account permissions.

[Geoff Shang]

On Sat, 21 Apr 2001, Jack wrote:

> i was curious if anyone knows how to apply permissions such as specific
> directory access, access to specific programs or utilities, and time limits
> on specific users or accounts.
> also i was wondering if it was possible to make groups with those
> particular permissions set, so all i need do is asign the user or users to
> that group.

OK the file stuff has been answered already.  A few other notes.

You can limit people's access to programs by exempting some executable
directories from their path variable.  Note that this will not physically
stop them from running anything if they know where it is or if they
manually change their path but it will stop people from being able to run
them easily by default.

I'm not sure about time limits but I know a few people on here know about
such things.

You can hopefully deduce from the prior discussions on file permissions how
you can use groups to control group access to files and devices.  The
groups are stored in /etc/group and the format is:

<groupname>:x:<groupnum>:<member1>[,<member2>,<member3>]

for example:

audio:x:29:geoff,amanda

This definition means that anyone in the audio group can access files or
devices with the permissions specified for the group audio, regardless of
the owner.  For example, my /dev/dsp has rw-rw---- which means that root
can read and write (i.e. listen/record and play), and so can anyone in the
audio group.  If I wanted only root to be able to record but still allow
the audio group to play back audio, I could change the permissions to
rw-r-----

Note that your system probably has many groups defined by default, with
file permissions set sensibly for these groups.  Thus, it's a good idea to
examine /etc/group, see what groups are already there, find out what files
are accessable by which groups, then add users to groups as appropriate.

Geoff.