[SlugBug] NIS / Group ID / Hardware Access issue
Mark Broadbent
markb at wetlettuce.com
Thu Apr 19 20:15:24 BST 2007
James Wallbank wrote:
> Hello All,
>
> Here at Access Space we run an NIS server to distribute usernames and
> passwords across our network clients.
>
> The network clients are predominantly Mandriva 2006, but we're looking
> to migrate to a newer distro, possibly Ubuntu 6.06 LTS, perhaps Mandriva
> 2007, maybe even a Debian-based distro like Xandros Open Circulation 4.
>
> Anyway, the upshot is that we have a problem with hardware devices -
> these newer distros allow hardware auto-mounting and unmounting via
> groups "floppy", "cdrom", "usb" and so on, which have GIDs around 20-25.
>
> The different distros don't necessarily synchronise the same GID numbers
> - on some cdrom may be GID 24, on others that same group may be GID 25.
>
> Now users with distributed UIDs aren't members of these groups, and
> typically NIS discourages you from distributing GIDs less than 100 -
> presumably to accommodate different client distros.
>
> I can see several approaches to solving this issue, but I'm not sure
> where to start...
>
> 1) Could we doctor the clients' /etc/passwd and /etc/group in such a way
> as to automatically make any UID greater than 5000 (all our distributed
> UIDs start at 5000) part of local hardware groups?
>
> 2) Could we achieve this same end more elegantly by engineering
> /etc/sudoers?
>
> 3) Should we delete local hardware groups from clients, and distribute
> those same group names by NIS (with higher GID's, and all NIS users
> members of those groups). I can see that this might work, but it could
> make clients inconvenient to use with a local username.
>
> 4) Would /etc/fstab help us to allow all users to mount and unmount
> hardware devices? Or was this the "old way" to achieve this, before
> hardware abstraction layers?
>
> 5) Is there a HAL configuration that could be our answer?
>
> I can see that this is a "standard issue" for newer *nix networks - but
> many big distros nowadays start with the assumption that their
> user-friendly distro is going to be used as a standalone network client.
>
> Any thoughts on the first place to try? Maybe there's another approach I
> haven't considered.
There is a PAM module that can dynamically add users to groups on login.
Take a look at /etc/security/group.conf (location on a Debian machine).
Thanks
Mark
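
A sketch of the pam_group setup the reply above points to, as an added example that is not part of the original thread. The PAM file name, the choice of groups and the netgroup name `nisusers` are assumptions for a Debian-style client.

```conf
# --- /etc/pam.d/common-auth (assumed Debian-style location) ---
# pam_group only provides the "auth" type and does no authentication itself,
# so it is added as an optional line alongside the existing auth modules.
# It grants extra supplementary groups when the service sets credentials.
auth    optional    pam_group.so

# --- /etc/security/group.conf ---
# Rule syntax:  services ; ttys ; users ; times ; groups
#
# Groups are looked up by NAME on each client, so it does not matter that
# cdrom is GID 24 on one distro and GID 25 on another. Nothing below GID 100
# has to be distributed over NIS.
#
# Every user, every service, any time: add the local hardware groups.
# List only groups that exist in the client's own /etc/group.
*;*;*;Al0000-2400;floppy,cdrom

# Narrower alternative (assumption: a NIS netgroup named "nisusers" exists).
# Only members of that netgroup get the groups, and only on local consoles,
# so a remote ssh session does not gain access to the desk's drives.
# login;tty*;@nisusers;Al0000-2400;floppy,cdrom

# Caveat from the pam_group documentation: a user who holds one of these
# groups during a session can create a setgid file on any filesystem they
# can write to and keep the group afterwards. Mount user-writable
# filesystems (home, /tmp, removable media) with nosuid.
```

The granted groups are added to whatever /etc/group or NIS already provides; `id` run in a fresh login session shows whether the rule matched.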