[K12OSN] Permissions for students and teachers

Les Mikesell les at futuresource.com
Tue Apr 8 23:20:25 UTC 2008 

Chuck Kollars wrote:
>> Any suggestions how to set up permissions for 
>> students and teachers? ...
> 
> Here's my experience when I set up a network file
> storage server for a whole school using Samba a couple
> years ago:

Samba is a special case if all access goes through it.

> Regular *nix permissions are kinda limiting. The only
> reasonable way to use "other" is if something should
> be world-readable, which isn't usually the case so
> mostly those permissions are irrelevant.

Don't forget that every path element has its own set of permissions. 
You can put files with 'other' permissions under directories permitting 
only certain groups, or 2 levels of directories that permit different 
groups so only the overlapping members get through.


> "user"
> obviously has to be the owner/creator of the file.
> That just leaves "group", and there can only be one of
> them.

But every user gets his own group by default in the RedHat scheme, and 
files permit group access.  So add whoever should have access to each 
user's files to his group and you are done.

 > A reasonable group is something like 'all
> adults'. Thus with ownership and permissions 
>  joestudent facultyandstaff -rwxrwx--- 
> you get a file that can be accessed both by the
> student and by all adults. 
> 
> But the limitation of just one owner and one group is
> hard to extend much further.

But given that an arbitrary set of people can be in each user's group, 
why do you need to extend it?


> [You might want to have
> several groups ('faculty that teach 2009', 'class of
> 2010' etc.). You might even want these groups to
> overlap somewhat (ex: Mr. Teacher belongs to both the
> 'faculty that teach 2009' and 'faculty that teach
> 2010' groups).] For most things finer than 'one
> student' and 'all faculty' you'll need Posix ACLs.
> They extend *nix file permissions to allow more than
> one "owner" and more than one "group". 

Or make appropriate groups.  If all teachers can access all students' 
files, that's pretty straightforward.  If only a student's own teachers 
should access his files you have a little more work.  You don't have a 
problem unless you want a student to be able to subdivide his files, 
giving only the relevant teacher access to each file.

> I found traditional *nix permissions too limiting even
> for a fairly simple student file storage system, in my
> case because I wanted to subdivide the teachers into
> several possibly overlapping groups (a desire for
> 'class' directories would also seem to be impossible
> with just traditional *nix permissions). 

What limit did you find for the number of possible groups? The usual 
problem on the unix side is that new files are created in the user's 
primary group and may not be accessible by the intended other group 
unless someone pays attention and either changes to the group or changes 
the group ownership of the file.

> I found Samba wouldn't interfere with this approach 
> ...but it wouldn't help a whole lot either.

With samba you have the option to limit access to members of a group and 
to force creation of new files with a certain user and/or group 
ownership so users don't have to pay attention.

> With Posix ACLs, I also set up "drop boxes" for
> submitting homework (can put files in, but can't read
> other files or delete any files),

Can't you get that with a group or other writable directory, with sticky 
bit set, owned by the teacher who is also a group member of the students 
  who will submit?

> "public squares" for
> several students to collaborate,

Group (perhaps a unique group) or other writable, sticky bit set like 
/tmp if you want to restrict deletions to owners.

> "materials" areas
> (writable only by the teacher, readable by everybody),

Obvious.

> and "help me" areas (writable by the student and the
> teacher, but nobody else).

All student home directories should be this way if the teachers are in 
the student's group.

> In summary, it seems to me your options are:
> 1) KIVSS (Keep It VERY Simple Stupid)
> 2) Posix ACLs  - always keeping in mind that you may
> have to be clever and/or override the default action
> of the system to get what you want
> 3) Windows ACLs (no experience here)

   4) make a lot of groups with exactly the members you want so you 
don't need acls for exceptions.

-- 
   Les Mikesell
    lesmikesell at gmail.com

More information about the K12OSN mailing list