user accounts, or can I use something like the
    > '.htaccess' users as used by Apache (users in .htaccess files can
    > only access web directories via Apache, they don't have any other
    > rights on the server). I would prefer such a solution to limit what
    > people with a fileserver account can do on the server.

    Depends on your protocol. If you use samba, you could add and
    create accounts by modifying /etc/samba/smbpasswd, which has no
    relation to actual Linux accounts. Appropriate file perms for
    this could allow a non-root user to modify it. Netatalk requires
    actual unix accounts, though you may be able to create a custom
    PAM (pluggable authentication module) to let it work on fake
    passwd and shadow files, rather than using the actual Linux accounts.

    > - How can I tell my Linux box that only certain users shall have
    > access to a certain directory? Can I do this using something
    > similar to '.htaccess' / '.htpasswd' ? Or what services do I have
    > to use?

    Linux file permissions first, of course. However you can use the
    configuration of your software to do lots of fun tricks. For example
    with Samba you could restrict who could access a share, yet have all
    files be written by a single user id so all authorized users
    automatically have identical access to the files. There are lots
    of options, and you'll need to do sufficient research into your
    software of choice to decide what you want to allow. Netatalk
    uses the group= option to restrict a mount point to users in a
    particular Linux group, for example.

    > - Do the scripts need root privileges to do all this, or is this
    > feasible running as Apache CGI script?

    If you need root, then do it via sudo, restricting access to only
    the commands you absolutely need.

    There is no 5 second answer to doing this - you need to read a
    lot of man pages before you can expect to do this securely.

    --
    Brian Hatch                  You can have
       Systems and                cheap, easy,
       Security Engineer          or secure.
    www.buildinglinuxvpns.net     Pick two.
    Every message PGP signed
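The reply's two concrete recommendations, letting a web front end reach root only through sudo restricted to the commands it actually needs, and using Linux group permissions so every authorized user gets identical access to a share, can be shown together in a small root-side helper. The script below is an added example and is not code from the message or from any project mentioned in it. It assumes a hypothetical sudoers entry granting the web server user the right to run this one script, a hypothetical share root `/srv/shares` (overridable through `FSADMIN_ROOT` so it can be exercised in a scratch directory without privileges), GNU `stat`, and the `smbpasswd` `-a`/`-s` flags; every argument is treated as untrusted form input and validated before it touches the filesystem.

```shell
#!/bin/sh
# fsadmin.sh: constructed example of a minimal root-side helper that a web
# front end (Perl CGI or otherwise) calls through sudo. Assumed sudoers entry
# (not from the original message):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/fsadmin.sh
# Everything reaching this script came from an untrusted HTTP form, so each
# argument is validated before any filesystem or account operation.

# Root of the share tree; overridable so the functions can be exercised in a
# scratch directory without root. Default path is an assumption.
FSADMIN_ROOT="${FSADMIN_ROOT:-/srv/shares}"

# Accept only a conservative user/group/directory token: lowercase or '_'
# first, then [a-z0-9_-], 32 characters at most. This rejects '..', '/',
# whitespace and shell metacharacters, so a name can never leave FSADMIN_ROOT
# or be interpreted by a shell further down.
validate_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create a share directory owned by a Linux group. Mode 2770: owner and group
# get full access, everyone else none; the setgid bit makes files created
# inside inherit the group, so all members see identical access to the
# contents (the group-based model the reply describes for Samba and netatalk).
add_share_dir() {
    name="$1"; group="$2"
    validate_name "$name" || { echo "bad directory name" >&2; return 1; }
    validate_name "$group" || { echo "bad group name" >&2; return 1; }
    dir="$FSADMIN_ROOT/$name"
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir"
}

# Remove a share directory. The same validation gate guarantees the path is
# a single component directly under FSADMIN_ROOT.
remove_share_dir() {
    name="$1"
    validate_name "$name" || { echo "bad directory name" >&2; return 1; }
    rm -rf "$FSADMIN_ROOT/$name"
}

# Report the octal mode of a share directory (GNU stat assumed), so the
# permission policy can be checked after creation.
share_mode() {
    stat -c '%a' "$FSADMIN_ROOT/$1"
}

# Add a Samba password entry for a user (the smbpasswd approach from the
# reply; Samba's own configuration decides how this relates to Unix accounts).
# The password is fed on stdin rather than placed on the command line, so it
# does not show up in `ps` or the sudo log. smbpasswd -a adds, -s reads stdin.
add_samba_user() {
    user="$1"
    validate_name "$user" || { echo "bad user name" >&2; return 1; }
    printf '%s\n%s\n' "$2" "$2" | smbpasswd -s -a "$user"
}

# Dispatch only when called with arguments, so the file can also be sourced.
# Only these three verbs are reachable from the web side; anything else the
# front end might need must be added here deliberately, never via a generic
# "run this command as root" path.
if [ "$#" -gt 0 ]; then
    case "$1" in
        add-dir)    add_share_dir "$2" "$3" ;;
        remove-dir) remove_share_dir "$2" ;;
        add-user)   read -r pw; add_samba_user "$2" "$pw" ;;
        *) echo "usage: $0 add-dir NAME GROUP | remove-dir NAME | add-user NAME" >&2; exit 2 ;;
    esac
fi
```

The Perl CGI side then never needs root itself: it runs `sudo /usr/local/sbin/fsadmin.sh add-dir projects staff` and checks the exit status. Because the sudoers entry names one fixed script with no wildcard, and the script accepts only a fixed set of verbs with strictly validated arguments, the damage a compromised web application can do is bounded to creating or removing shares and Samba password entries, not arbitrary commands as root.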