[K12OSN] Linux client file sharing protocols

Jamie McParland mcparlandj at newberg.k12.or.us
Wed Aug 11 22:39:00 UTC 2004


On Aug 11, 2004, at 3:24 PM, Jeff Kinz wrote:

> On Wed, Aug 11, 2004 at 02:52:42PM -0700, Jamie wrote:
>> We're setting up some Fedora Core 2 stand-alone clients for teachers to
>> use on their desktops. They all have home directories on one of our
>> file servers. I really hate to share these via NFS with the security
>> concerns of NFS (exporting the /data/staff/ directory to our entire
>> subnet where we could get a malicious user switching UIDs to delete
>> other people's files etc).
>
> I'm not sure I get the problem.
> The teachers' directories should be mounted only to the machines they
> login on, no matter what/where it is.
>

I have 500 staff members, and we use DHCP, so this is not an option. 
This would mean setting all their computers up with static addresses 
and then making an export of each home folder in /etc/exports, correct?

> If your accounts are properly secured, no one should be switching user
> IDs at anytime except root.

I'm under the impression that if you export a directory, say /data/staff, 
to an entire subnet using the root squash option, only the non-root 
users will have access to their files based on their UID and GID 
numbers.

Say a kid comes to school with a nix laptop. Mounts the export. Creates 
a user on his machine with the same UID as his teacher's. Bam, he has 
read-write access to her files on the export. I could be wrong, but this 
is my understanding and my concern.

> In a networked environment you should make
> sure the "Stand-alone clients" ?  (These have hard drives ? ) are
> administered via NIS.

We're doing LDAP. By stand-alone I meant these were not k12ltsp boxes. 
Just a regular computer with Fedora on it. The authentication will be 
handled via LDAP and hopefully the users' home directories will be on 
the server.

> Using NIS/YP and NFS you shouldn't have any problems of the nature you
> describe.   Securely NFS auto-mounting a directory full of home directories
> has been done at least since the late 80's.
>

Yea, it's the UID/GID scenario I mentioned above that worries me.

- Jamie


>>
>> So I am wondering how you guys do it? Is this a legitimate security
>> concern? Could I somehow auto-mount the users' volumes via smb? I would
>> like to not have the users' home folder local, but rather located on the
>> server.
>>
>
> -- 
> Linux/Open Source.  Now all your base belongs to you, for free.
> ============================================================
> Idealism:  "Realism applied over a longer time period"
>
> Jeff Kinz, Emergent Research, Hudson, MA.
>
>
Jamie McParland
Newberg Public Schools
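
Added example, not part of the original message: a small audit of /etc/exports for the situation discussed in this thread, where a directory is exported to many clients and the server trusts whatever UID/GID each client asserts. The sample exports file, its paths and its addresses are constructed for illustration; only the basic `path client(options)` form is parsed.

```python
import ipaddress
import re

# Constructed sample /etc/exports; paths and addresses are illustrative.
SAMPLE_EXPORTS = """\
# staff home directories
/data/staff  10.1.0.0/16(rw,root_squash)
/data/pub    *(ro,all_squash)
/data/admin  10.1.5.20(rw,root_squash)
/data/krb    10.1.0.0/16(rw,sec=krb5p,root_squash)
"""

ENTRY = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")  # client(opt,opt,...)


def is_broad(client):
    """True when the client spec matches more than one fixed host."""
    if client == "" or "*" in client or "?" in client or client.startswith("@"):
        return True  # any host, wildcard, or netgroup
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses > 1
    except ValueError:
        return False  # a single hostname


def audit_exports(text):
    """Return (path, client, mode) for each export where many clients are
    trusted to assert their own UID/GID (AUTH_SYS without all_squash)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:
            m = ENTRY.match(spec)
            if not m:
                continue  # malformed entry, skipped
            client, opts = m.group(1), set((m.group(2) or "").split(","))
            # sec= lists accepted flavors; exports default to sys (AUTH_SYS).
            flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            # root_squash remaps only UID 0, so it does not clear a finding.
            if "sys" in flavors and "all_squash" not in opts and is_broad(client):
                findings.append((path, client or "(any host)", "rw" if "rw" in opts else "ro"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("client-asserted UIDs trusted:", finding)
```
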
