On Thu, 2006-08-31 at 13:41 -0500, James Dickens wrote: > On 8/31/06, phcolaris <[EMAIL PROTECTED]> wrote: > > hi folk, > > > > I'm looking for a way how to keep users in their home directories - so > > that SGD/Ray users can't go and see other users and the root file > > system, simply not leave their /home/~ directory > > I've been playing around with few options (eg SUDO,containers or jail), > > but that isn't the right answer. > > > The only way I see that this could be done that is pseudo painless > other than directory permissions is have each user dumped into there > own Zone on a remote box, when they logged in, while they would have > access to other filesystems, it would only be a default install, no > other users files would be accessible. No changes could be made even > if they some how gained root because most of the files would be > readonly. Since the operating system is now free and opensource, they > would have complete access to this information anyway, they could just > install there own copy and or view the source at cvs.opensolaris.org. > To add an extra layer of protection you could start out with an > extremely minimal install of solaris on the machine with the zones on > it, then add only the applications the user would need to do his work. > No other applications or user information would be availible to them. > > The other option is trusted Solaris 8 or trusted extensions to Solaris > express, I've never used either product but they are some of the most > secure OSes availible so it may be a possiblity of course there > security features may preclude it from being used with sunray clients, > i'm not sure. > > > James Dickens > uadmin.blogspot.com
thanks James, I've been obviously considering zones/containers, but it would be unmanageable with 100< users and require unnecessary resources. I'm sure there is another, more elegant solution. Some companies has got installations of SGD/Ray for thousands of customers/employees so they would definitely have some nice user management in place which also would take care of this aspect. thank you -philip _______________________________________________ SGD-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sgd-users
