
Each pupil belongs to one or more groups, e.g. yr-2015, yr-2016 (year of entry into college), sub-prog, sub-math, sub-logic (subjects).

It is also possible for a teacher to belong to these groups.

Is it possible to have a group leader: such that the teacher is the group leader, specifically:

  • How can a pupil set a file to be readable by self and sub-math-teacher?
  • How can it be configured so that a sub-prog-teacher can add users to her group?
  • How can a group leader create another group leader? (e.g. head-teacher, can add new teachers)

I will not be giving root permission to pupils or teachers. I am using Debian GNU/Linux, but would be most interested in more general solutions (for all GNUs and the other Unixes), even solutions for other systems that are not available on GNU, so long as they use the underlying mechanisms that are available on GNU/Linux.

  • On Linux, setfacl(1) might give you more than enough rope, possibly combined with scripts or something to implement the hierarchy of rights and to avoid giving users too big of a footgun. – thrig Jun 28 '16 at 13:44
  • Nice comment thrig, I wasn't aware of that, either. ...was about to say even on OSX you have at the Unix level just the standard super user, but in the GUI more advanced ACL. setfacl sounds interesting – olaf atchmi Jun 28 '16 at 13:48
  • What is the OS? Are there server-client front end GUIs as well? – olaf atchmi Jun 28 '16 at 13:51
  • @olafatchmi, have a look at this question http://unix.stackexchange.com/questions/101263/what-are-the-different-ways-to-set-file-permissions-etc-on-gnu-linux for more on setfacl, and other permission stuff. – ctrl-alt-delor Jun 28 '16 at 17:07

2 Answers


If I get your question right you want to establish some kind of sub-administrator. Actually you're asking for different roles with different privileges. At Unix/Linux system level there is only the all-powerful superuser and ordinary users, nothing in between. Maybe some sudo-magic might do the trick. However, if you just want to share documents, then you're much better off with document management systems (or one of the more sophisticated wikis) which often allow for roles of the kind you asked for.

countermode
  • -1 for being so down on things (you are not quite right about nothing in between, there are capabilities for example). +1 for providing an alternative solution. Still I would like to see if there is a solution, including a software tool that uses some of these capabilities to synthesise what I want. It seems that quite regularly I want to give read permission to someone. – ctrl-alt-delor Jun 28 '16 at 12:51
  • Officially I don't mean to be "so down on things" but: Capabilities aren't even remotely useful for your purpose. To begin with, only the superuser can grant or revoke them. Moreover, they are not in between, for they can be only given all or nothing - there is no such thing as, say, CAP_DAC_OVERRIDE for a selection of files. – countermode Jun 28 '16 at 13:55

I realised the answer to use-case one this morning (as I woke up).

How can a pupil set a file to be readable by self and sub-math-teacher?

To do this the pupil can use file access control lists:

setfacl -m g:subMathTeacher:r file-to-share-with-teacher

The pupil does not need to belong to the group to do this. There are problems with _ or - in group names (setfacl interprets them).
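After running that command it is worth reading the ACL back, because a named-group entry is capped by the ACL mask entry, and a later chmod on the file rewrites that mask. The following is an added example, not part of the answer: it parses constructed getfacl-style output (file name, owner and the later chmod 600 are assumptions for illustration; subMathTeacher is the group from the answer) and computes what the group effectively gets in each case:

```shell
#!/bin/sh
# Added example, not part of the original answer: read an ACL back the way
# getfacl prints it and compute what a named group effectively gets. File,
# owner and the later chmod are constructed; "subMathTeacher" is the group
# from the answer.

# Constructed getfacl output for a pupil's file right after
#   setfacl -m g:subMathTeacher:r homework.txt
# setfacl recomputes the mask entry when it modifies an ACL, so the mask
# here already covers the new entry.
ACL_SHARED='# file: homework.txt
# owner: pupil1
# group: yr-2016
user::rw-
group::r--
group:subMathTeacher:r--
mask::r--
other::---'

# The same file after a later "chmod 600 homework.txt". On a file with an
# extended ACL the group bits of the mode are the mask, so chmod clears it
# and every named entry is capped to nothing (getfacl marks it #effective:---).
ACL_AFTER_CHMOD='# file: homework.txt
# owner: pupil1
# group: yr-2016
user::rw-
group::r--
group:subMathTeacher:r--
mask::---
other::---'

# Mask entry of an ACL text ("r--", "---", ...).
acl_mask() {
    printf '%s\n' "$1" | awk -F: '$1 == "mask" { print $3; exit }'
}

# Permissions recorded for named group $2, or "" when there is no entry.
acl_group_entry() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == "group" && $2 == g { print $3; exit }'
}

# Bitwise AND of two rwx strings, position by position: rw- & r-x -> r--.
perm_and() {
    a=$1; b=$2; out=""; i=1
    while [ $i -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -c$i)
        cb=$(printf '%s' "$b" | cut -c$i)
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# What named group $2 can actually do with the file: its entry AND the mask.
effective_group_perm() {
    entry=$(acl_group_entry "$1" "$2")
    if [ -z "$entry" ]; then printf '%s' "---"; return 0; fi
    perm_and "$entry" "$(acl_mask "$1")"
}

# The repair for the chmod case is the answer's own command again (or
# "setfacl -m m::r FILE"), since setfacl recalculates the mask.
echo "after setfacl:   subMathTeacher gets $(effective_group_perm "$ACL_SHARED" subMathTeacher)"
echo "after chmod 600: subMathTeacher gets $(effective_group_perm "$ACL_AFTER_CHMOD" subMathTeacher)"
```

On a live system the same functions can be fed the output of getfacl FILE; the thing to look for is a named entry whose effective permission is narrower than the entry itself, which is exactly what getfacl's #effective annotation flags.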