pam_group (Was: ubuntu-xxx ....)
Timo Aaltonen
tjaalton at cc.hut.fi
Thu Mar 31 14:16:05 CST 2005
>> - We authenticate our users via an LDAP & Kerberos Server. Every student
>> is in the LDAP directory. We also have groups in the LDAP but they are
>> mostly used for permissions on the home directory (which is an NFS share).
>> Now the question is how can we make sure that students can mount cdroms
>> and play sound without being in the required groups? It wouldn't be very
>> comfortable to us to add each student to each of those groups. Again, I am
>> looking for a solution that doesn't break Ubuntu or change the next time I
>> do an update of it.
>
> Why is it a problem to add these users to the necessary groups? That is the
> simplest and most robust solution.

Not if you have >20000 users. Besides, isn't it a security problem to have all
users in all those groups that are desktop-specific? At least when
ssh-connections are accepted...

A more "elegant" solution is to tell gdm to use pam_group (as I already told
Adrian in a private mail):

- add this line in /etc/pam.d/gdm:

    auth optional pam_group.so

- modify /etc/security/group.conf; for a hoary installation it could be
  something like this (looking at my laptop and the groups I'm on):

    gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner

Now only the local user has access to the devices etc. Neat and tidy, huh? ;)

t
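
Added example, not part of the original message and not pam_group's own code: a simplified Python model of how a group.conf rule (services;ttys;users;times;groups) is matched, to check that the rule above hands out the device groups for a gdm login but not for an ssh session. The function names, the tty values and the user name are assumptions made for the illustration; `when` is a datetime.datetime.

```python
# Added example: simplified model of group.conf matching, not pam_group's own code.
import fnmatch
import re

DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def logic(expr, pred):
    """Evaluate a logic list left to right: '!' negates, '&' is AND, '|' is OR."""
    result, op = None, "|"
    for tok in re.findall(r"[&|]|[^&|\s]+", expr):
        if tok in ("&", "|"):
            op = tok
            continue
        hit = pred(tok.lstrip("!")) != tok.startswith("!")
        result = hit if result is None else ((result and hit) if op == "&" else (result or hit))
    return bool(result)

def time_ok(spec, when):
    """True if `when` falls inside a spec such as Al0000-2400 or Wk0800-1800."""
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError(f"bad time spec: {spec!r}")
    days = set()
    for code in re.findall("..", m.group(1)):
        days ^= DAYS[code]  # a repeated day cancels out, e.g. MoWk = Tu..Fr
    start, end, now = int(m.group(2)), int(m.group(3)), when.hour * 100 + when.minute
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    if start <= end:
        return today in days and start <= now < end
    # Range wraps past midnight: the late part belongs to today, the early part to yesterday.
    return (today in days and now >= start) or (yesterday in days and now < end)

def groups_for(conf, service, tty, user, when):
    """Return the supplementary groups the rules in `conf` grant to this login."""
    granted = []
    for line in conf.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(";")]
        if len(fields) != 5:
            continue  # blank, comment or malformed line
        svc, ttys, users, times, groups = fields
        if (logic(svc, lambda p: fnmatch.fnmatchcase(service, p))
                and logic(ttys, lambda p: fnmatch.fnmatchcase(tty, p))
                and logic(users, lambda p: fnmatch.fnmatchcase(user, p))
                and logic(times, lambda s: time_ok(s, when))):
            granted += [g for g in re.split(r"[,\s]+", groups) if g and g not in granted]
    return granted

CONF = "gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner"  # rule from the post
```

Calling groups_for(CONF, "gdm", ":0", "student1", when) returns the six device groups, while the same call with service "sshd" returns an empty list.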