Koozali.org: home of the SME Server

Admin to view homes of other users?

Offline cr0n0s

  • 7
  • +0/-0
Admin to view homes of other users?
« on: May 24, 2008, 11:10:33 AM »
Hi all,
I am running SME Server in a school environment and I find it very useful. I only have one problem with it.
The teacher needs to have control of the users' "home" directory from his account (in Windows).
I have tried the tutorial in this topic http://forums.contribs.org/index.php?topic=36895.0 but I couldn't get it to work. If someone can explain a little bit better, I would be grateful.

I also tried to create a shortcut of the "home/e-smith/files/users" in the "home/e-smith/files/users/admin/home/". I can see the accounts but I cannot open any files. How can I change the file permissions?

Please note that I am a novice in linux and it would be best for me to have a detailed explanation, if possible.
Thank you in advance.
~cr0n0s

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
Re: Admin to view homes of other users?
« Reply #1 on: May 24, 2008, 01:59:52 PM »
SME does not support that, but you can change it manually as on any linux system.

In short:
* create a group 'teachers' and assign all teachers to it
* In the home dirs of the students:
   change (recursively) the group to 'teachers'
   set (recursively) group write permission
   set (recursively) the s bit to all directories

The following is the code I have used for that purpose (use it with care)
Code:
chgrp teachers /home/e-smith/files/users/$USER
chmod g+r-w /home/e-smith/files/users/$USER
chgrp teachers -R /home/e-smith/files/users/$USER/home
chmod g+rw -R /home/e-smith/files/users/$USER/home
chmod g+x /home/e-smith/files/users/$USER
find /home/e-smith/files/users/$USER/home -type d -exec chmod g+s {} \;
Where $USER is to be set to the student account name.


Offline bloodshoteye

  • ****
  • 232
  • +0/-0
  • Grateful thanks to SME devs
Re: Admin to view homes of other users?
« Reply #2 on: May 25, 2008, 10:27:08 AM »
mweinber

I'm newish to Linux as well. I have exactly the same requirement as cr0n0s. Your solution could be automated, no?
But how, is my question - how can I provide your code with a file of $USER's one per line so that I can automate this for 600 plus users at our school?

Thanks,
SME Server is a fantastic product - thank you!

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: Admin to view homes of other users?
« Reply #3 on: May 25, 2008, 12:22:43 PM »
Quote
I'm newish to Linux as well. I have exactly the same requirement as cr0n0s. Your solution could be automated, no?
But how, is my question - how can I provide your code with a file of $USER's one per line so that I can automate this for 600 plus users at our school?

I wonder if it needs to be done like this, and cannot be done using the server-manager user/group panels, but the automated version (including all configured users) of the code above should be something like this. However, I did not test any of this; I just coded the loop around it:
Code:
# Loop over every account directory under the users tree
for USER in `ls /home/e-smith/files/users/`
do
  # Account directory: teachers may list and enter it, but not write to it
  chgrp teachers /home/e-smith/files/users/$USER
  chmod g+r-w /home/e-smith/files/users/$USER
  # Home directory tree: group teachers gets read/write
  chgrp teachers -R /home/e-smith/files/users/$USER/home
  chmod g+rw -R /home/e-smith/files/users/$USER/home
  chmod g+x /home/e-smith/files/users/$USER
  # setgid on directories so that new files inherit the group
  find /home/e-smith/files/users/$USER/home -type d -exec chmod g+s {} \;
done
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
Re: Admin to view homes of other users?
« Reply #4 on: May 25, 2008, 01:58:53 PM »
Can be automated. You must put the commands in an action script and link that to the user-create and user-modify events. Furthermore you need a method to distinguish between student and normal user accounts as the commands should only be applied to the students accounts. You can either maintain a student list or give the student accounts specific names. I did the latter and gave students accounts the prefix 'a1'. Hence my action script looks like this:

Code:
#!/bin/bash
USER=$2
echo $USER | grep -qs "^a1"
if [ $? -eq "0" -a -d /home/e-smith/files/users/$USER ] ; then
 # code from my first post here
fi


To initially fix all existing students accounts I used a script like the following:
Code:
#!/bin/sh
AZUBIS=`/usr/bin/find /home/e-smith/files/users -maxdepth 1 -type d -exec basename {} \;  | /bin/grep ^a1`
for USER in $AZUBIS ; do
 echo $USER
 # code from my first post here
done


Offline steever

  • *
  • 185
  • +0/-0
    • Open-Sesame
Re: Admin to view homes of other users?
« Reply #5 on: May 26, 2008, 02:12:35 AM »
This is an important feature for all schools running SME.  On a vanilla linux system, you could place the students' home folders in a different location to the teachers, eg. /home/e-smith/files/students/ as opposed to /home/e-smith/files/users and give the teachers group read-only access to the students folder.   That would require a major rewrite of SME, however.

The script above would be useful if you could use groups like students and teachers instead of the prefix.  Maybe this can be automated?

Another useful feature would be the ability to start usernames with digits.  It's nice to be able to name your student accounts starting with the year of expected graduation, eg, Bill Smith from the Class of 2011 could be 11smithb - this would enable a nice sorted view of usernames and also great for schools with kids who have the same names.

I'll put this in a NFR  :-P
Saving the world ... one server at a time.

Offline stephen noble

  • *
  • 607
  • +1/-0
    • Dungog
Re: Admin to view homes of other users?
« Reply #6 on: May 26, 2008, 05:20:27 AM »
>I'll put this in a NFR

there is a bug open asking for admins to be able to view users homes

but not for usernames starting with digits
« Last Edit: May 26, 2008, 05:51:12 AM by snoble »

Offline bloodshoteye

  • ****
  • 232
  • +0/-0
  • Grateful thanks to SME devs
Re: Admin to view homes of other users?
« Reply #7 on: May 26, 2008, 08:43:06 AM »
Thanks for sharing your code snippets, mweinber and cactus.

Seeing we have a production server with more than 650 user accounts, staff and pupils, all in /home/e-smith/files/users/ I was rather hoping to pass a file to a script. The file will contain pupil user names, one per line. I will have to manually produce the list by removing staff from a complete user list.

I'm not very good at this, but if I were to modify your code, mweinber, to the following:
Quote
for USER in `path_to_pupil_user_list_file`;\
do \
chgrp teachers /home/e-smith/files/users/$USER \
chmod g+r-w /home/e-smith/files/users/$USER \
chgrp teachers -R /home/e-smith/files/users/$USER/home \
chmod g+rw -R /home/e-smith/files/users/$USER/home \
chmod g+x /home/e-smith/files/users/$USER \
find /home/e-smith/files/users/$USER/home -type d -exec chmod g+s {};\
done
would it work? If so, then in the future just run the script against a mini user-list every time I add new users.

mweinber,
If I were setting up for the first time, then your suggestion to prefix user accounts is a really good idea.

steever,
your idea of groups like students and teachers is too generic. I need to go as far as g10it3 for the 3rd class of grade 10 IT pupils and g12cat1 for the 1st class of grade 12 cat pupils, etc. All grades have more than one group. These are then given access to certain ibays only.

Until you admin a school, it is very difficult to appreciate the granularity required in manipulating, on an ongoing basis, pupil user accounts in a large establishment.
« Last Edit: May 26, 2008, 08:45:53 AM by ardugh »
SME Server is a fantastic product - thank you!

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
Re: Admin to view homes of other users?
« Reply #8 on: May 26, 2008, 09:07:58 AM »
ardugh, this script should work
Code:
#!/bin/bash
for USER in `cat path_to_pupil_user_list_file` ; do
 test ! -d /home/e-smith/files/users/$USER && continue
 chgrp teachers /home/e-smith/files/users/$USER
 chmod g+r-w /home/e-smith/files/users/$USER
 chgrp teachers -R /home/e-smith/files/users/$USER/home
 chmod g+rw -R /home/e-smith/files/users/$USER/home
 chmod g+x /home/e-smith/files/users/$USER
 find /home/e-smith/files/users/$USER/home -type d -exec chmod g+s {} \;
done
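
A more defensive take on the list-driven approach in the post above, as an added example that is not part of any post in this thread. It validates each name, skips symlinked account directories, tolerates a list saved on Windows, and can grant read-only access; the function names and the BASE, GROUP and ACCESS variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. BASE and GROUP default to the values
# used in the thread; the overrides and ACCESS=ro are assumptions of this example.
BASE="${BASE:-/home/e-smith/files/users}"
GROUP="${GROUP:-teachers}"
ACCESS="${ACCESS:-rw}"        # rw = as posted in the thread, ro = read-only

# grant_one NAME: apply the permission scheme to one account; non-zero if skipped.
grant_one() {
    user=$1
    # Accept plain account names only: no "/", no leading ".", no whitespace.
    case "$user" in
        ''|.*|*[!A-Za-z0-9._-]*) echo "skip invalid name: $user" >&2; return 1 ;;
    esac
    dir="$BASE/$user"
    # Skip unknown accounts, and symlinks that could lead outside BASE.
    if [ -L "$dir" ] || [ -L "$dir/home" ] || [ ! -d "$dir/home" ]; then
        echo "skip, no home directory: $user" >&2; return 1
    fi
    # Capital X: search permission on directories, x only on files that already have it.
    if [ "$ACCESS" = ro ]; then mode='g+rX,g-w'; else mode='g+rwX'; fi
    chgrp "$GROUP" "$dir" && chmod g+rx,g-w "$dir" || return 1
    # -h changes a symlink itself, never the file it points to.
    chgrp -hR "$GROUP" "$dir/home" && chmod -R "$mode" "$dir/home" || return 1
    # setgid on directories so that new files inherit the group.
    find "$dir/home" -type d -exec chmod g+s {} +
}

# grant_from_list FILE: one account name per line; prints how many were changed.
grant_from_list() {
    count=0; cr=$(printf '\r')
    while IFS= read -r name || [ -n "$name" ]; do
        name=${name%"$cr"}                     # strip CR from a Windows-made list
        case "$name" in ''|'#'*) continue ;; esac
        if grant_one "$name"; then count=$((count + 1)); fi
    done < "$1"
    echo "$count"
}

# When called with a list file as argument, process it.
if [ $# -gt 0 ]; then grant_from_list "$1"; fi
```

Skipped names are reported on stderr, so the printed count can be compared against the number of lines in the list.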

Offline bloodshoteye

  • ****
  • 232
  • +0/-0
  • Grateful thanks to SME devs
Re: Admin to view homes of other users?
« Reply #9 on: May 26, 2008, 09:43:02 AM »
mweinber, thanks for your prompt reply and being willing to share.

I'll give this a run against a test user, so my initial file will only have one user name.
Of course, I'll make sure our Affa server ran last night's back-up first, not that I don't trust the script, but better to be cautious than jobless, I always say!
SME Server is a fantastic product - thank you!

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: Admin to view homes of other users?
« Reply #10 on: May 26, 2008, 10:14:45 AM »
cr0n0s & ardugh

Does this do what you want ?
http://wiki.contribs.org/User_homes_admin_access
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline bloodshoteye

  • ****
  • 232
  • +0/-0
  • Grateful thanks to SME devs
Re: Admin to view homes of other users?
« Reply #11 on: May 26, 2008, 12:55:14 PM »
mary

No, because it gives the "admin" full rights to all of /home/e-smith/files/users
Under the present sme base config that means *all* users, including staff (in a school context)
SME Server is a fantastic product - thank you!

Offline steever

  • *
  • 185
  • +0/-0
    • Open-Sesame
Re: Admin to view homes of other users?
« Reply #12 on: May 26, 2008, 02:53:44 PM »
Quote
steever,
your idea of groups like students and teachers is too generic. I need to go as far as g10it3 for the 3rd class of grade 10 IT pupils and g12cat1 for the 1st class of grade 12 cat pupils, etc. All grades have more than one group. These are then given access to certain ibays only.

Until you admin a school, it is very difficult to appreciate the granularity required in manipulating, on an ongoing basis, pupil user accounts in a large establishment.

Actually I am netadmin for a school with over 850 kids, running SME since the days when there was a hard limit on the number of user groups (32).  We use moodle instead of setting up scores of different groups and ibays, one for each possible class.  Moodle provides us with the ability to offer resources to different classes and a secure way to communicate with different classes.  It's a great and secure way to collect assignments too.  It simplifies the groups of SME as well, so you only need executives, teachers, students, and any other special groups you require.  If you are setting up groups and ibays for each class as a way of communication (through group email) and as a method of distributing or  :shock: collecting  :shock: files from your kids, you're working way too hard!

What we're talking about on this thread is trying to find an easy or automated way for one group teachers to have read only access to the home folders of another group students so that, for example, any teacher can check any student's folder if required, something that's easy on Windows and other Linux distros. 

Sure, you can give a group of power users the ability to access all home folders, but this isn't really secure.  In a school you don't want teachers having access to all homes, just student homes.  Hence the thread.

Steve
Saving the world ... one server at a time.

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
Re: Admin to view homes of other users?
« Reply #13 on: May 26, 2008, 06:51:51 PM »
Quote
No, because it gives the "admin" full rights to all of /home/e-smith/files/users
Under the present sme base config that means *all* users, including staff (in a school context)

Using the samba method is entirely possible, but then you should configure a disk share for each student.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: Admin to view homes of other users?
« Reply #14 on: May 26, 2008, 07:38:33 PM »
ardugh

Quote
Using the samba method is entirely possible, but then you should configure a disk share for each student.

As outlined in this thread, although potentially unwieldy for a lot of students
http://forums.contribs.org/index.php?topic=39006.0

If you are serious about this requirement, the Moodle contrib approach seems a far better solution, rather than doing a lot of hacking to your sme server, with future possible unknown consequences (when upgrading or installing contribs or unexpected consequences of future changes to base code).
http://wiki.contribs.org/Moodle
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.