On Sat, 05-05-2007 at 16:01 +0200, Petter Reinholdtsen wrote:
> [José L. Redrejo Rodríguez]
> > And that kind of network probably will request custom-made
> > configurations, so making a general new setup to be applied only in
> > places that have to modify the setups... If I'm not wrong,
> > DebianEdu is made specially for primary and secondary schools, and
> > there we have not that problem.
>
> Yes, it is primarily designed for primary and secondary schools, but
> not limited to single school setups. One of the design goals has
> been to make it easy to administrate schools from regional sysadmin
> centers, which could control a hundred schools, perhaps with a common
> ldap database. Also, I believe it is important to not create an LDAP
> database that can only be used by Debian Edu, and thus believe it is a
> goal to keep out OS specific groups and users from the LDAP database.
> If the regional center wants to use the same LDAP server for RedHat,
> SuSe or Solaris, there should be nothing in the Debian Edu design
> making it hard or impossible. These are part of the reasons why I
> believe it is vital to not add all users to debian specific groups
> like plugdev in the LDAP database.
>
> > Wow, if one of our primary or secondary students is able to do that
> > I would offer him a job a.s.a.p.
>
> Sure, me too. But he would most likely have shown the instructions to
> others, who will use it to bypass the system security barriers. And I
> would not want to hire those, and the recipe would be available for
> everyone to see.
>
> > Seriously, maybe the problem is that ssh should be enabled only to
> > sysadmins.
>
> Yes, it would limit the problem a bit. But it would still be a
> problem if a user leaves a background process behind to do the job
> while he isn't logged in.
>
> > When we discussed our setups, very often we had to stop and rethink
> > again. We are not in a Bank, we can not close everything to the
> > users, and if I go with personal or confidential data to a school I
> > should be careful with the permissions I put in my usb disk, same if
> > I go with confidential papers in a case.
>
> Sure. But as long as it is within our reach to solve it properly, we
> should. One pupil using skolelinux said one of the best features was
> that she had a private home directory to store her files. I believe
> we should be careful to take away the trust the pupils put on the
> privacy of the system.
>
> > I don't mean your arguments are wrong. You are right with that hole,
> > but in such case you should think of many other things that might
> > happen, as students using temporary security kernel fails, or apache
> > bugs, or even ssh bugs. Maybe for a University you have to be much
> > more careful, as if you had your computer freely plugged in
> > Internet. But, for schools, knowing that's something we should
> > improve, I think there are many more things to invest our time on,
> > just taking a look to the bugzilla I see a lot of work to be done,
> > and priorities should be set on those things.
>
> Remember that I've hopefully already fixed the issue. I'm just
> waiting for the new dbus package to get out of NEW to test if it works
> (well, I can't test it myself, as I only qemu and hotplug devices are
> not really present there. :).
>
> > Anyway, if I am wrong and DebianEdu is also targeted to setup
> > University networks, all what I've written can be deleted. But I
> > think there is no way to prepare a general installation DVD to setup
> > a University server, and that's something that should be done "by
> > hand" by an expert sysadmin...
>
> For servers, I agree, but for desktop the need for manual setup needs
> to be limited to the very minimum.
>
> > Obviously, if the important work in DebianEdu is finished, I will
> > be the first one to try to collaborate and help to setup a new
> > authentication method to mount external devices.
>
> Great. Please test it as soon as the new dbus package makes it to the
> DVD. :)

Ok, you win ;-), I'll do it when it's available.

Best regards.
José L.

> You can already test part of it, by seeing if /var/run/console/ is
> populated with files when a user logs in.
>
> Next task for me is to check that LTSP local devices also work. I'm
> not sure yet if the fuser group membership is required, nor how the
> access control is done.
>
> Friendly,
> --
> Petter Reinholdtsen

Attachment: signature.asc
Description: This part of the message is digitally signed