This page was originally written in German at http://linuxwiki.de/MehrBenutzerUmgebung. If you understand German, please help in translating it and with enhancing it for Debian.

For a while see user private groups and permissions wiki articles, adduser-related bug #240855 on default group memberships

Multi User Management

Introduction

A Practical Solution For Seamless Operation

The goal is to provide a good, balanced way to let users unobtrusively collaborate in workgroups, which is easy to administer without a lot of help-desk support, and safe without doubtful security policies. For example, forbidding to list the contents of home directories does not help much since most config files have known names. Also, it is much too easy to get a false sense of security for other files (file permissions are what counts in $HOME, and list and access rights allow for easier rights management by subdirectories).

Problems And Solutions?

Use of User Private Groups (UPG) and "umask 002"

Your thoughts here

Additional Group Memberships

Your thoughts here

/etc/skel Home Directory Templates

Your thoughts here

Quotas

Your thoughts here

Group Directories

Your thoughts here

Things To Remember

Your thoughts here

Solution For Isolated Users (ISP-Case)

Your thoughts here

User (Pre) Settings

Your thoughts here

UNIX Permissions

Making good use of Unix permissions

Access to Programs and Hardware vs. Data

Your thoughts here

SUID/SGID Programs

No direct access but indirect access through SUID/SGID Programs

sudo

Super-user/Switch-userdo is a nifty utility that allows you to organize different administrative tasks into groups or categories, then associate users with those groups. This way (with an ingenous enough config file), you can give one person, or group of people, the ability to edit your web server config file and restart it with root privileges without giving them the root password, and thus access to everything. It also logs actions done using sudo for accounting.

I prefer sudo over su for a couple of reasons, even though I'm my administrator. The caching of the password is nice, as is the prompt for my password instead of the root password since my root passwords are a bit bothersome to type. I can limit what I can do with sudo via its config file. It handles commands with options without quoting them (eg. su -c 'ls -al /' becomes sudo ls -al.

ACL - Access Control Lists

What benefits do ACLs have? When are they necessary?

Packet: acl (Debian), acl-utils (Other distr.?) ls shows acl with a + sign

Commands: getfacl for reading setfacl for setting

ACLs can not yet be set by the most graphical applications and are somertimes lost if copied with them.

BEWARE: ACLs must be backed up extra!