Mental Exercise: Linux in business

Stuart Sears stuart at absolutelyplastered.com
Sat Aug 7 01:57:46 PDT 2004


On Saturday 07 August 2004 09:56, cedric wrote:
> On Saturday 07 August 2004 02:47, Dominic L Hilsbos wrote:
> > The company I work for deploys hundreds of PCs, many of which are
> > utilized by multiple (at different times) non-computer-literate
> > personnel.  No one should be surprise by the fact that these computers
> > have had serious security problems recently.  Unfortunately I'm not part
> > of my companies IT department, so this is just a mental exercise for me.
> >
> > Ok, so the challenges are this:
> >
> > Users.  How would a business go about setting up centralized login, with
> > centralized servers handling users /home/* folders?  What I would
> > specifically like is that when a user logs in using the graphical
> > environment the users /home directory would be created, and then the
> > remote directory would be mounted there.  When the user logs out their
> > /home directory would be unmounted, and destroyed.
pam_mkhomedir should be able to do this, but are you sure you want the 
directories *destroyed*, so that all files they have created in this session 
are lost, or do you just mean unmounted?
> Why should only the home dir of that one user be mounted? One user can't
> read/write in another user's home dir. What's wrong with mounting the /home of
> all users?
why should you do this if it is not necessary? any extra mounted NFS directory 
leaves the possibility of a compromise, mount what you need and no more.
why? the NFS server does not keep track of remote UID and GID mappings, and 
will export an FS using numerical ownership only. if you have a local user 
with the same UID/GID as one of your remote users, 'he' will be able to enter 
that user's directory and will have full access to their files...
> However I would be interested to see the scripts to pull this off. I guess
> we can fiddle with the login shell in /etc/password, so first a script is
> run, and afterwards the shell is started.
it's really easy on RH systems - the automounter takes care of this.
As it is a kernel feature it should be workable on LFS just as easily, so 
you'll simply have to compile it into yours, and then configure it.
it works like this:
you give the automounter control of a complete directory tree (e.g /home)
and then tell it which filesystems/directories to NFS mount into that 
directory on demand. This is defined in two files on your system:
/etc/auto.master : defines which directories the automounter controls - e.g.
# --  /etc/auto.master excerpt -- #
/home	/etc/auto.home	--timeout=60
# dir		dir-specific config file	how long before unmounting an idle FS
#-- end --#
and then in /etc/auto.home ( or whatever you put in the auto.master file)...
# ----
stuart	-rw,soft,intr	server:/home/stuart

mntpoint RELATIVE to this directory, so stuart = /home/stuart , because this
file controls mount point under /home, then NFS mount options, then the
remote NFS path. for multiple directories there is a nice syntax trick:

*		-rw,soft,intr	server:/home/&

this says - mount whatever I ask for locally (*) from the remote server, 
if the directory exists there with the _same_ name (&)
ie, if I ask for /home/fred, this translates to
fred	-rw,soft,intr	server:/home/fred

be aware that using the automounter to cover the entire /home directory will 
mask any existing user home directories in there, just as mounting a 
different FS over the top would do.
for this reason, I often use /home/remote or /home/nis or some such, so that I 
can have local users too, if required.

why does it work?
well, when a user logs in the login procedure changes to their home directory, 
which is then mounted on demand by the automounter. There is a security 
issue, with the timeout setting, that once a user has logged out their 
directory will stay mounted locally for the length of the --timeout value 
specified in /etc/auto.master.

> btw, I use special package users to compile, how should I fiddle things so
> they get the lowest priority when logging in?
>
> > Centralized shared scheduling.  Certain members of the work force need
> > to be able to schedule meetings and such with each other.  Also it would
> > need to include the ability for each user to specify which other users
> > are able to edit their schedule.
mozilla calendar? works for me.
Or if you want a web-based product try webcal

HTH

Stuart
--
Stuart Sears RHCE, RHCX
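The UID/GID point above (NFS exports compare numeric IDs only, so a local account sharing a UID with a remote user gets that user's files) is easy to audit before enabling the automounter. The following is an added example, not part of Stuart's post or of any LFS/RH tooling: a POSIX sh function that takes two passwd-format listings (the NFS client's local /etc/passwd and the account list from the server or NIS/LDAP source, obtained however you normally would) and reports every UID that appears in both under different names. The two listings embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example: detect numeric UID collisions between the local account
# database of an NFS client and the accounts on the NFS server.
# Both inputs are passwd-format text (name:x:uid:gid:gecos:home:shell).
# Sample data below is constructed for the example.

LOCAL_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
stuart:x:1000:1000:Stuart:/home/stuart:/bin/bash
build:x:1001:1001:package user:/home/build:/bin/bash
EOF
)

REMOTE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
stuart:x:1000:1000:Stuart:/home/stuart:/bin/bash
fred:x:1001:1001:Fred:/home/fred:/bin/bash
EOF
)

# uid_collisions LOCAL_LISTING REMOTE_LISTING
# Prints one line per UID that exists on both sides under different names.
# A matching name with a matching UID is the intended mapping and is not
# reported. Each line is tagged L: or R: so a single awk pass can hold the
# local table in memory and check the remote entries against it.
uid_collisions() {
    {
        printf '%s\n' "$1" | sed 's/^/L:/'
        printf '%s\n' "$2" | sed 's/^/R:/'
    } | awk -F: '
        # after tagging: $1=side, $2=name, $3=password field, $4=uid, $5=gid
        $1 == "L" { local_name[$4] = $2; next }
        $1 == "R" && ($4 in local_name) && local_name[$4] != $2 {
            printf "uid %s: local=%s remote=%s\n", $4, local_name[$4], $2
        }'
}

# uid_collision_count LOCAL_LISTING REMOTE_LISTING
# Number of colliding UIDs; 0 means the two account databases agree.
uid_collision_count() {
    uid_collisions "$1" "$2" | wc -l | tr -d ' '
}

# Run against the constructed sample data when executed directly.
uid_collisions "$LOCAL_PASSWD" "$REMOTE_PASSWD"
```

In the sample data the local package user `build` and the remote user `fred` both hold UID 1001, which is exactly the case described above: once server:/home is mounted, `build` can read and write /home/fred. Resolve it by renumbering the local account (or reserving a UID range for local-only users) rather than by hoping the automounter only ever mounts the directories you expect.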