[1343] in athena10
Re: the debathena-managed metapackage
daemon@ATHENA.MIT.EDU (Jonathan Reed)
Fri Mar 6 19:50:29 2009
Cc: Greg Price <price@mit.edu>, Tim Abbott <tabbott@mit.edu>,
debathena@mit.edu
Message-Id: <36BE5734-9AA0-43EB-A886-49F34386B35F@mit.edu>
From: Jonathan Reed <jdreed@MIT.EDU>
To: Evan Broder <broder@mit.edu>
In-Reply-To: <49B1A940.3020800@mit.edu>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Fri, 6 Mar 2009 19:44:27 -0500
On Mar 6, 2009, at 5:52 PM, Evan Broder wrote:
>>> To put a bit more flesh here, the package description lists
>>>
>>> 1. configuring the screensaver to allow logouts after a certain time
>>> period
>>> 2. disabling user switching
>>> 3. disabling console logins
>>> 4. disabling sshd
>>> 5. disabling the halt/reboot/suspend commands in gdm and at logout
>>> 6. setting the root password
>
> It seems like there's some strong disagreement about #1, #3, and #4. The
> traditional Debathena way to deal with this would be to make each of
> them their own package so that people could install and uninstall them
> at will, but I'm really not a fan of that in this case.
I withdraw my previous comment about #1. All athena 9 machines offer
the logout option, and per-user customization to disable it. Since a
gconf key controls whether the logout option appears or not, perhaps
we can do something clever like force the logout option on -cluster,
and obey the user's gconf key (if set) on -workstation.
Was there disagreement about #3? I missed it. I said I was on the
fence, so don't take my comment as disagreement. As for #4, do we
disable sshd or do we _prohibit_ enabling sshd? These are two
different things. If we prevent it from being enabled (i.e., if you
enable it, it'll get disabled upon reboot), that's one thing. If
we're just disabling it by default, that's another. Chroot issues
aside, it sounds like we create /etc/sshd_not_to_be_run, and then
users can nuke it if they want (which is fundamentally equivalent to
setting SSHD=true in rc.conf on athena 9).

I suspect details about #3 and #4 are confusing, so here it is
functionality-wise:
- Both -workstation and -cluster install with SSHD disabled and
console logins disabled. Users who want sshd on -workstation can
remove /etc/sshd_not_to_be_run and it won't get put back. Users can
also enable console logins by doing $foo, and have that setting not be
clobbered on reboot/update.
> I wonder if this is a scenario where we want to bring back an Athena-
> specific config file.
I don't think we want to go down that road again.
-Jon
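
The difference between "disabled by default" and "prohibited" that the message draws for #4, as an added shell sketch that is not part of the original thread or of Debathena's packaging. The flag path is the one written in the message, placed under a scratch `ROOT`; the stamp file and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not Debathena code. ROOT is a scratch directory so
# nothing under the real /etc is touched. STAMP is a hypothetical marker.
ROOT="${ROOT:-$(mktemp -d)}"
FLAG="$ROOT/etc/sshd_not_to_be_run"     # path as written in the message
STAMP="$ROOT/var/lib/example-managed/sshd-default-applied"

# Policy A: disable by default. The flag is created once, at first install.
# If the admin later removes it, later runs leave it removed.
disable_by_default() {
    mkdir -p "$(dirname "$FLAG")" "$(dirname "$STAMP")"
    if [ ! -e "$STAMP" ]; then
        : > "$FLAG"
        : > "$STAMP"
    fi
}

# Policy B: prohibit. Every run (boot or update) recreates the flag, so an
# admin's removal does not survive.
prohibit() {
    mkdir -p "$(dirname "$FLAG")"
    : > "$FLAG"
}

# Decision an init script that honours the flag would make.
sshd_would_start() {
    [ ! -e "$FLAG" ]
}

# Install, admin opts in by removing the flag, then a reboot/update re-runs
# the policy. Prints the resulting sshd state: "enabled" or "disabled".
simulate() {
    policy="$1"
    rm -f "$FLAG" "$STAMP"
    "$policy"          # initial install
    rm -f "$FLAG"      # admin opt-in
    "$policy"          # reboot/update
    if sshd_would_start; then echo enabled; else echo disabled; fi
}
```

Under policy A the only persistent state is the stamp, which is what lets the admin's removal of the flag "not get put back"; auditing for policy B means checking for anything that rewrites the flag at boot or on package update.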