Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: frogged1975 on February 13, 2004, 06:28:10 AM

Title: ibay without admin access rights?
Post by: frogged1975 on February 13, 2004, 06:28:10 AM
I've done a little reading but haven't answered this one yet.
Using 6.3B, I've made a group and an Ibay for certain users to access. I want to make the user 'admin' unable to access this folder (seems redundant I know, but that's what I need here atm). The ibay rights of 'write =group read=group' seem to still allow 'admin' to read the ibay, even though 'admin' is not a member of that group. I have not got a tiered grouping system in place atm, so no prob there. The only odd thing I have is a symlink pointing to the ibay I'm trying to isolate.

Any clues?
Title: ibay without admin access rights?
Post by: grand-pa on February 13, 2004, 04:29:11 PM
First, you should use the final version v6.0 instead of the beta 3. :hammer:

Second, 'admin' is the system administrator account and has all the rights on the entire operating system (like the 'root' account). So, how could it be excluded from reading a part of the filesystem?

The only way to prevent admin from seeing your i-bay is to restrict its rights, but in that case you will be unable to configure your SME anymore! :-P
Title: Re: ibay without admin access rights?
Post by: Michiel on February 15, 2004, 01:42:01 PM
Quote from: "frogged1975"
I want to make the user 'admin' unable to access this folder (seems redundant I know, but that's what I need here atm).


There is a way around it, but make sure you understand what you are doing!

Use lat-groups from the lazy admin tools (http://mirror.contribs.org/smeserver/contribs/mblotwijk/Contribs/lazy-admin-tools/) to create a group without 'admin':
lat-groups -a --no-admin -c "mygroup | Group without admin"

Now you can create an ibay for group "mygroup" that is not accessible by admin.

BUT...
1/ Each time you add a new group to your system using the server-manager, user admin is added again to "mygroup"
2/ Each time you do a system upgrade, user admin is added again to "mygroup"
3/ The --no-admin switch will allow you to create more than 28 groups, something that is not possible on a standard SME box. If you create more than 28 groups and admin gets added again to all these groups (see 1 & 2), the server-manager will no longer be accessible and other annoying things might also happen.

A way around this would be to create a script that is launched at boot time and re-removes user admin from all relevant groups.

As you can see, this is an ugly and potentially dangerous solution. Unless you REALLY need to, don't do as I say :-)

Michiel
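
The boot-time cleanup suggested in the post above could look like the sketch below. It is an added example, not part of the original thread or of lazy-admin-tools. Assumptions: the group name "mygroup" is taken from the post, the "ibay-noadmin" syslog tag and the "run" argument are made up for illustration, and the standard gpasswd and logger commands are available.

```shell
#!/bin/sh
# Added example (not from the thread): re-remove 'admin' from groups that
# must not contain it, and log every change so a re-add is visible.
# Assumed names: PROTECTED_GROUPS contents, the syslog tag, the "run" argument.

GROUP_FILE=${GROUP_FILE:-/etc/group}            # overridable for testing
PROTECTED_GROUPS=${PROTECTED_GROUPS:-mygroup}   # space-separated group names

# Print each protected group whose member list (4th field of the group
# file) contains the exact name 'admin'. Names such as 'sysadmin' or
# 'admin2' do not match, and groups not listed are never reported.
groups_with_admin() {
    awk -F: -v want="$PROTECTED_GROUPS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        ($1 in keep) {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] == "admin") { print $1; break }
        }' "$GROUP_FILE"
}

# Remove admin from every group reported above and record the outcome.
fix_groups() {
    for g in $(groups_with_admin); do
        if gpasswd -d admin "$g" >/dev/null 2>&1; then
            logger -t ibay-noadmin "removed admin from group $g"
        else
            logger -t ibay-noadmin "FAILED to remove admin from group $g"
        fi
    done
}

# Only change the system when explicitly asked to, e.g. from a boot script:
#   /path/to/this-script run
if [ "${1:-}" = "run" ]; then
    fix_groups
fi
```

Since admin is also re-added whenever a group is created through the server-manager (point 1 in the post), a run at boot alone leaves a window in which admin is a member again; the syslog entries show when that happened.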