Thanks to all who replied, as follows:
dpb0 Superuser <root@COM.tfs>
yih (Benny Yih) <yih%atom.cs@edu.utah.cs>
"Craig Carpenter (E-Mail ccarpent@dw3f.ess.harris.com)"
evan@com.fsg (Evan L. Marcus [Fusion Systems Group, Ltd.])
Mike Raffety <miker@com.sbcoc>
zeke@EDU.UCSD.mpl (Rob Scott)
aadne@no.tss (Aadne Hestenes Spt)
kjv@fi.tampella (Vääränen Kari)
(Apologies for JANET-ised addresses in the above)
Nearly all replied to the effect that I should use one or more of netgroups,
automounter, secure NFS, AMD. This suggests to me that I was too cryptic in
the expression of the original question. I omitted to spell out that we have no
control of many of the hosts on our LAN, so we can't assume the use of specific
software or procedures on the clients. More important, we cannot formally
guarantee security at the clients.
Hence the suggestion that we let the users decide where their individual home
dirs. should appear.
None of the respondents exported home dirs. individually. Most respondents
had some form of institutional structure which determines grouping of both
home directories and hosts. Most suggested mapping "departments" onto
netgroups. Some replies implied the existence of some bureaucratic mechanism
for devolving responsibility for security within the institutional structure.
This is a step we are pursuing in the longer term.
Meantime we will probably construct netgroups for departments, and export a
home directory partition only to the departments with membership contained in
that partition. This will reduce much of the present unnecessary exposure of
home directories.
The original question:
This is a problem relating to the export of home directories from our servers.
We have a number of partitions containing home directories, grouped by
departments. Up to now we've exported these partitions (-rw) everywhere on our
LAN. People are getting nervous and say we should be more careful. The really
cautious say we should allow users to elect the hosts to which we will export
individual home directories, removing exposure of home directories on hosts
where they're not required. We have about 2700 users with home directories
spread over three servers, and 200 hosts in the local area. I don't much fancy
having users mail me their requests for changes in the exports files. Has
anyone implemented such a scheme, and is there any software to simplify the
maintenance of the exports files? e.g. an suid/sgid program? Or is this just a
daft thing to try and do? People do flit from place to place, so there is some
need to distribute home directories outwith the owners' departments.
-------------------------------------------------------------------------
Gordon Robertson, Head of Systems, Aberdeen University Computing Centre
Tel 0224 273340
E-Mail on JANET : g.robertson@uk.ac.aberdeen
--------------------------------------------------------------------------
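
The per-department netgroup scheme described in the summary, as an added example that is not part of the original post: a small generator for the netgroup and exports entries, assuming SunOS 4 style exports(5) syntax (-access=netgroup:netgroup). All department, host and partition names are constructed, and the function names are hypothetical.

```python
# Added example: build netgroup and exports entries from two tables.
# Department, host and partition names are constructed sample data.
DEPT_HOSTS = {
    "physics": ["phys1", "phys2"],
    "chem": ["chem1"],
    "maths": ["math1", "math2"],
}
PARTITION_DEPTS = {
    "/export/home1": ["physics", "chem"],
    "/export/home2": ["maths"],
}

def netgroup_lines(dept_hosts):
    """One netgroup per department; members are (host,user,domain) triples."""
    lines = []
    for dept, hosts in sorted(dept_hosts.items()):
        if not hosts:
            raise ValueError(f"netgroup {dept} has no hosts")
        members = " ".join(f"({h},,)" for h in sorted(hosts))
        lines.append(f"{dept} {members}")
    return lines

def exports_lines(partition_depts, dept_hosts):
    """Export each partition only to the netgroups of departments housed on it."""
    lines = []
    for part, depts in sorted(partition_depts.items()):
        unknown = [d for d in depts if d not in dept_hosts]
        if unknown:
            raise ValueError(f"{part}: no netgroup for {unknown}")
        if not depts:
            # An entry with no access list is exported to every host,
            # which is the exposure this scheme is meant to remove.
            raise ValueError(f"{part}: empty access list would export to all")
        lines.append(f"{part} -access={':'.join(sorted(depts))}")
    return lines

def exposure(partition_depts, dept_hosts):
    """Hosts able to mount each partition, for review before installing."""
    return {p: sorted({h for d in ds for h in dept_hosts[d]})
            for p, ds in partition_depts.items()}

if __name__ == "__main__":
    print("\n".join(netgroup_lines(DEPT_HOSTS)))
    print("\n".join(exports_lines(PARTITION_DEPTS, DEPT_HOSTS)))
```

The exposure() table gives the hosts that would be able to mount each partition, which can be compared against the current export-everywhere list before the generated files are installed.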