SCIENTIFIC-LINUX-USERS Archives

January 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 7 Jan 2008 13:53:45 -0600
How about using group membership?  RHEL-based systems use the "you are 
the only member of your own group/umask 002" technique when creating 
accounts.  Then, they join the user to additional "project" based groups 
for access to resources.  So, for instance, if you are a member of the 
kryptonian group, you would be able to access resources owned by 
root.kryptonian.  The 002 umask is what does the trick because the user 
picks up the correct permissions when she logs in.  Obviously, resources 
must be appropriately chmod'ed to 770 or 750.  But this is something you 
do only once.

Hope this helps.

Ken


Pann McCuaig wrote:
> Greetings!
> 
> We have a cluster (in the loosest, most generic application of that
> term) of machines running SL4.5, x86_64. I'll try to provide adequate
> but brief context before asking my actual question.
> 
> There is one login node and a small finite number of compute nodes.
> 
> The login node has two NICs, one facing the world with a public IP (and
> only port 22 open), and the second facing our private network.
> 
> The compute nodes are only connected to the private net.
> 
> Accounts are managed with NIS and /home and /usr/local are NFS-mounted.
> /opt is not.
> 
> Users log into the login node and then ssh to a compute node to do work
> (over-simplification, but adequate for this discussion, I believe).
> 
> Applications are either installed under /usr/local (available
> everywhere) or under /opt (available only on certain compute nodes).
> 
> *Here's the actual question.*
> 
> We would like to create accounts for restricted users, primarily for
> data sharing purposes. These users would have access to the filesystem
> as appropriate, but would not be allowed to run the applications living
> under /opt and /usr/local.
> 
> A solution we have knocked around is to create a separate "non-compute"
> node for these users, and that node would not NFS-mount /usr/local. The
> users' login shell on the login node would be changed to a script that
> would log them into the "restricted users node," and when they log out
> from that node, they would be logged out of the login node as well.
> 
> Suggestions? Better ideas? Pointers to RTFM? Thanks.
> 
> Cheers,
>  Pann
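The group-membership scheme Ken describes, as an added example that is not part of the thread: the first two functions spell out the traditional Unix owner/group/other rule that makes a 750 directory owned by root.kryptonian reachable only by kryptonian members, and `audit_tree` is the one-time check that nothing under an application tree still carries "other" bits. The directory names and the use of the caller's own gid as the project gid are constructed stand-ins.

```python
import os
import stat
import tempfile

def unix_class_perms(mode, file_uid, file_gid, uid, groups):
    """Traditional Unix check: exactly one class applies (owner, else group,
    else other) and the classes are not additive. Returns that class's rwx bits."""
    if uid == file_uid:
        return (mode >> 6) & 7
    if file_gid in groups:
        return (mode >> 3) & 7
    return mode & 7

def can_traverse(mode, file_uid, file_gid, uid, groups):
    """Can this user execute a program / enter a directory with these bits?"""
    return bool(unix_class_perms(mode, file_uid, file_gid, uid, groups) & 1)

def audit_tree(root, project_gid):
    """Walk root and report anything the group scheme does not protect:
    'other' bits set, or group ownership outside the project group.
    Symlinks are skipped (their own mode bits are not enforced)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o007:
                findings.append((path, "other has %o; want 750 or 770" % (mode & 7)))
            elif st.st_gid != project_gid:
                findings.append((path, "gid %d is not project gid %d" % (st.st_gid, project_gid)))
    return findings

def demo():
    """Constructed sample tree standing in for /opt: one locked-down app, one not.
    Returns the flagged paths relative to the tree root."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o750)
    for sub, mode in (("kryptonian_app", 0o750), ("legacy_app", 0o755)):
        d = os.path.join(root, sub)
        os.mkdir(d)
        open(os.path.join(d, "run.sh"), "w").close()
        os.chmod(os.path.join(d, "run.sh"), mode)
        os.chmod(d, mode)
    project_gid = os.stat(root).st_gid  # stand-in for the project group's gid
    return sorted(os.path.relpath(p, root) for p, _ in audit_tree(root, project_gid))

if __name__ == "__main__":
    print(demo())  # ['legacy_app', 'legacy_app/run.sh']
```

Run against the real /opt and /usr/local trees with the project group's gid (from `getent group`) to find the directories that still need the 750/770 chmod.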
