Greetings!

We have a cluster (in the loosest, most generic application of that
term) of machines running SL4.5, x86_64. I'll try to provide adequate
but brief context before asking my actual question.

There is one login node and a small finite number of compute nodes.

The login node has two NICs, one facing the world with a public IP (and
only port 22 open), and the second facing our private network.

The compute nodes are only connected to the private net.

Accounts are managed with NIS and /home and /usr/local are NFS-mounted.
/opt is not.

Users log into the login node and then ssh to a compute node to do work
(over-simplification, but adequate for this discussion, I believe).

Applications are either installed under /usr/local (available
everywhere) or under /opt (available only on certain compute nodes).

*Here's the actual question.*

We would like to create accounts for restricted users, primarily for
data sharing purposes. These users would have access to the filesystem
as appropriate, but would not be allowed to run the applications living
under /opt and /usr/local.

A solution we have knocked around is to create a separate "non-compute"
node for these users, and that node would not NFS-mount /usr/local. The
users' login shell on the login node would be changed to a script that
would log them into the "restricted users node," and when they log out
from that node, they would be logged out of the login node as well.

Suggestions? Better ideas? Pointers to RTFM? Thanks.

Cheers,
 Pann
-- 
Pann McCuaig <[log in to unmask]>                212-854-8689
Systems Coordinator, Economics Department, Columbia University
Department Computing Resources:
               http://www.columbia.edu/cu/economics/computing/