Pardon my ignorance but I can't seem to come up with a solution to this one.
I'd like to create a user that has read access to every user's home catalog located in /home.
Do I need acl's for this or can I achieve it by chmod?
Thanks in advance.
Do all of your users have a single group in common? For example, on some systems the staff group is provided for use as the global group. If you create your users' home directories so they belong to this global group, just setting the read permission on them will allow all members of the group (i.e. everyone) to see other people's files. Note, though, that a user is perfectly at liberty to remove the read permission again, thus breaking this scheme, and on some systems, if staff is not the user's primary group, any files they create under ~ will not belong to staff and thus may not be readable.
If you want more control than this, though, to allow only one user to see all home directories, you will need to use ACLs. Depending on the number of users involved, this may quickly become an administrative nightmare. Our sysadmin team at work don't use ACLs anymore, simply because managing them took up way too much of their time.
EDIT
It occurs to me that, depending on what you want this user to be able to do, you might be able to achieve what you want with shell scripts and carefully crafted sudo rules. No ACLs, no need to worry about permissions and ownership, but if you're not familiar with the format of the sudoers file, you will need to read the man page thoroughly to ensure you don't open your system up to abuse.
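The group-based scheme described in this answer breaks quietly as soon as one user runs chmod on their own home directory, so an administrator relying on it would want a periodic audit. The script below is an added example, not code from any post in this thread; it assumes POSIX sh with a find that supports -mindepth/-maxdepth (GNU and BSD do), and it demonstrates on a constructed temporary tree rather than the real /home.

```shell
#!/bin/sh
# Added example: list home directories that the shared group can no longer
# read, i.e. the failure mode of the "one common group" scheme above.
# Assumption: every directory directly under the audited tree is a home
# directory and is expected to carry at least g+rx (octal 050) and, when a
# group name is supplied, to be owned by that shared group.

# Usage: unreadable_homes DIR [GROUP]
# Prints, one per line and sorted, each immediate subdirectory of DIR that
# lacks group read+search, or (if GROUP is given) is not owned by GROUP.
unreadable_homes() {
    dir=$1
    grp=${2:-}
    if [ -n "$grp" ]; then
        # -perm -050 matches only when BOTH group bits are set, so the
        # negation selects directories missing either one.
        find "$dir" -mindepth 1 -maxdepth 1 -type d \
            \( ! -perm -050 -o ! -group "$grp" \) | sort
    else
        find "$dir" -mindepth 1 -maxdepth 1 -type d ! -perm -050 | sort
    fi
}

# Demonstration on a constructed tree; no real accounts are touched.
demo() {
    tree=$(mktemp -d)
    mkdir "$tree/alice" "$tree/bob" "$tree/carol"
    chmod 750 "$tree/alice"   # group can list and enter: fine
    chmod 700 "$tree/bob"     # user removed group access again: flagged
    chmod 710 "$tree/carol"   # group can enter but not list: flagged too
    unreadable_homes "$tree" "$(id -gn)"
    rm -rf "$tree"
}

demo
```

Run against the real tree as e.g. `unreadable_homes /home staff`; an empty result means every home directory still honours the scheme.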
I was halfway through D_Bye's answer when I realised I could do it another way that doesn't require playing around with mounting and /etc/fstab:
I created an account with its home catalog set to /home and set Pure-FTPd to enclose every user to his home catalog (ChrootEveryone YES).
This means that this account may browse every catalog in /home but doesn't have write rights.
ACL would be problematic, as you'd need to ensure that they're set on every file.
Use bindfs to create a view of /home with different access rights. Make a mount point that is only accessible to the overseer (the user who can read all files in /home):
mkdir -p ~overseer/private/home
chmod 700 ~overseer/private
Create the read-only view as root (so that the bindfs process can read all it needs):
bindfs -M overseer -p 000,ud=rx /home ~overseer/private/home