[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Notes on getting hotplug devices (USB sticks) to work in Debian Edu

El sáb, 05-05-2007 a las 16:01 +0200, Petter Reinholdtsen escribió:
> [José L. Redrejo Rodríguez]
> > And that kind of network probably will request custom-made
> > configurations, so making a general new setup to be applied only in
> > places that have to modify the setups...  If I'm not wrong,
> > DebianEdu is made specially for primary and secondary schools, and
> > there we have not that problem.
> Yes, it is primarly designed for primary and secondary schools, but
> not limited to single school setups.  One of the design goals have
> been to make it easy to administrate schools from regional sysadmin
> centers, which could control a hundred schools, perhaps with a common
> ldap database.  Also, I believe it is important to not create an LDAP
> database that can only be used by Debian Edu, and thus believe it is a
> goal to keep out OS specific groups and users from the LDAP database.
> If the regional center want to use the same LDAP server for RedHat,
> SuSe or Solaris, there should be nothing in the Debian Edu design
> making it hard or impossible.  These are part of the reasons why I
> believe it is vital to not add all users to debian specific groups
> like plugdev in the LDAP database.
> > Wow, if one of our primary or secondary students is able to do that
> > I would offer him a job a.s.a.p.
> Sure, me too.  But he would most likely have shown the instructions to
> others, who will use it to bypass the system security barriers.  And I
> would not want to hire those, and the recipe would be available for
> everyone to see.
> > Seriously, maybe the problem is that ssh should be enabled only to
> > sysadmins.
> Yes, it would limit the problem a bit.  But it would still be a
> problem if a user leave a background process behind to do the job
> while he isn't logged in.
> > When we discussed our setups, very often we had to stop and rethink
> > again. We are not in a Bank, we can not close everything to the
> > users, and if I go with personal or confidential data to a school I
> > should be careful with the permissions I put in my usb disk, same if
> > I go with confidential papers in a case.
> Sure.  But as long as it is within our reach to solve it properly, we
> should.  One pupil using skolelinux said one of the best features was
> that she had a private home directory to store her files.  I believe
> we should be careful to take away the trust the pupils put on the
> privacy of the system.
> > I don't mean your arguments are wrong. You are right with that hole,
> > but in such case you should think of many other things that might
> > happen, as students using temporary security kernel fails, or apache
> > bugs, or even ssh bugs. Maybe for an University you have to be much
> > more careful, as if you had your computer freely plugged in
> > Internet. But, for schools, knowing that's something we should
> > improve, I think there are many more things to invest our time on,
> > just taking a look to the bugzilla I see a lot of work to be done,
> > and priorities should be set on those things.
> Remember that I've hopefully already fixed the issue.  I'm just
> waiting for the new dbus package to get out of NEW to test if it work
> (well, I can't test it myself, as I only qemu and hotplug devices are
> not really present there. :).
> > Anyway, if I am wrong and DebianEdu is also targeted to setup
> > University networks, all what I've written can be deleted.  But I
> > think there is no way to prepare a general installation DVD to setup
> > an University server, and that's something that should be done "by
> > hand" by an expert sysadmin...
> For servers, I agree, but for desktop the need for manual setup need
> to be limited to the very minimum.
> > Obviously, if the important work in DebianEdu is finished, I will
> > the first one to try to collaborate and help to setup a new
> > authentication method to mount external devices.
> Great.  Please test it as soon as the new dbus package make it to the
> DVD. :)

Ok, you win ;-), I'll do it when it's available.
Best regards.

José L.

> You can already test part of it, by seeing if /var/run/console/ is
> populated with files when a user log in.
> Next task for me is to check that LTSP local devices also work.  I'm
> not sure yet if the fuser group membership is required, nor how the
> access control is done.
> Friendly,
> -- 
> Petter Reinholdtsen

Attachment: signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente

Reply to: