Re: [school-discuss] authorization management

On Sunday 14 December 2003 20:36, Jake Maul wrote:
> I recently had a nightmare about a malicious high school student using
> the do_brk() kernel vulnerability to get root on one of our linux boxes
> and realized we really needed better protection against this kind of
> thing (local exploits).
>
> One of the things on my list is per-user accounts, rather than a single
> 'student' account (for accountability). At the moment we're using a
> single account for all student access. KDE logs into it automatically,
> so we don't even give out the password for it, and we use the KDE Kiosk
> framework to limit/eliminate GUI console access.
>
> How do you manage per-user accounts, spread over multiple client PCs?
> NIS? LDAP? Manually copied /etc/{passwd,shadow,group} and NFS homedirs?
>
> Now, as it happens, we run OSX servers most everywhere. Each school has
> one that maintains WebDAV lockers for each student (well, not yet, but
> theoretically). My understanding of the system is that the WebDAV server
> just talks to an LDAP (or it might be NetInfo (Apple's directory
> service)) server that does the authentication, in which case I could
> talk directly to that server and then somehow mount the locker either as
> the student's home directory, or as a directory inside a local home
> directory (e.g. still using a generic local system account, with an
> additional per-user layer on top). One of my upcoming tasks is to get
> the lockers working on the linux boxes anyway, so if I could link the
> authentication to it I'd get 2 for 1. In any case, eventually I'll have
> to solve both problems somehow...
>
> How do you guys do it?
LDAP would be a way to do this.
Skolelinux uses LDAP for user authentication. You should have a closer look
at Skolelinux: http://www.skolelinux.no, http://www.skolelinux.de
It comes with several installation profiles for skole-server, terminal-server,
workstation, thin-client and laptop. And it's designed to be installed and
administered by teachers, who usually are not known to be IT experts. :o)
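The thread contrasts hand-copied /etc/passwd files with LDAP-backed logins. What an LDAP client (nss_ldap/pam_ldap with `passwd: files ldap` in nsswitch.conf) actually does is map RFC 2307 posixAccount attributes onto the passwd fields; the example below, added here and not code from either poster or from Skolelinux, parses a constructed LDIF sample, performs that mapping, and audits the entries for the things that would undo the accountability goal (a privileged or duplicate uidNumber, missing attributes). The directory names, base DN, uid numbers and the 1000 minimum are assumptions for illustration.

```python
"""Map RFC 2307 posixAccount entries onto /etc/passwd fields, the way an
LDAP-backed NSS client presents them, and audit them for accountability.
Added example; sample data is constructed, not taken from any real site."""

# Constructed sample LDIF: two per-student accounts and one shared
# account whose uidNumber would make it root on every client.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=People,dc=example,dc=edu
objectClass: posixAccount
uid: asmith
uidNumber: 10001
gidNumber: 10000
cn: Alice Smith
homeDirectory: /home/asmith
loginShell: /bin/bash

dn: uid=bjones,ou=People,dc=example,dc=edu
objectClass: posixAccount
uid: bjones
uidNumber: 10002
gidNumber: 10000
cn: Bob Jones
homeDirectory: /home/bjones

dn: uid=student,ou=People,dc=example,dc=edu
objectClass: posixAccount
uid: student
uidNumber: 0
gidNumber: 10000
cn: Shared account
homeDirectory: /home/student
"""


def parse_ldif(text):
    """Split minimal LDIF (blank-line separated, 'attr: value' lines,
    no folding or base64) into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def to_passwd_line(entry, default_shell="/bin/bash"):
    """Compose 'name:x:uid:gid:gecos:home:shell' from posixAccount
    attributes; the password field is 'x' because the hash lives in
    the directory (userPassword), not in a copied /etc/shadow."""
    shell = entry.get("loginShell", [default_shell])[0]
    return ":".join([
        entry["uid"][0], "x", entry["uidNumber"][0], entry["gidNumber"][0],
        entry.get("cn", [""])[0], entry["homeDirectory"][0], shell,
    ])


def audit(entries, min_uid=1000):
    """Return human-readable problems that defeat per-user accountability:
    uidNumbers in the system/root range, duplicate uidNumbers (two logins
    indistinguishable in logs and file ownership), missing attributes."""
    problems, seen = [], {}
    for e in entries:
        name = e.get("uid", ["?"])[0]
        if "posixAccount" not in e.get("objectClass", []):
            problems.append(f"{name}: not a posixAccount")
            continue
        for attr in ("uidNumber", "gidNumber", "homeDirectory"):
            if attr not in e:
                problems.append(f"{name}: missing {attr}")
        num = int(e.get("uidNumber", ["-1"])[0])
        if num < min_uid:
            problems.append(f"{name}: uidNumber {num} below {min_uid} (system/root range)")
        if num in seen:
            problems.append(f"{name}: uidNumber {num} duplicates {seen[num]}")
        seen[num] = name
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        print(to_passwd_line(e))
    for p in audit(entries):
        print("PROBLEM:", p)
```

Run against a real directory, the equivalent check is `getent passwd` on a client after the LDAP NSS module is enabled, followed by the same uidNumber review; a shared 'student' entry like the third one above would show up there as a root-equivalent login on every machine that trusts the directory.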