sunhelp at sunhelp.org
Tue Jan 30 20:14:58 CST 2001
On Tue, Jan 30, 2001 at 08:21:05PM -0500, Alan Rubin wrote:
> I have a group of users with user A being the supervisor. I need to
> create user accounts on a server, but A needs to have access to all of his
> subordinates files, while allowing each user to otherwise be private.
> What is a good scheme to accomplish this? User A can not be root. I'm
> sure this is fairly simple, but I haven't worked out my plan yet and was
> just hoping to hear a few suggestions.
Put the supervisor in some group (e.g., pinheads), chgrp
all of the users' home directories to that group, and set the
mode of the directories to 2750. This is necessarily an imperfect
solution: while it does allow the supervisor to access all of
those home directories (and all of the subdirectories therein),
a saavy user can remove the sgid bit from their home directory,
which means the new files and subdirectories won't be 'owned'
by group pinheads.
Of course, you can always craft a solution with sudo as well.
More information about the SunHELP