pam_group (Was: ubuntu-xxx ....)

Timo Aaltonen tjaalton at cc.hut.fi
Thu Mar 31 14:16:05 CST 2005


>> - We authenticate our users via an LDAP & Kerberos Server. Every student
>> is in the LDAP directory. We also have groups in the LDAP but they are
>> mostly used for permissions on the home directory (which is an NFS share).
>> Now the question is how can we make sure that students can mount cdroms
>> and play sound without being in the required groups? It wouldn't be very
>> comfortable to us to add each student to each of those groups. Again, I am
>> looking for a solution that doesn't break Ubuntu or change the next time I
>> do an update of it.
> 
> Why is it a problem to add these users to the necessary groups?  That is the
> simplest and most robust solution.

Not if you have >20000 users. Besides, isn't it a security problem to have all 
users in all those groups that are desktop-specific? At least when 
ssh-connections are accepted...

A more "elegant" solution is to tell gdm to use pam_group (as I already told
Adrian in a private mail):

- add this line in /etc/pam.d/gdm:

auth    optional        pam_group.so

- modify /etc/security/group.conf; for a hoary installation it could be something
like this (looking at my laptop and the groups I'm on):

gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner

Now, only the local user has access to the devices etc. Neat and tidy, huh? ;)


t
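
Added example, not part of the original mail and not pam_group's own code: a small evaluator for group.conf rules (services;ttys;users;times;groups) that shows which groups a login through a given service would receive, so a rule can be checked for leaking desktop groups to ssh sessions. It handles only a subset of the syntax ('*', '|', '!'); the user name, tty values, the BROAD rule and all function names are constructed for illustration.

```python
from datetime import datetime
from fnmatch import fnmatchcase

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
DAY_SETS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}

def _match(logic, value):
    # Subset of the logic-list syntax: '|' alternatives, '!' negation, '*' wildcard.
    for term in (t.strip() for t in logic.split("|")):
        if fnmatchcase(value, term.lstrip("!")) != term.startswith("!"):
            return True
    return False

def _time_ok(spec, when):
    now = when.hour * 100 + when.minute
    for term in (t.strip() for t in spec.split("|")):
        body, i, days = term.lstrip("!"), 0, set()
        while body[i:i + 2].isalpha():
            # Naming a day twice removes it again (MoWk = Tu..Fr), hence the XOR.
            days ^= set(DAY_SETS.get(body[i:i + 2], [body[i:i + 2]]))
            i += 2
        start, end = (int(x) for x in body[i:].split("-"))
        # Simplification: a range with end < start is treated as wrapping past midnight.
        in_range = (start <= now < end) if start <= end else (now >= start or now < end)
        if (DAYS[when.weekday()] in days and in_range) != term.startswith("!"):
            return True
    return False

def granted_groups(conf_text, service, tty, user, when):
    """Groups pam_group would add, assuming the service's PAM stack calls the module."""
    groups = set()
    for raw in conf_text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(";")]
        if fields == [""]:
            continue  # blank line or comment only
        svc, ttys, users, times, grp = fields  # ValueError unless exactly 5 fields
        if (_match(svc, service) and _match(ttys, tty)
                and _match(users, user) and _time_ok(times, when)):
            groups.update(grp.replace(",", " ").split())
    return groups

# SCOPED is the rule from the mail; BROAD and the login details are constructed.
SCOPED = "gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner\n"
BROAD = "*;*;*;Al0000-2400;audio,video  # constructed over-broad rule\n"
WHEN = datetime(2005, 3, 31, 14, 16)

if __name__ == "__main__":
    for svc in ("gdm", "sshd"):
        print(svc, [sorted(granted_groups(c, svc, ":0", "student1", WHEN)) for c in (SCOPED, BROAD)])
```

With the gdm-scoped rule an sshd login gets no extra groups, while the constructed wildcard rule would hand audio and video to any service whose PAM stack includes pam_group.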


