This page was originally written in German at http://linuxwiki.de/MehrBenutzerUmgebung. If you understand German, please help in translating it and with enhancing it for Debian.

For example see this adduser item: on default group memberships


Multi User Management

Introduction

A Practical Solution For Seamless Operation

The goal is to provide a good, balanced way to let users collaborate unobtrusively in workgroups, one that is easy to administer without a lot of help-desk support and safe without relying on doubtful security policies. For example, forbidding users to list the contents of home directories does not help much, since most config files have known names. It is also much too easy to get a false sense of security for other files (file permissions are what counts in $HOME, and list and access rights allow for easier rights management by subdirectories).

Problems And Solutions?

Use of User Private Groups (UPG) and "umask 002"

Your thoughts here


Additional Group Memberships

Your thoughts here


/etc/skel Home Directory Templates

Your thoughts here


Quotas

Your thoughts here


Group Directories

Your thoughts here


Things To Remember

Your thoughts here


Solution For Isolated Users (ISP-Case)

Your thoughts here


User (Pre) Settings

Your thoughts here


UNIX Permissions

Making good use of Unix permissions


Access to Programs and Hardware vs. Data

Your thoughts here


SUID/SGID Programs

No direct access but indirect access through SUID/SGID Programs


sudo

sudo (Super-user/Switch-user do) is a nifty utility that allows you to organize different administrative tasks into groups or categories, then associate users with those groups. This way (with an ingenious enough config file), you can give one person, or a group of people, the ability to edit your web server config file and restart the server with root privileges without giving them the root password, and thus access to everything. It also logs actions done using sudo for accounting.

I prefer sudo over su for a couple of reasons, even though I'm my own administrator. The caching of the password is nice, as is the prompt for my password instead of the root password, since my root passwords are a bit bothersome to type. I can limit what I can do with sudo via its config file. It handles commands with options without quoting them (e.g. su -c 'ls -al /' becomes sudo ls -al /).
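
An added example, not part of the original wiki page: a sudoers fragment for the web server delegation described above, with a weak rule shown beside a safer one. The group name webadmin, the file name, the Apache paths and the log file path are assumptions.

```sudoers
# /etc/sudoers.d/webadmin  (hypothetical file name)
# Assumptions: a Unix group "webadmin" and Apache installed at Debian paths.

# Log every sudo invocation to a dedicated file in addition to syslog.
Defaults logfile=/var/log/sudo.log

# Cache the user's own password for 5 minutes, for this group only.
Defaults:%webadmin timestamp_timeout=5

# Commands the group may run as root. The arguments are part of the
# match, so restarting any other unit, or "systemctl stop", is refused.
Cmnd_Alias WEB_SVC = /usr/bin/systemctl restart apache2.service, \
                     /usr/bin/systemctl reload apache2.service

# Weak: this runs the editor itself as root. Most editors can start a
# shell or open other files, so the rule amounts to full root access.
#%webadmin ALL = (root) /usr/bin/vi /etc/apache2/apache2.conf

# Better: sudoedit copies the file, runs the editor as the invoking
# user, and installs the edited copy as root afterwards.
%webadmin ALL = (root) sudoedit /etc/apache2/apache2.conf, WEB_SVC
```

Check the syntax with visudo -cf /etc/sudoers.d/webadmin before relying on the file. Group members then run sudoedit /etc/apache2/apache2.conf and sudo systemctl restart apache2.service, authenticating with their own password.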

ACL - Access Control Lists

What benefits do ACLs have? When are they necessary?

Package: acl (Debian), acl-utils (other distributions?). ls shows files that have an ACL with a + sign.

Commands: getfacl for reading, setfacl for setting.

ACLs cannot yet be set by most graphical applications and are sometimes lost when files are copied with them.

BEWARE: ACLs must be backed up separately!