> I would like to set up a Linux based file server accessible for Linux,
> Windows and Mac clients.

You failed to say what file sharing protocol. SMB/CIFS ('windows'
networking) would be fine with samba. Old Macs use netatalk (appletalk)
but Mac OS X can use samba, appletalk, even NFS.

> The administration shall be done remotely (web based GUI on a client
> machine) using Perl scripts. The Perl scripts must be able to:
>
> - add and remove directories on the server (that's not the problem)
> - add and remove users (username & password -> problem)
> - set access rights for the created directories (-> also a problem)

All of these are easy enough using sudo to run actions as root. We were
just talking about this last week or the week before on this list, so
check the archives.

> - To add users that shall be able to access the fileserver, do I have to
>   create 'real' unix user accounts, or can I use something like the
>   '.htaccess' users as used by Apache (users in .htaccess files can
>   only access web directories via Apache, they don't have any other
>   rights on the server). I would prefer such a solution to limit what
>   people with a fileserver account can do on the server.

Depends on your protocol. If you use samba, you could add and create
accounts by modifying /etc/samba/smbpasswd, which has no relation to
actual Linux accounts. Appropriate file perms for this could allow a
non-root user to modify it.

Netatalk requires actual unix accounts, though you may be able to create
a custom PAM (pluggable authentication module) to let it work on fake
passwd and shadow files, rather than using the actual Linux accounts.

> - How can I tell my Linux box that only certain users shall have
>   access to a certain directory? Can I do this using something
>   similar to '.htaccess' / '.htpasswd' ? Or what services do I have
>   to use?

Linux file permissions first, of course. However you can use the
configuration of your software to do lots of fun tricks.

For example with Samba you could restrict who could access a share, yet
have all files be written by a single user id so all authorized users
automatically have identical access to the files. There are lots of
options, and you'll need to do sufficient research into your software of
choice to decide what you want to allow. Netatalk uses the group= option
to restrict a mount point to users in a particular Linux group, for
example.

> - Do the scripts need root privileges to do all this, or is this
>   feasible running as Apache CGI script?

If you need root, then do it via sudo, restricting access to only the
commands you absolutely need. There is no 5 second answer to doing this
- you need to read a lot of man pages before you can expect to do this
securely.

-- 
Brian Hatch                     You can have
Systems and                     cheap, easy,
Security Engineer               or secure.
www.buildinglinuxvpns.net       Pick two.
Every message PGP signed
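One concrete shape for the sudo approach Brian recommends, added here as an example and not code from the thread: a single wrapper script that is the only thing the web-server account may run as root, and that validates the name before it ever reaches smbpasswd or the filesystem. The paths, the sudoers line and the subcommand names are assumptions.

```shell
#!/bin/sh
# fileserver-admin: the only command the web-server account is allowed to
# run as root.  Hypothetical sudoers line (not from the original thread):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/fileserver-admin
# The CGI then never chooses the command line that runs with privilege;
# it can only pick one of the fixed subcommands below.
set -e
# Assumed paths; adjust for the distribution.
SMBPASSWD=/usr/bin/smbpasswd
SHARE_ROOT=/srv/shares

# Accept only a conservative name: a lowercase letter, then lowercase
# letters, digits, '-' or '_', at most 32 characters.  Returns 0 if OK.
# Anything else (spaces, '/', '..', leading '-', option-looking strings)
# is rejected before it can reach smbpasswd or the filesystem.
valid_name() {
  case "$1" in
    ''|*[!a-z0-9_-]*) return 1 ;;
  esac
  case "$1" in
    [a-z]*) ;;
    *) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Subcommands: add-user NAME (password on stdin), del-user NAME,
# add-dir NAME GROUP (directory writable only by that Linux group).
main() {
  cmd=${1:-}; name=${2:-}
  valid_name "$name" || { echo "rejected name" >&2; return 2; }
  case "$cmd" in
    add-user)
      # -s: read the password from stdin, so it never appears in 'ps'.
      "$SMBPASSWD" -s -a "$name" ;;
    del-user)
      "$SMBPASSWD" -x "$name" ;;
    add-dir)
      valid_name "${3:-}" || { echo "rejected group" >&2; return 2; }
      # setgid bit so new files inherit the group; 'force user' in
      # smb.conf can then give every authorized client identical access.
      install -d -m 2770 -o root -g "$3" "$SHARE_ROOT/$name" ;;
    *)
      echo "usage: $0 add-user|del-user|add-dir NAME [GROUP]" >&2
      return 2 ;;
  esac
}

# Only dispatch when invoked with arguments (functions stay sourceable).
[ $# -eq 0 ] || main "$@"
```

The Perl CGI would then run `sudo /usr/local/sbin/fileserver-admin add-user NAME` and write the password to its stdin, with nothing else in /etc/sudoers for that account.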