User home folder permissions catch-22, help!
Hi everyone.
My objective is to configure a Solaris 10 box as follows: There will be many simultaneous users connecting to it, and each of those users would automatically get a home folder.
For example, when I add user "Bob", the home folder would be /export/home/Bob
And for Mary, it's /export/home/Mary
Each user is member of group "users".
Now the objective is that each user should have full control over his or her own home folder, but must NOT be able to do anything (or even visit) other people's home folders. Furthermore, the requirement is that users should NOT be able to change the permissions on their own home folder to allow this to happen. In other words, Bob must NOT be able to allow Mary access to his home folder, even if he wants to.
(Please don't ask me why he would want to do so or why users shouldn't be able to do so -- it'll suffice to say I'm setting up a school system and the users are students).
I have a boolean choice here: Either I make the user the owner (via chown) of their home folder, or I don't.
If I do make them owner (e.g. user Bob owns folder /export/home/Bob), then, sure, I can change the folder permission on /export/home/Bob to 700, and only Bob is able to do anything in it. But nothing stops Bob from running "chown 777 Bob" from the /export/home folder, and voila, other people can go there again"
If I do NOT make users owners of their folder (e.g. someone other than Bob, say Admin, owns all user folders, including /export/home/Bob), then I have no way to EXCLUSIVELY allow Bob permission to work in his folder. Unlike Windows (where you can give permission to a specific user), in Unix permissions only range by owner-group-everyone. Since Bob is not the owner, permitting either nobody or just the owner access to /export/home/Bob will not allow Bob to work in his own folder. If I do the permission by group (say the "users" group that Bob is part of), then all other people in group "users" (like Mary) will be able to open that folder. And allowing everyone access doesn't work for obvious reasons.
So it seems that whatever my choice, I cannot simulatenously allow exclusive access to a particular user WITHOUT letting that user to change the fact the access is actually exclusive.
In my search for solutions, I came up with the absolutely bizzare, poor practice, and overcomplicated option (Rube Goldberg would be proud) that right now nevertheless seems to me as the only one to accomplish my goals. The option requires the following algorithm:
1. Whenever you create a user, a group is created just for that user (for Bob it's BobGroup, for Mary it's MaryGroup... And so on. 100 users = 100 groups).
3. User is made member of that group, while retaining his membership in the "users" group as well.
2. A clone user (or as I call him, a Guardian User) is created. For Bob, it's BobGuardian, for Mary, it's MaryGuardian. 100 users = 100 extra guardian users). That guardian user is member of the 2-man group (BobGuardian will be member of BobGroup), but NOT of the "users" group.
3. The real user's folder ownership is moved to the guardian user, and the ownership group is the 2-man group. E.g. /export/home/Bob's owner is BobGuardian, not Bob, and the ownership group is set to BobGroup for that folder (chown BobGuardian:BobGroup /export/home/Bob)
4. The user's home folder's permissions are set to 770.
5. The Guardian user is password protected by the sysadmin and the real user never gets control over it.
As a result, Bob (being a member of the BobGroup), has full permissions to the inside of his home folder (can create stuff in it, read and execute) by virtue of being in the group which is the owner group of /export/home/Bob, but has no OWNERSHIP of the folder, and therefore cannot change the folder permissions to allow other users access to that folder.
I know the system is an absolute mess and something you'd see as an example of a "Why I quit my job" topic. But as I said previously, I don't see any other way. I'd be very happy to know if I'm wrong and there is actually a way that would NOT cause permanent brain damage to those who know how it works. Please let me know!
