[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[school-discuss] authorization management


I recently had a nightmare about a malicious high school student using the do_brk() kernel vulnerability to get root on one of our linux boxes and realized we really needed better protection against this kind of thing (local exploits).

One of the things on my list is per-user accounts, rather than a single 'student' account (for accountability). At the moment we're using a single account for all student access. KDE logs into it automatically, so we don't even give out the password for it, and we use the KDE Kiosk framework to limit/eliminate GUI console access.

How do you manage per-user accounts, spread over multiple client PCs? NIS? LDAP? Manually copied /etc/{passwd,shadow,group} and NFS homedirs?

Now, as it happens, we run OSX servers most everywhere. Each school has one that maintains WebDAV lockers for each student (well, not yet, but theoretically). My understanding of the system is that the WebDAV server just talks to an LDAP (or it might be NetInfo (Apple's directory service)) server that does the authentication, in which case I could talk directly to that server and then somehow mount the locker either as the student's home directory, or as a directory inside a local home directory (eg: still using a generic local system account, with an additional per-user layer on top). One of my upcoming tasks is to get the lockers working on the linux boxes anyway, so if I could link the authentication to it I'd get 2 for 1. In any case, eventually I'll have to solve both problems somehow...

How do you guys do it?

Thanks in advance,