Best privileges strategy for an academic group?
by dryheat from LinuxQuestions.org on (#5JKF0)
I am a researcher and have a leased virtual Ubuntu server (from a university unit), and I have sudo admin privileges/responsibilities. Access is authenticated through a quite secure (seems, to me; we'll see) single-sign-on, two-factor authentication system.
I have an IT team using this server, consisting of a shifting (by semester) group of university students. We can assume that when students graduate, their login privileges will be revoked by the central system after some short time.
We have some Python applications that anyone who is on the team at a given time might need to use, which run inside Python venvs. It seems stupid for every user to install their own venv and copy of the software.
So the question is: What would be the best/lowest-effort strategy for making apps on this server available to anyone on the team? I'm thinking it might be to create a /home/application/xxx for every app xxx, and give world rwx permission on it. This would count on the higher-level security measures to keep unwanted people out.
Is that a horrible idea? If so, what would be a better option?
[FWIW I considered whether to post this to the security forum, but their posts didn't seem to be in this vein.]
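An added example, not part of the original post: a Python check that lists what a world-rwx application directory exposes, next to a group-owned setgid layout. The temporary directory stands in for /home/application/xxx, and the dedicated team group is an assumption (the demo uses the caller's own group so it runs without root).

```python
import os
import stat
import tempfile

def entries(root):
    """Yield (path, lstat) for every directory and file under root, skipping symlinks."""
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):
                yield path, st

def audit(root):
    """Return (path, problem) pairs: world-writable entries, and directories
    without setgid (files created there would not inherit the team group)."""
    findings = []
    for path, st in entries(root):
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
            findings.append((path, "directory lacks setgid"))
    return findings

def harden(root, gid):
    """Hand the tree to group `gid`: directories 2775, files gain g+w and lose o+w."""
    for path, st in entries(root):
        os.chown(path, -1, gid)  # change group only; must happen before setting setgid
        if stat.S_ISDIR(st.st_mode):
            os.chmod(path, 0o2775)
        else:
            os.chmod(path, (stat.S_IMODE(st.st_mode) | stat.S_IWGRP) & ~stat.S_IWOTH)

def demo():
    """Constructed sample tree with mode 777, audited before and after hardening."""
    with tempfile.TemporaryDirectory() as app:
        script = os.path.join(app, "bin", "run.py")
        os.makedirs(os.path.dirname(script))
        open(script, "w").close()
        for p in (app, os.path.dirname(script), script):
            os.chmod(p, 0o777)
        before = audit(app)
        # Assumption: a real setup would pass grp.getgrnam("<team group>").gr_gid here.
        harden(app, os.getegid())
        return before, audit(app)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

With mode 777, every account on the server, including service accounts, can replace code that team members later execute; with the group layout, write access follows group membership.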