On Fri, Aug 19, 2005 at 09:45:51AM +0200, Laurent wrote:
> Hi,
>
> I'm trying to set up secure workstations for developers.
>
> My current setup includes a file server where Home directories of users
> are stored.
>
> Developers have root access on their computers.
>
> Exporting the whole /home directory would put data security at risk
> since creating an account with the 'right' uid on a workstation would
> grant access to user files.
>
> My question is: How to allow any user to use any workstation
> (Authentication through LDAP) without putting data security at risk, and
> keeping files on the server.

You are addressing one of the biggest security problems in today's computing environments. You need to employ NFS4 or AFS or something like that. These network filesystems perform authentication (and optionally encryption) using kerberos. Setting them up (including the prerequisite kerberos environment) is however a little bit more involved than plain NFS3.

However, as long as the users have root access, this does not help much since they still can assume some other user's identity to get access to their files, if the other user has previously authenticated himself on the same machine and gotten access to his files. So, you would need to make sure that every user has only root access on his own machine and that no other user is working there.

Try to read and understand how kerberos and NFS4 work. This is too much to explain here.

Dominik.

-- 
PGP Public Key and contact information available at http://www.tphys.physik.uni-tuebingen.de/tplist/phonelist.py?uid=epple
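
An added example, not part of the original thread: a small server-side check that lists every export still reachable with client-asserted uids, the weakness described in the question. It assumes the Linux exports(5) syntax, where the security flavour is chosen with `sec=` and `sys` is the default when the option is absent; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Report exports that accept AUTH_SYS, i.e. trust the uid sent by the client.
# Reads exports(5)-style text on stdin, prints "path client sec=<flavours>".
# Not handled: quoted paths containing spaces, backslash line continuations.
audit_exports() {
    awk '
    /^[ \t]*#/ { next }                      # comment line
    NF == 0    { next }                      # blank line
    {
        path = $1
        defaults = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break             # trailing comment
            if ($i ~ /^-/) { defaults = substr($i, 2); continue }
            client = $i
            opts = defaults
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                inner = substr($i, p + 1, length($i) - p - 1)
                opts = (defaults == "" ? inner : defaults "," inner)
            }
            if (client == "") client = "*"   # "(opts)" alone means any host
            flavors = "sys"                  # default when sec= is absent
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) flavors = substr(o[j], 5)
            # sec= takes a colon-separated list; flag it if sys is allowed
            if (index(":" flavors ":", ":sys:") > 0)
                printf "%s %s sec=%s\n", path, client, flavors
        }
    }'
}

# Constructed sample input (hypothetical hosts and paths).
sample_exports() {
    cat <<'EOF'
# constructed sample, not taken from the thread
/home        *(rw,sync)
/srv/krbhome *.example.org(rw,sync,sec=krb5p)
/srv/mixed   10.0.0.0/24(rw,sec=krb5:sys) ws1.example.org(rw,sec=krb5i)
EOF
}

sample_exports | audit_exports
```

An empty report only means the server demands Kerberos; it does not address the reply's second point about root on a shared workstation.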