This document is the organizational background for implementing a standardized scheme for users, directory-structure and access-rights.
The introduced scheme should fulfill the needs of a small company: the user-names are not personalized but reflect the function of a single user.
If you are not interested in the organizational background you can skip directly to the documents with the instructions to implement the structure on a Linux-server ('Linux-server - file-structure and users') or on a Linux-workstation ('Linux-workstation - file-structure and users').
File-structure
Create a new user (when file-structure already exists).
To keep the maintenance of access-rights to files simple, access-rights are not attached directly to individual users but to user-groups instead.
Users are then attached to one or more group(s), and a user 'inherits' the most powerful access-rights of all groups she/he is attached to.
Group-name | Group-number | Aim of the group
office | 311 | Common office work
finance | 312 | Access to financial data (accounting, telebanking)
admin | 310 | Administration of the whole system, create and delete directories and files on the server.
backup | 313 | Authorization to read all backed-up data.
Create a user-group
Prerequisites:
None.
Command:
Each group within the Linux operating-system is created with the following command:
groupadd -g 310 admin
where the group-number (310) and the group-name (admin) have to be adapted accordingly.
Additional hints:
This command can only be performed as 'root'.
If the group-numbers are already assigned, free ones must be chosen.
An overview of the assigned group-numbers is kept in the file /etc/group and can be displayed with an editor or with the program linuxconf.
Users in the system will not be created with the name of the real user - but with a symbolic name which reflects the function of the user within the company.
user-name | group-membership | Considered tasks
md1 | office (311), finance (312), backup (313) | Managing director with the access-rights to execute all applications except system-functions.
md2 | office (311), finance (312), backup (313) | Managing director with the access-rights to execute all applications except system-functions.
md3 | office (311), finance (312), backup (313) | Managing director with the access-rights to execute all applications except system-functions.
md4 | office (311), finance (312), backup (313) | Managing director with the access-rights to execute all applications except system-functions.
md5 | office (311), finance (312), backup (313) | Managing director with the access-rights to execute all applications except system-functions.
accounting01 | office (311), finance (312) | Employee of the accounting-group with the access-rights to execute office-functions and additional accounting-functions (accounting, telebanking).
accounting02 | office (311), finance (312) | Employee of the accounting-group with the access-rights to execute office-functions and additional accounting-functions (accounting, telebanking).
office01 | office (311) | Employee of sales-support or internal administration with the access-rights to execute common office-functions.
office02 | office (311) | Employee of sales-support or internal administration with the access-rights to execute common office-functions.
office03 | office (311) | Employee of sales-support or internal administration with the access-rights to execute common office-functions.
warehouse01 | office (311) | Employee of the warehouse with the access-rights to execute common office-functions.
warehouse02 | office (311) | Employee of the warehouse with the access-rights to execute common office-functions.
warehouse03 | office (311) | Employee of the warehouse with the access-rights to execute common office-functions.
sales01 | office (311) | Employee of the sales-force with the access-rights to execute common office-functions.
sales02 | office (311) | Employee of the sales-force with the access-rights to execute common office-functions.
sales03 | office (311) | Employee of the sales-force with the access-rights to execute common office-functions.
sales04 | office (311) | Employee of the sales-force with the access-rights to execute common office-functions.
sales05 | office (311) | Employee of the sales-force with the access-rights to execute common office-functions.
(not published administrator-name) | admin (310), office (311), finance (312), backup (313) | Access-rights for read/write/delete to all data.
Create a user
Prerequisites:
User-groups were created.
Command:
A user within the Linux operating-system is created with the following command:
useradd -m -g 311 -G 312 -p "password" md1
The parameters have the following meaning; the values have to be adapted to another configuration if necessary.
-m: A home-directory with standard values (in this case /home/md1) and standard access-rights is created if it does not already exist.
-g 311: The primary group; from this group the created user inherits the access-rights.
-G 312: Further group(s) from which the created user inherits access-rights. If the user should be attached to more than one additional group, the syntax is: -G 312,310
-p password: Password of the created user; 'password' has to be replaced by the chosen password.
md1: Name of the created user.
Additional hints:
This command can only be performed as 'root'.
Whether the user was created correctly can be checked by logging out ('exit') as root and logging in with the just created user-name.
If the password was not accepted with the above command, it must be defined either via linuxconf - Users account - Normal - User accounts, then selecting the user and defining the password with the button Passwd, or via the command
passwd user
entered on the command-line, where user has to be replaced by the user-name for which the password should be changed.
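The group and user creation above, as an added dry-run script (not part of the original document): it checks whether the planned group-numbers 310-313 are still free in the group database (/etc/group on Linux), derives -g and -G from the user table, and prints the commands instead of running them. The group database in the script is a constructed sample; useradd -p expects an already encrypted password, which is why the script sets the password with passwd afterwards rather than with -p.

```shell
#!/bin/sh
# Added example: dry run for the user/group scheme of this document.
# Nothing is executed; review the printed commands, then run them as root.
# The group database below is a constructed sample (/etc/group format).
SAMPLE_GROUP_DB='root:x:0:
users:x:100:
ldap:x:312:'

# gid_in_use GID DB_CONTENT: exit 0 if the GID is already taken
gid_in_use() { printf '%s\n' "$2" | cut -d: -f3 | grep -qx "$1"; }

# plan_groups DB_CONTENT: one groupadd per group, or a warning for a taken GID
plan_groups() {
  for pair in admin:310 office:311 finance:312 backup:313; do
    name=${pair%%:*}; gid=${pair##*:}
    if gid_in_use "$gid" "$1"; then
      echo "# WARNING: GID $gid is already in use, choose a free one for $name"
    else
      echo "groupadd -g $gid $name"
    fi
  done
}

# extra_groups USER: supplementary groups (-G) from the user table;
# office (311) is the primary group (-g) of every user in that table
extra_groups() {
  case $1 in
    md[1-5]) echo "312,313" ;;
    accounting0[1-9]) echo "312" ;;
    office0[1-9]|warehouse0[1-9]|sales0[1-9]) echo "" ;;
    *) return 1 ;;
  esac
}

# plan_user USER: useradd without -p, followed by passwd. useradd -p expects
# an already encrypted password, so a plain-text -p is "not accepted";
# passwd prompts for the password and encrypts it itself.
plan_user() {
  extra=$(extra_groups "$1") || { echo "# unknown user role: $1"; return 1; }
  if [ -n "$extra" ]; then
    echo "useradd -m -g 311 -G $extra $1"
  else
    echo "useradd -m -g 311 $1"
  fi
  echo "passwd $1"
}

# Dry run; on the real system use: plan_groups "$(cat /etc/group)"
plan_groups "$SAMPLE_GROUP_DB"
plan_user md1
```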
Private and public directories of individual users:
Files stored in the home-directories of individual users (like those created in the previous step) can only be read, changed or deleted by the user 'owning' the directory.
To make certain files accessible to all other users, a 'common' directory is created for each user. The access-rights of that directory are set so that the files in it can be read (read only) by all other users.
Creation of the directory for common accessible data
Prerequisites:
When Create a user was done, a home-directory for the user was installed (with the -m parameter).
Commands:
Change to the home-directory of the user:
cd /home/md1
In this example the directory /home/md1 is for the 'Managing director 1' and has to be replaced by the respective user.
Create the directory which will later get the access-rights to be read by all users:
mkdir public
Additional hints:
This command can only be performed as 'root'.
Directories which will be mounted as 'network-disk' on all workstations connected over the TCP/IP-network are created now in the directory /SMB_Disk.
Directory | Aim | Samba resource-name
backup_mirror | Files which were backed up to a tape during startup of the server. In case the files were restored from a backup-tape, this directory acts as a mirror of the contents of the backup-tape. | backup_mirror
data_backed_up | Files which can be read, changed and deleted by all users and are backed up regularly. | dat_backup
data_not_backed_up | Files which can be read, changed and deleted by all users and are not backed up. | dat_no_backup
finance | Data and programs for financial administration (accounting and telebanking) which may only be read or executed with particular access-rights. | finance
progs_honest | Programs which do not need to write into their installation-directory after their installation. This allows write-protection of the program-files after installation and therefore a very tight protection against erroneous deletion by users or corruption by computer-viruses. | progs_honest
progs_writing | Programs which write into their installation-directory after their installation. | progs_writing
cd_01 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_01
cd_02 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_02
cd_03 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_03
cd_04 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_04
cd_05 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_05
cd_06 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_06
cd_07 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_07
cd_08 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_08
cd_09 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_09
cd_10 | Directory which can hold the copy of a CD-ROM (e.g. a product- or spare-parts-catalog). By attaching this directory as a network-disk on a workstation, the contents of the CD-ROM are accessible to more than one user simultaneously. | cd_10
Create a directory
Prerequisites:
None.
Commands:
The directory name /SMB_Disk is only recommended for the server; on a workstation it is recommended to use /remote/server instead.
# Change to the directory which is used to hold the network-disks
cd /SMB_Disk
#
# create the directories
mkdir backup_mirror
mkdir data_backed_up
mkdir data_not_backed_up
mkdir finance
mkdir progs_honest
mkdir progs_writing
Additional hints:
These commands can only be performed as 'root'.
Defining access-rights will be documented later.
The private and public directories of individual users will be linked as subdirectories into the data-directories.
This has the advantage that the original access-rights of the private and public directories remain as defined.
This step is only necessary for the server, not for a workstation!
'Link' of the private directories
Prerequisites:
directory /SMB_Disk/data_backed_up already created.
Commands:
# Change to the directory with the backed-up files
cd /SMB_Disk/data_backed_up
#
# Create the directory for the private data
# and change to this directory
mkdir private
cd private
#
# Link the directories for the private data of individual users
ln -s /home/md1 md1
ln -s /home/md2 md2
and so on .... (see table in the step 'User').
'Link' of the public directories
Prerequisites:
directory /SMB_Disk/data_not_backed_up already created.
Commands:
# Change to the directory with the not backed-up files
cd /SMB_Disk/data_not_backed_up
#
# Create the subdirectory for the public files
# and change to this directory
mkdir public
cd public
#
# Link the directories for the public data of individual users
ln -s /home/md1/public md1
ln -s /home/md2/public md2
and so on .... (see table in the step 'User').
Additional hints:
These commands can only be performed as 'root'.
Defining access-rights will be documented later.
The attachment of access-rights follows the UNIX scheme.
Directory (see Directories accessible for all users and Links to directories of individual users) | Owner (see User) | Group (see user-groups) | Access-rights
backup_mirror | (not published administrator-name) | backup (313) | 750
data_backed_up | (not published administrator-name) | office (311) | 770
data_not_backed_up | (not published administrator-name) | office (311) | 770
finance | (not published administrator-name) | finance (312) | 770
progs_honest | (not published administrator-name) | office (311) | 750
progs_writing | (not published administrator-name) | office (311) | 770
cd_01 | (not published administrator-name) | office (311) | 750
cd_02 | (not published administrator-name) | office (311) | 750
cd_03 | (not published administrator-name) | office (311) | 750
cd_04 | (not published administrator-name) | office (311) | 750
cd_05 | (not published administrator-name) | office (311) | 750
cd_06 | (not published administrator-name) | office (311) | 750
cd_07 | (not published administrator-name) | office (311) | 750
cd_08 | (not published administrator-name) | office (311) | 750
cd_09 | (not published administrator-name) | office (311) | 750
cd_10 | (not published administrator-name) | office (311) | 750
Change the owner of a directory
Prerequisites:
None.
Command:
# recursive; i.e. subdirectories get the new owner too
chown -R (not published administrator-name) /SMB_Disk/backup_mirror
and so on; for each directory.
Change the group of a directory
Prerequisites:
None.
Command:
# recursive; i.e. subdirectories get the new group too
chgrp -R backup /SMB_Disk/backup_mirror
and so on; for each directory.
Change the access-rights of a directory
Prerequisites:
None.
Command:
# recursive; i.e. subdirectories get the new access-rights too
chmod -R 750 /SMB_Disk/backup_mirror
and so on; for each directory.
Define access-rights for linked directories of individual users
Changing owner, group and access-rights of the directories accessible to all users affects the private and public directories of individual users too.
Therefore the intended access-rights of these directories must be restored.
Prerequisites:
Private and public directories of individual users are already created (see Private and public directories of individual users) and linked (see Links to directories of individual users).
Command:
# Change the owner:
# recursive; i.e. subdirectories get the new owner too
chown -R md1 /home/md1
and so on; for each user.
# Change the user-group:
# recursive; i.e. subdirectories get the new group too
chgrp -R admin /home/md1
and so on; for each user.
# Set access-rights for the private directory:
# recursive; i.e. subdirectories get the new access-rights too
chmod -R 700 /home/md1
and so on .... (see table in the step 'User').
# Set access-rights for the public directory:
# recursive; i.e. subdirectories get the new access-rights too
chmod -R 755 /home/md1/public
and so on .... (see table in the step 'User').
Additional hints:
These commands can only be performed as 'root'.
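The access-rights tables and the chown/chgrp/chmod steps above, as an added check script (not code from the original document): it decides whether a user may read, write or traverse a path under this scheme, applying the UNIX rule that the x bit is needed on every directory along the path. The table of paths, owners, groups and modes is constructed from the two tables above, and the administrator is assumed to be called admin. Running it shows a consequence the steps above do not spell out: office01 cannot read /home/md1/public although that directory is 755, because /home/md1 is 700 and the link in data_not_backed_up/public is resolved through /home/md1.

```shell
#!/bin/sh
# Added example: effective-access check for the scheme of this document.
# Constructed table from the access-rights tables above: path owner group mode
# (administrator name assumed to be admin; not published in the document).
FS_TABLE='/ root root 755
/home root root 755
/home/md1 md1 admin 700
/home/md1/public md1 admin 755
/SMB_Disk root root 755
/SMB_Disk/finance admin finance 770
/SMB_Disk/progs_honest admin office 750'

# groups_of USER: group memberships taken from the user table
groups_of() {
  case $1 in
    admin) echo "admin office finance backup" ;;
    md[1-5]) echo "office finance backup" ;;
    accounting0[1-9]) echo "office finance" ;;
    *) echo "office" ;;
  esac
}

# entry_allows USER PERM PATH: PERM is r, w or x; uses the owner digit,
# the group digit (if USER is a member of the entry's group) or the other digit
entry_allows() {
  entry=$(printf '%s\n' "$FS_TABLE" | grep "^$3 ") || return 1   # unknown path
  set -- "$1" "$2" $entry          # now $4=owner $5=group $6=mode
  case $2 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 1 ;; esac
  if [ "$1" = "$4" ]; then digit=$(echo "$6" | cut -c1)
  elif echo " $(groups_of "$1") " | grep -q " $5 "; then digit=$(echo "$6" | cut -c2)
  else digit=$(echo "$6" | cut -c3)
  fi
  [ $((digit & bit)) -ne 0 ]
}

# can_access USER PERM PATH: x on / and on every parent directory, then PERM on PATH
can_access() {
  parent=${3%/*}
  while [ -n "$parent" ]; do
    entry_allows "$1" x "$parent" || return 1
    parent=${parent%/*}
  done
  entry_allows "$1" x / && entry_allows "$1" "$2" "$3"
}
```

Call it as `can_access office01 r /home/md1/public` and test the exit status; the table can be extended with the remaining directories of the tables above.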
Prerequisites:
User-groups and directories accessible for all users were already created.
Steps to be performed:
Create a user; commands see User.
Create the directory for common accessible data of the new user; commands see Private and public directories of individual users.
Create links to private and common accessible data of the new user; commands see Links to directories of individual users.
Define access-rights for linked directories of individual users; see commands following this link.
Additional hints:
These commands can only be performed as 'root'.