
Re: Perl administration for Linux fileserver

From: Brian Hatch <focus-linux(at)ifokr.org>
Date: Thu Feb 06 2003 - 13:15:44 EST

> I would like to set up a Linux based file server accessible for Linux,

You failed to say what file sharing protocol. SMB/CIFS ('windows' networking) would be fine with samba. Old Macs use netatalk (appletalk) but Mac OS X can use samba, appletalk, even NFS.

> The administration shall be done remotely
> (web based GUI on a client machine) using Perl scripts. The Perl
> scripts must be able to:
>
> - add and remove directories on the server (that's not the problem)
> - add and remove users (username & password -> problem)
> - set access rights for the created directories (-> also a problem)

All of these are easy enough using sudo to run actions as root. We were just talking about this last week or the week before on this list, so check the archives.

> - To add users that shall be able to access the fileserver, do I have to

Depends on your protocol. If you use samba, you could add and create accounts by modifying /etc/samba/smbpasswd, which has no relation to actual Linux accounts. Appropriate file perms for this could allow a non-root user to modify it. Netatalk requires actual unix accounts, though you may be able to create a custom PAM (pluggable authentication module) to let it work on fake passwd and shadow files, rather than using the actual Linux accounts.


> - How can I tell my Linux box that only certain users shall have

Linux file permissions first, of course. However you can use the configuration of your software to do lots of fun tricks. For example with Samba you could restrict who could access a share, yet have all files be written by a single user id so all authorized users automatically have identical access to the files. There are lots of options, and you'll need to do sufficient research into your software of choice to decide what you want to allow. Netatalk uses the group= option to restrict a mount point to users in a particular Linux group, for example.

> - Do the scripts need root privileges to do all this, or is this

If you need root, then do it via sudo, restricting access to only the commands you absolutely need.

There is no 5 second answer to doing this - you need to read a lot of man pages before you can expect to do this securely.

--
Brian Hatch                  You can have
   Systems and                cheap, easy,
   Security Engineer          or secure.
www.buildinglinuxvpns.net     Pick two.

Every message PGP signed

Received on Fri Feb 7 15:54:55 2003
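
The sudo advice in the message above, as an added example that is not part of the original post: a root-side Perl helper that the web GUI's unprivileged scripts would call through sudo, so that sudo grants exactly one command and that command accepts only two fixed operations. The account name www-data, the helper path /usr/local/sbin/fs-admin and the smbpasswd install path are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: root-side helper run through sudo by the web GUI's scripts.
# Assumed sudoers entry (edit with visudo); the account "www-data" and the
# path /usr/local/sbin/fs-admin are hypothetical:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/fs-admin
# Called as: sudo -n /usr/local/sbin/fs-admin adduser|deluser NAME
# For adduser the new password arrives on stdin (twice), never in argv.
use strict;
use warnings;

# Taint mode: set a fixed PATH and scrub risky variables before exec.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SMBPASSWD = '/usr/bin/smbpasswd';   # assumed install path

# Only these operations exist; each maps to a fixed argument list.
my %ops = (
    adduser => [ '-s', '-a' ],   # -s: password from stdin, -a: add user
    deluser => [ '-x' ],         # -x: delete user from smbpasswd
);

sub validate_user {
    my ($name) = @_;
    # Allow-list match; capturing into $1 also untaints the value.
    return $1 if defined $name && $name =~ /\A([a-z][a-z0-9_-]{0,31})\z/;
    return;
}

sub main {
    my ($op, $raw) = @_;
    die "usage: $0 adduser|deluser NAME\n"
        unless @_ == 2 && exists $ops{$op};
    my $user = validate_user($raw) or die "invalid user name\n";
    die "refusing to modify root\n" if $user eq 'root';

    # List form of exec: no shell runs, so metacharacters are inert.
    exec { $SMBPASSWD } $SMBPASSWD, @{ $ops{$op} }, $user
        or die "exec $SMBPASSWD failed: $!\n";
}

main(@ARGV);
```

The helper must be owned by root and not writable by the web server account, otherwise the sudoers entry amounts to full root access.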

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:19 EDT

