On Sat, 05-05-2007 at 14:57 +0200, Petter Reinholdtsen wrote:
> [José L. Redrejo Rodríguez]
> > Ok, I agree on that, but in LinEx our biggest numbers are around 1000
> > workstations with 2000 users per network. They are still far away from
> > your calculations, and are working fine since September. And, obviously,
> > that's the worst case, most schools don't have more than 700 computers
> > and 1000 users, so, do you have networks with such size (2000
> > machines & 50000 users)?
>
> The university where I work has 60000 users and 14000 computers. :)

OK, you're right, but don't misunderstand me. What I mean is that maybe
the work of modifying the current Debian system is not worth it, as it's
only going to make sense in these big networks. And that kind of network
will probably request custom-made configurations, so making a general new
setup to be applied only in places that have to modify the setups...

If I'm not wrong, DebianEdu is made specially for primary and secondary
schools, and there we do not have that problem.

> > That's something I don't understand. Let's say user1 & user2 are in
> > the plugdev group, using different machines. If user1 inserts a DVD
> > or a USB disk, he has full access to the DVD or disk, but user2
> > only has read access to user1's hotplugged device. I don't see any
> > problem with that behaviour ...
>
> I do. If I have private files on my USB stick, I do not want other
> users to have read access to it.
>
> The current system does not scale, and fails to keep personal files
> private, and for these reasons I believe we must switch to a system
> that works.
>
> In addition, storing OS-specific group information in LDAP will make
> the LDAP database hard or impossible to use across operating systems,
> and that is also a problem for large installations.
>
> > But I don't see how user2 can access the remote device on the workstation
> > of user1 with the current setup, unless it's shared using the
> > network.
>
> I believe he would just need to ssh into the machine, then send a dbus
> event to umount and mount it, to get full access, would he not? hal
> does not know which of the users in the plugdev group should be allowed
> to mount the device, and will grant all of them access.
>

Wow, if one of our primary or secondary students is able to do that I
would offer him a job a.s.a.p.

Seriously, maybe the problem is that ssh should be enabled only for
sysadmins. When we discussed our setups, very often we had to stop and
rethink again. We are not in a bank, we cannot close everything to the
users, and if I go with personal or confidential data to a school I
should be careful with the permissions I put on my USB disk, same as if I
go with confidential papers in a case.

I don't mean your arguments are wrong. You are right about that hole, but
in such a case you should think of many other things that might happen,
such as students using temporary security kernel fails, or apache bugs, or
even ssh bugs. Maybe for a University you have to be much more careful,
as if you had your computer freely plugged into the Internet. But, for
schools, knowing that's something we should improve, I think there are
many more things to invest our time in; just taking a look at the
bugzilla I see a lot of work to be done, and priorities should be set on
those things.

Anyway, if I am wrong and DebianEdu is also targeted at setting up
University networks, all that I've written can be deleted. But I think
there is no way to prepare a general installation DVD to set up a
University server, and that's something that should be done "by hand" by
an expert sysadmin...

Obviously, if the important work in DebianEdu is finished, I will be the
first one to try to collaborate and help to set up a new authentication
method to mount external devices.

Regards,
José L.
Description: This part of the message is digitally signed