
Re: Notes on getting hotplug devices (USB sticks) to work in Debian Edu

[José L. Redrejo Rodríguez]
> And that kind of network probably will request custom-made
> configurations, so making a general new setup to be applied only in
> places that have to modify the setups...  If I'm not wrong,
> DebianEdu is made specially for primary and secondary schools, and
> there we do not have that problem.

Yes, it is primarily designed for primary and secondary schools, but
not limited to single school setups.  One of the design goals has
been to make it easy to administrate schools from regional sysadmin
centers, which could control a hundred schools, perhaps with a common
ldap database.  Also, I believe it is important to not create an LDAP
database that can only be used by Debian Edu, and thus believe it is a
goal to keep out OS specific groups and users from the LDAP database.
If the regional center wants to use the same LDAP server for RedHat,
SuSe or Solaris, there should be nothing in the Debian Edu design
making it hard or impossible.  These are part of the reasons why I
believe it is vital to not add all users to debian specific groups
like plugdev in the LDAP database.

> Wow, if one of our primary or secondary students is able to do that
> I would offer him a job a.s.a.p.

Sure, me too.  But he would most likely have shown the instructions to
others, who will use it to bypass the system security barriers.  And I
would not want to hire those, and the recipe would be available for
everyone to see.

> Seriously, maybe the problem is that ssh should be enabled only to
> sysadmins.

Yes, it would limit the problem a bit.  But it would still be a
problem if a user leaves a background process behind to do the job
while he isn't logged in.

> When we discussed our setups, very often we had to stop and rethink
> again. We are not in a Bank, we can not close everything to the
> users, and if I go with personal or confidential data to a school I
> should be careful with the permissions I put in my usb disk, same if
> I go with confidential papers in a case.

Sure.  But as long as it is within our reach to solve it properly, we
should.  One pupil using skolelinux said one of the best features was
that she had a private home directory to store her files.  I believe
we should be careful to take away the trust the pupils put on the
privacy of the system.

> I don't mean your arguments are wrong. You are right with that hole,
> but in such case you should think of many other things that might
> happen, as students using temporary security kernel fails, or apache
> bugs, or even ssh bugs. Maybe for a University you have to be much
> more careful, as if you had your computer freely plugged in
> Internet. But, for schools, knowing that's something we should
> improve, I think there are many more things to invest our time on,
> just taking a look at the bugzilla I see a lot of work to be done,
> and priorities should be set on those things.

Remember that I've hopefully already fixed the issue.  I'm just
waiting for the new dbus package to get out of NEW to test if it works
(well, I can't test it myself, as I only have qemu, and hotplug devices are
not really present there. :).

> Anyway, if I am wrong and DebianEdu is also targeted to setup
> University networks, all what I've written can be deleted.  But I
> think there is no way to prepare a general installation DVD to setup
> a University server, and that's something that should be done "by
> hand" by an expert sysadmin...

For servers, I agree, but for desktop the need for manual setup needs
to be limited to the very minimum.

> Obviously, if the important work in DebianEdu is finished, I will be
> the first one to try to collaborate and help to setup a new
> authentication method to mount external devices.

Great.  Please test it as soon as the new dbus package makes it to the
DVD. :)

You can already test part of it, by seeing if /var/run/console/ is
populated with files when a user logs in.

Next task for me is to check that LTSP local devices also work.  I'm
not sure yet if the fuser group membership is required, nor how the
access control is done.

Petter Reinholdtsen
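A small diagnostic, added here as an example and not part of the thread or of Debian Edu itself, that reports which of the two mechanisms discussed above would grant a user device access: static plugdev group membership (which applies even when the user is not sitting at the machine, the background-process case raised above) or a per-session entry in the console-tracking directory that the mail says should appear under /var/run/console/ on login. The directory path and the group line are parameters, so it can be pointed at a test directory or at the real output of `getent group plugdev`; the file-per-user layout of the console directory is an assumption.

```sh
#!/bin/sh
# Added example (not from the original mail). Assumes the console-tracking
# directory holds one file per logged-in user, named after the user.

# console_entry DIR USER: true if DIR contains a session file for USER
console_entry() {
    [ -f "$1/$2" ]
}

# in_group_line GROUPLINE USER: true if USER is listed as a member in a
# line in "getent group" / /etc/group format, e.g. "plugdev:x:46:alice,bob"
in_group_line() {
    members=${1##*:}
    case ",$members," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# access_path DIR USER GROUPLINE: prints which mechanism applies
#   group   - static membership, works whether or not the user is logged in
#   console - session based, only while the user has a console session
#   none    - neither mechanism grants access
access_path() {
    if in_group_line "$3" "$2"; then
        echo group
    elif console_entry "$1" "$2"; then
        echo console
    else
        echo none
    fi
}

# Usage: sh this-script.sh /var/run/console USER   (group line via getent)
if [ $# -ge 2 ]; then
    access_path "$1" "$2" "${3:-$(getent group plugdev)}"
fi
```

Run it for a user who is logged in and for one who is not: on a setup that relies on the console mechanism, the first should print `console` and the second `none`, with no user reported as `group`.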
