[school-discuss] authorization management
Greetings,
I recently had a nightmare about a malicious high school student using
the do_brk() kernel vulnerability to get root on one of our linux boxes
and realized we really needed better protection against this kind of
thing (local exploits).
One of the things on my list is per-user accounts, rather than a single
'student' account (for accountability). At the moment we're using a
single account for all student access. KDE logs into it automatically,
so we don't even give out the password for it, and we use the KDE Kiosk
framework to limit/eliminate GUI console access.
How do you manage per-user accounts, spread over multiple client PCs?
NIS? LDAP? Manually copied /etc/{passwd,shadow,group} and NFS homedirs?
Now, as it happens, we run OSX servers most everywhere. Each school has
one that maintains WebDAV lockers for each student (well, not yet, but
theoretically). My understanding of the system is that the WebDAV server
just talks to an LDAP (or it might be NetInfo (Apple's directory
service)) server that does the authentication, in which case I could
talk directly to that server and then somehow mount the locker either as
the student's home directory, or as a directory inside a local home
directory (e.g. still using a generic local system account, with an
additional per-user layer on top). One of my upcoming tasks is to get
the lockers working on the linux boxes anyway, so if I could link the
authentication to it I'd get 2 for 1. In any case, eventually I'll have
to solve both problems somehow...
How do you guys do it?
Thanks in advance,
Jake
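The accountability problem Jake raises (one shared 'student' account on every lab PC) is easy to make concrete: once two people are logged in as the same account on two machines at the same time, a session record can no longer be tied to a person. The following is an added example, not code from the original post or from any of the projects mentioned. It parses a constructed, wtmp-style session log (account, host, login, logout) and reports accounts whose sessions overlap in time across different hosts. The log format and the host names are assumptions for the illustration; on a real system you would feed it the output of `last` or an equivalent central login audit.

```python
"""Flag shared accounts whose sessions overlap across hosts.

Added example (not from the original post). Input format is an assumption:
one session per line as  account  host  login  logout  in ISO-8601.
"""
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

# Constructed sample log (not from a real system). The generic 'student'
# account is used on two lab PCs at once; 'jake' is a personal account.
SAMPLE_LOG = """\
student lab-pc-01 2004-01-12T09:00 2004-01-12T09:50
student lab-pc-07 2004-01-12T09:20 2004-01-12T10:05
student lab-pc-01 2004-01-12T11:00 2004-01-12T11:40
jake    admin-ws  2004-01-12T08:30 2004-01-12T12:00
jake    lab-pc-03 2004-01-12T12:30 2004-01-12T13:00
"""


@dataclass(frozen=True)
class Session:
    account: str
    host: str
    login: datetime
    logout: datetime


def parse_log(text: str) -> list:
    """Parse the constructed log format into Session records, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, host, start, end = line.split()
        sessions.append(
            Session(account, host, datetime.fromisoformat(start), datetime.fromisoformat(end))
        )
    return sessions


def overlapping_pairs(sessions: list) -> list:
    """Return (a, b) session pairs where one account was active on two hosts at once.

    Two closed intervals overlap when each starts before the other ends.
    Sessions on the same host are ignored: a user reconnecting to the same
    box is not an attribution problem, two people on two boxes is.
    """
    by_account = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    pairs = []
    for group in by_account.values():
        for a, b in combinations(group, 2):
            if a.host != b.host and a.login < b.logout and b.login < a.logout:
                pairs.append((a, b))
    return pairs


def unattributable_accounts(sessions: list) -> list:
    """Accounts for which at least one session cannot be tied to a single person."""
    return sorted({a.account for a, _ in overlapping_pairs(sessions)})


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for a, b in overlapping_pairs(sessions):
        print(f"{a.account}: {a.host} {a.login:%H:%M}-{a.logout:%H:%M} "
              f"overlaps {b.host} {b.login:%H:%M}-{b.logout:%H:%M}")
    print("unattributable accounts:", unattributable_accounts(sessions))
```

Running it over the sample flags only `student`; the personal account has sequential sessions and passes. The same check, run nightly against a central copy of each client's login records, is a cheap way to measure how far a migration to per-user accounts (whether via NIS, LDAP or copied passwd files) has actually progressed.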