
Our lab consists of multiple desktop machines and a data node, all running Ubuntu Linux. The desktop machines mount /home from the data node. Files and users in /home are managed using UIDs and GIDs stored in the data machine's /etc/passwd, /etc/group, and /etc/shadow. If I want to add a user or a group, I have to edit the data machine's passwd/group/shadow files and copy the specific lines around to all the desktop machines' passwd/group/shadow files.

Is there a way to make Linux use multiple passwd/group/shadow files? We want the desktop machines to have their own passwd/group/shadow and then include passwd/group/shadow from the data machine as an addition to their own.

Also, is there a way to give users sudo access but not allow them to modify passwd/group/shadow to give them access to files and groups? We want them to do administrative tasks (install software, set up network/printers etc.) but we also want to tightly control who has access to specific data.

May Oakes
  • Quick answers. For the multiple /etc/passwd etc., you want to look into LDAP, although there are other options. For limiting sudo access, you can limit the commands they can run. But if you allow them to install software, they could also install software that changes the files you don't want changed. – becomingwisest Feb 02 '12 at 19:59
  • NIS may be fine for a smallish group of computers. While not as great for large groups of computers as LDAP, it works great for a single lab and is much easier to set up. – Lamar B Feb 02 '12 at 20:37

2 Answers


While I don't know of a way to make Linux merge multiple passwd files, I'd like to point out that your setup is a typical use case for centralized user management using LDAP. Unfortunately, while configuring Ubuntu clients for LDAP authentication has become rather easy, setting up the OpenLDAP server is a bit annoying and I find the administrative software in the repositories lacking.

A pragmatic suggestion: Internally, define a range of UIDs for shared use across your lab, and just write a small startup script for the clients that syncs part of the passwd/shadow/groups files with your "central user database" on the server (which, in this case, could be implemented by simple text files).

Regarding the sudo part of your question: /etc/sudoers can hold information about which commands the individual sudoers may run with elevated privileges. However, it will be hard to find a bullet-proof way of locking your users out while still allowing them to use any editor at all. Quoted from the sudoers manpage:

An exclamation point ('!') can be used as a logical not operator both in an alias and in front of a Cmnd. This allows one to exclude certain values. Note, however, that using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended.

If you can enumerate what tasks your users may run without having to add "and use a text editor to change settings files", I don't see a reliable way to do it.

jstarek
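The "sync a shared UID range from the central user database" idea above, as an added example that is not code from the answer or from any project. It assumes the data node exposes read-only copies of its passwd/group/shadow files (constructed paths such as /data/sync/passwd below) and that the lab has agreed on one shared id range; ids inside [MIN,MAX] are owned by the central copy, everything else stays local.

```shell
#!/bin/sh
# Added example, not code from the answer: merge one agreed UID/GID range from
# the data node's copies of passwd/group/shadow into a client's own files.
# Ids inside [MIN,MAX] come only from the central copy; ids outside it stay
# local. All paths and ids are constructed for the example.

# merge_ids LOCAL CENTRAL MIN MAX   -- for passwd and group (numeric id is field 3)
merge_ids() {
    awk -F: -v min="$3" -v max="$4" -v central="$2" '
        FILENAME == central {                 # central file: keep only the shared range
            if ($3+0 >= min && $3+0 <= max) keep[++n] = $0
            next
        }
        $3+0 >= min && $3+0 <= max {          # local entry squatting on the shared range
            printf "warning: dropping local entry %s (id %s)\n", $1, $3 > "/dev/stderr"
            next
        }
        { print }                             # local entry outside the range: keep as-is
        END { for (i = 1; i <= n; i++) print keep[i] }
    ' "$2" "$1"
}

# merge_shadow LOCAL CENTRAL MERGED_PASSWD MIN MAX
# shadow carries no numeric id, so membership in the shared range is decided
# per user name from the passwd file produced by merge_ids.
merge_shadow() {
    awk -F: -v min="$4" -v max="$5" -v pw="$3" -v central="$2" '
        FILENAME == pw {                      # learn which names exist and which are shared
            inpw[$1] = 1
            if ($3+0 >= min && $3+0 <= max) shared[$1] = 1
            next
        }
        FILENAME == central { if ($1 in shared) keep[++n] = $0; next }
        ($1 in inpw) && !($1 in shared)       # local line for a user still defined locally
        END { for (i = 1; i <= n; i++) print keep[i] }
    ' "$3" "$2" "$1"
}

# Typical client startup use (constructed paths): write to temp files first and
# install them atomically so a half-written passwd never goes live.
#   merge_ids    /etc/passwd /data/sync/passwd 5000 5999 > /etc/passwd.new
#   merge_ids    /etc/group  /data/sync/group  5000 5999 > /etc/group.new
#   merge_shadow /etc/shadow /data/sync/shadow /etc/passwd.new 5000 5999 > /etc/shadow.new
#   chmod 0640 /etc/shadow.new && mv /etc/passwd.new /etc/passwd && mv /etc/group.new /etc/group && mv /etc/shadow.new /etc/shadow
```

The central copies must come from a location that unprivileged lab users cannot write to, since whatever is in them lands in the client's account database; the stderr warning flags local accounts that collide with the shared range so they can be renumbered rather than silently dropped.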

You could look at NIS (formerly called YP).

Or you could have a central system and do a periodic rdist of the passwd/group/shadow files between all your systems. That process would avoid all the typing and retouching of systems and keep these files consistent should some priv'd user do something to them.

As for the sudo issue, I think that trust, verification, auditing and education for the users who have this priv go a long way toward preventing problems here. Make sure your users understand the responsibilities being given and have this backed up by your management to take action if there is a problem. Problematically, it is nearly impossible to avoid a leak into some type of editor or programs (either distributed or generated).

mdpc