> I would like to set up a Linux based file server accessible for Linux,
> Windows and Mac clients.

You failed to say what file sharing protocol.  SMB/CIFS ('windows'
networking) would be fine with samba.  Old Macs use netatalk (appletalk)
but Mac OS X can use samba, appletalk, even NFS.

> The administration shall be done remotely
> (web based GUI on a client machine) using Perl scripts. The Perl
> scripts must be able to:
> 
> - add and remove directories on the server (that's not the problem)
> - add and remove users (username & password -> problem)
> - set access rights for the created directories (-> also a problem)


All of these are easy enough using sudo to run actions as root.
We were just talking about this last week or the week before on
this list, so check the archives.


> - To add users that shall be able to access the fileserver, do I have to
> create 'real' unix user accounts, or can I use something like the
> '.htaccess' users as used by Apache (users in .htaccess files can
> only access web directories via Apache, they don't have any other
> rights on the server). I would prefer such a solution to limit what
> people with a fileserver account can do on the server.

Depends on your protocol.  If you use samba, you could add and
create accounts by modifying /etc/samba/smbpasswd, which has no
relation to actual Linux accounts.  Appropriate file perms for
this could allow a non-root user to modify it.  Netatalk requires
actual unix accounts, though you may be able to create a custom
PAM (pluggable authentication module) to let it work on fake
passwd and shadow files, rather than using the actual Linux accounts.

> - How can I tell my Linux box that only certain users shall have
> access to a certain directory? Can I do this using something
> similar to '.htaccess' / '.htpasswd' ? Or what services do I have
> to use?

Linux file permissions first, of course.  However, you can use the
configuration of your software to do lots of fun tricks.  For example
with Samba you could restrict who could access a share, yet have all
files be written by a single user id so all authorized users
automatically have identical access to the files.  There are lots
of options, and you'll need to do sufficient research into your
software of choice to decide what you want to allow.  Netatalk
uses the group= option to restrict a mount point to users in a
particular Linux group, for example.

> - Do the scripts need root privileges to do all this, or is this
> feasible running as Apache CGI script?

If you need root, then do it via sudo, restricting access to only
the commands you absolutely need.


There is no 5-second answer to doing this - you need to read a
lot of man pages before you can expect to do this securely.


--
Brian Hatch                  You can have
   Systems and                cheap, easy,
   Security Engineer          or secure.
www.buildinglinuxvpns.net     Pick two.

Every message PGP signed
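As an added illustration (not code from Brian's message), here is a wrapper that ties together the two points above: the Samba share restriction and the sudo rule limited to a single command live in comments, and the script validates the username before any root action runs. The script path, share name and group name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Wrapper that a CGI script
# runs through sudo, so sudoers can name one script instead of granting
# root generally. Path, share and group names are assumptions.
#
# Assumed sudoers rule (edit with visudo); apache may run only this command:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/fs-useradd
#
# Assumed smb.conf share: only members of one group may connect, and every
# write is made as one uid so all authorized users get identical perms:
#   [projects]
#      path = /srv/projects
#      valid users = @projects
#      force user = projects
#      writable = yes

# Accept only names safe to hand to smbpasswd: lowercase letters, digits,
# underscore and dash, 1 to 32 chars, not starting with a dash (so the
# name can never be parsed as an option).
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Entry point: username on argv, password on stdin (never on argv, where
# ps would show it). smbpasswd -s reads the password twice from stdin.
main() {
    [ $# -eq 1 ] || { echo "usage: $0 USERNAME" >&2; exit 2; }
    valid_username "$1" || { echo "bad username" >&2; exit 2; }
    IFS= read -r pw || exit 2
    printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -a -s "$1"
}

# Run only when invoked with arguments, so sourcing the file is harmless.
[ $# -eq 0 ] || main "$@"
```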
