The user rights system that is used by nearly every Linux distribution out there isn’t fine grained to say the least. In fact I’d say Windows has more fine-grained user right options than Linux currently does. There are three types of users: users that cannot become root, users that can become root, and root. So you can either do nothing, type in your password an extra time and do whatever you want, or do whatever you want whenever you want. Not ideal. The solution is a bit involved and roughly based on the MediaWiki access rights model, I think. Each user is given certain rights based on pre-set, or otherwise, user profiles that are, in turn, based on a number-based rights system and plus-, or minus-, codes. The number based rights system roughly defines user access on a scale of 0 to 5.
- Level 0 users have extremely limited access rights. They are limited to read-only access to their /home directory. This is reserved for extreme cases only and exists primarily to make removing a users access to their files impossible even if they can only read them.
- Level 1 users have Level 0 rights as well as write and delete rights in their /home directory and access to applications installed on the system. They can also access a shared directory and share their own files.
- Level 2 users have Level 0-1 rights as well as execute rights in their /home directory and access to the anacron and cron tab.
- Level 3 users have Level 0-2 rights as well as system-wide read rights, except in the /home director and trivial application installation and removal rights.
- Level 4 users have Level 0-3 rights as well as complete application installation and removal rights.
- Level 5 users have Level 0-4 rights and can modify system files via bots and add or remove users. Can to modify system files that aren’t crucial to the operation of the system directly.
Bots add an extra layer of protection to the system. Each system process, or group of processes, is executed by a user-type called a bot. Bots are system users. They have complete access to the files and directories they are associated with and Level 5 user can use bots to modify crucial system files. Bots are given access to their associated files and directories via plus- and minus- codes. Plus- and minus- codes grant a specific type of access in addition to user level rights. These codes can also have levels. They should have the following syntax:+[code name]-[#] -[code name]-[#]The level number, 0 to whatever, allow plus- and minus- codes to give fine-grained access control in addition to the general user level rights system. Some examples of plus- and minus- codes are as follows:+songbird +package_manage-3 -konquerer -shared_files-0 etc…