Debian devices and NIS user accounts

27/04/2007, 14h20

Hi all,

I'm in the process of remaping UIDs/GIDs from our old Solaris-based
system (where [UG]IDs started at 100) to Linux (where [UG]IDs start at
1000), and a thought occurred to me. I have to add each user to the
cdrom, video, audio, etc. group in order for them to be able to be able
to use these devices. But these groups all have GIDs below 1000. I
really don't want to have to go to each machine and physically edit the
/etc/group file every time I add/remove an account, so it seems to me
that the thing to do is to modify NIS so that it exports device GIDs
(100 and up) -- but will that screw things up or open me up to a
security risk? I don't see how that would, but you never know. So
before I go and muck about with the system, I thought I would ask: What
the Debian way of doing this?

Thanks all,

Michael

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 14h50

On Fri, Apr 27, 2007 at 09:17:51AM -0400, Michael S. Peek wrote:

> I have to add each user to the cdrom, video, audio, etc. group in
> order for them to be able to be able to use these devices.

> So before I go and muck about with the system, I thought I would ask: What
> the Debian way of doing this?

The simple way would be to use PAM, as described here:

http://www.debian-administration.org/articles/308

Add pm_group to your list of loaded modules, then configure
/etc/security/group.conf to include something like:

gdm; *; *; Al0000-2400; audio, video, cdrom, floppy
kdm; *; *; Al0000-2400; audio, video, cdrom, floppy
ssh; *; *; Al0000-2400; audio, video, cdrom, floppy

Now when a user logs in they will be added to the named groups
dynamically.

Steve
--
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 15h30

On Fri, Apr 27, 2007 at 09:17:51AM -0400, Michael S. Peek wrote:
>
> I'm in the process of remaping UIDs/GIDs from our old Solaris-based
> system (where [UG]IDs started at 100) to Linux (where [UG]IDs start at
> 1000), and a thought occurred to me. I have to add each user to the
> cdrom, video, audio, etc. group in order for them to be able to be able
> to use these devices. But these groups all have GIDs below 1000. I
> really don't want to have to go to each machine and physically edit the
> /etc/group file every time I add/remove an account, so it seems to me
> that the thing to do is to modify NIS so that it exports device GIDs
> (100 and up) -- but will that screw things up or open me up to a
> security risk? I don't see how that would, but you never know. So
> before I go and muck about with the system, I thought I would ask: What
> the Debian way of doing this?

You should probably read the debian policy manual. You may end up with
a conflict if you assign a regular user to a UID below 1000. It may be
better to write a short script that reads the solaris password database
(or a file you create from it) and passes that information to useradd to
create the new users.

Doug.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 15h50

Douglas Allan Tutty wrote:
> You may end up with a conflict if you assign a regular user to a UID below 1000.
>

Yeah, that's what I've run into. The first time my boss sat down at a
Linux box to log in he had problems. A little detective work and I
discovered that his (Solaris) UID conflicted with the (Linux)
haldaemon. So since we're migrating away from Solaris I'm taking the
time now to remap all the U/GIDs < 1000 to something Linux-safe.

Michael

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 16h10

Steve Kemp wrote:
> The simple way would be to use PAM, as described here:
>
> http://www.debian-administration.org/articles/308
>
>

Frickin' awsome!

That, my friend, was /exactly/ what I needed.

Thanks!

Michael

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 16h10

On Fri, Apr 27, 2007 at 11:00:28AM -0400, Michael S. Peek wrote:

> That, my friend, was /exactly/ what I needed.

No worries. You might want to look at using pam_mkhomedir too.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 14h20	#1
Michael S. Peek Messages: n/a Hébergeur:	Debian devices and NIS user accounts Hi all, I'm in the process of remaping UIDs/GIDs from our old Solaris-based system (where [UG]IDs started at 100) to Linux (where [UG]IDs start at 1000), and a thought occurred to me. I have to add each user to the cdrom, video, audio, etc. group in order for them to be able to be able to use these devices. But these groups all have GIDs below 1000. I really don't want to have to go to each machine and physically edit the /etc/group file every time I add/remove an account, so it seems to me that the thing to do is to modify NIS so that it exports device GIDs (100 and up) -- but will that screw things up or open me up to a security risk? I don't see how that would, but you never know. So before I go and muck about with the system, I thought I would ask: What the Debian way of doing this? Thanks all, Michael -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 14h50	#2
Steve Kemp Messages: n/a Hébergeur:	Re: Debian devices and NIS user accounts On Fri, Apr 27, 2007 at 09:17:51AM -0400, Michael S. Peek wrote: > I have to add each user to the cdrom, video, audio, etc. group in > order for them to be able to be able to use these devices. > So before I go and muck about with the system, I thought I would ask: What > the Debian way of doing this? The simple way would be to use PAM, as described here: http://www.debian-administration.org/articles/308 Add pm_group to your list of loaded modules, then configure /etc/security/group.conf to include something like: gdm; ; ; Al0000-2400; audio, video, cdrom, floppy kdm; ; ; Al0000-2400; audio, video, cdrom, floppy ssh; ; ; Al0000-2400; audio, video, cdrom, floppy Now when a user logs in they will be added to the named groups dynamically. Steve -- # Commercial Debian GNU/Linux Support http://www.linux-administration.org/ -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 15h30	#3
Douglas Allan Tutty Messages: n/a Hébergeur:	Re: Debian devices and NIS user accounts On Fri, Apr 27, 2007 at 09:17:51AM -0400, Michael S. Peek wrote: > > I'm in the process of remaping UIDs/GIDs from our old Solaris-based > system (where [UG]IDs started at 100) to Linux (where [UG]IDs start at > 1000), and a thought occurred to me. I have to add each user to the > cdrom, video, audio, etc. group in order for them to be able to be able > to use these devices. But these groups all have GIDs below 1000. I > really don't want to have to go to each machine and physically edit the > /etc/group file every time I add/remove an account, so it seems to me > that the thing to do is to modify NIS so that it exports device GIDs > (100 and up) -- but will that screw things up or open me up to a > security risk? I don't see how that would, but you never know. So > before I go and muck about with the system, I thought I would ask: What > the Debian way of doing this? You should probably read the debian policy manual. You may end up with a conflict if you assign a regular user to a UID below 1000. It may be better to write a short script that reads the solaris password database (or a file you create from it) and passes that information to useradd to create the new users. Doug. -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 15h50	#4
Michael S. Peek Messages: n/a Hébergeur:	Re: Debian devices and NIS user accounts Douglas Allan Tutty wrote: > You may end up with a conflict if you assign a regular user to a UID below 1000. > Yeah, that's what I've run into. The first time my boss sat down at a Linux box to log in he had problems. A little detective work and I discovered that his (Solaris) UID conflicted with the (Linux) haldaemon. So since we're migrating away from Solaris I'm taking the time now to remap all the U/GIDs < 1000 to something Linux-safe. Michael -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

27/04/2007, 16h10	#5
Michael S. Peek Messages: n/a Hébergeur:	Re: Debian devices and NIS user accounts Steve Kemp wrote: > The simple way would be to use PAM, as described here: > > http://www.debian-administration.org/articles/308 > > Frickin' awsome! That, my friend, was /exactly/ what I needed. Thanks! Michael -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email