On Fri, 19 Aug 2005, Laurent wrote: > Exporting the whole /home directory would put data security at risk > since creating an account with the 'right' uid on a workstation would > grant access to user files.
i assume you're looking for: - only users can see the files they own/create, and cannot see others files ... - if more than one person has "group" permissions, there is no way to prevent them from looking at each others data if its on the same server - never export /home if you're worried ... and export /home/user1 only to user1 and /home/usr2 to user2 > My question is: How to allow any user to use any workstation > (Authentication through LDAP) without putting data security at risk, that implies you have a good security policy that the managers of the ocmpany also believe "security is important and will enforce the rules" including termination or severe punishment or removal of priviledges for violations good policy: - document anything and everything that affects security and data and access to it - apply and test all upgrades before deployment ( proper "testing" distinguishes the me too from the pros ) - backup everything and encrypted someplace else - assume they are peeking at the sensitive data and see if you can find who, what, when, where, how - harden NFS ... disallow root logins, allow only certain ip# to nfs mount directory specific resources ( /home/user ) - run "secure" NFS daemons, including kerberos if needed - endless list of hundreds ( :-) ) of things to do .. - disallow dhcp, disallow wifi, disallow vpn, ... - disallow yahoo, aol, hotmail, gmail, icq, aim, etc ... c ya alvin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]