SCIENTIFIC-LINUX-USERS Archives

January 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Richard Balthazor <[log in to unmask]>
Reply To: Richard Balthazor <[log in to unmask]>
Date: Mon, 7 Jan 2008 12:43:35 -0700

You might consider having some virtual ftp user accounts, if all they
want to do is move data around - much more secure than shell access,
and tunnel these through the ssh port.

cheers,
R.

On 07/01/2008, Pann McCuaig <[log in to unmask]> wrote:
> Greetings!
>
> We have a cluster (in the loosest, most generic application of that
> term) of machines running SL4.5, x86_64. I'll try to provide adequate
> but brief context before asking my actual question.
>
> There is one login node and a small finite number of compute nodes.
>
> The login node has two NICs, one facing the world with a public IP (and
> only port 22 open), and the second facing our private network.
>
> The compute nodes are only connected to the private net.
>
> Accounts are managed with NIS and /home and /usr/local are NFS-mounted.
> /opt is not.
>
> Users log into the login node and then ssh to a compute node to do work
> (over-simplification, but adequate for this discussion, I believe).
>
> Applications are either installed under /usr/local (available
> everywhere) or under /opt (available only on certain compute nodes).
>
> *Here's the actual question.*
>
> We would like to create accounts for restricted users, primarily for
> data sharing purposes. These users would have access to the filesystem
> as appropriate, but would not be allowed to run the applications living
> under /opt and /usr/local.
>
> A solution we have knocked around is to create a separate "non-compute"
> node for these users, and that node would not NFS-mount /usr/local. The
> users' login shell on the login node would be changed to a script that
> would log them into the "restricted users node," and when they log out
> from that node, they would be logged out of the login node as well.
>
> Suggestions? Better ideas? Pointers to RTFM? Thanks.
>
> Cheers,
>  Pann
> --
> Pann McCuaig <[log in to unmask]>                212-854-8689
> Systems Coordinator, Economics Department, Columbia University
> Department Computing Resources:
>                http://www.columbia.edu/cu/economics/computing/
>