On Fri, Mar 30, 2012 at 13:09, Dr Beco <r...@beco.cc> wrote:
> Hi there wlan and Keith,
>
> I'm not so sure it's that simple, but I would be glad if it is.
>
> When I say "browse", I mean through ftp or through commands in a login
> session with bash, like 'cd' or a simple 'ls /etc'.
>
> (I thought the "subject" would make it clear, ssh and ftp, but
> actually it is bash and ftp)
>
> Also, if a student is simply a 777 permission, they all can spy on
> each other's files, by issuing things like
> $ cp /home/sam/samfile.txt /home/simon/
>
> If all this can be done using only group permissions, I would need
> help to learn more about how to set it up, because I don't know how
> it's done.
>
> Thanks,
> Beco

Off the cuff: all student dirs have a group owner of "professors" with rwx perm, and students are not in that group. Professors are in group "professors" and the group owner of their dirs is "professors" but the perms for group are blank (or make the group owner "admins" or something). Make use of sgid and umask so everything stays proper.

Not sure about chrooting. Is that really needed?

I think that should work if you just want to stop casual interference/reading. If you want to presume that students and/or professors may mount sophisticated, persistent attacks, you need to set up much more serious security, probably including ACLs, Capabilities, SELinux, restricted shells, etc. I am not a security expert at all, salt to taste.

Cheers,
Kelly Clowers
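
The directory layout suggested in the reply above, as an added shell example that is not part of the original thread: one function applies it to a student directory and one audits a directory against it. The group name `professors` comes from the post; the function names, mode 2770, the umask value and GNU `stat` (as on Debian) are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils stat.
# Typical use as root, once per student home (paths are placeholders):
#   setup_student_dir /home/sam professors
#   audit_student_dir /home/sam professors
# An assumed "umask 007" in the students' login profile keeps new files
# closed to others as well.

# setup_student_dir DIR GROUP
# Owner and GROUP get rwx, everyone else gets nothing; setgid makes files
# created inside inherit GROUP instead of the creator's primary group.
setup_student_dir() {
    sd_dir=$1; sd_group=$2
    mkdir -p "$sd_dir" || return 1
    chgrp "$sd_group" "$sd_dir" || return 1
    chmod 2770 "$sd_dir"
}

# audit_student_dir DIR GROUP
# Prints one finding per line and returns 1 if DIR deviates from the scheme.
audit_student_dir() {
    au_dir=$1; au_group=$2; au_rc=0
    au_mode=$(stat -c '%a' "$au_dir") || return 2
    # Accept GROUP given either as a name or as a numeric gid.
    if [ "$(stat -c '%G' "$au_dir")" != "$au_group" ] &&
       [ "$(stat -c '%g' "$au_dir")" != "$au_group" ]; then
        echo "$au_dir: group owner is not $au_group"; au_rc=1
    fi
    # The leading 0 makes the shell read the mode as octal.
    if [ $(( 0$au_mode & 07 )) -ne 0 ]; then
        echo "$au_dir: others have access (mode $au_mode)"; au_rc=1
    fi
    if [ $(( 0$au_mode & 070 )) -ne $(( 070 )) ]; then
        echo "$au_dir: group lacks rwx (mode $au_mode)"; au_rc=1
    fi
    if [ $(( 0$au_mode & 02000 )) -eq 0 ]; then
        echo "$au_dir: setgid bit missing (mode $au_mode)"; au_rc=1
    fi
    return "$au_rc"
}
```

The audit covers directory ownership and mode only; whether a student has ended up in the supervising group is a separate check, for example with `id -Gn` on the account.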