[306] in athena10
Re: chmod 777 AFS homedirs; nuking local account
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 7 23:58:55 2008
From: Greg Hudson <ghudson@MIT.EDU>
To: Jonathan Reed <jdreed@mit.edu>
Cc: athena10@mit.edu
In-Reply-To: <7CA61286-A963-4BF9-A21C-6EFCF9F933E0@mit.edu>
Content-Type: text/plain
Date: Mon, 07 Jul 2008 23:58:10 -0400
Message-Id: <1215489490.18347.230.camel@error-messages.mit.edu>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
On Mon, 2008-07-07 at 15:46 -0400, Jonathan Reed wrote:
> "User's .dmrc file is being ignored. [...]"
> What can we do about this? Warn the user? Fix everyone's homedir
> for them?

I get this too. I hadn't tracked it down to the 777 mode. I'm guessing
it's mostly old cruft like us who have that mode. We can add an
xsession script which checks the homedir mode and pops up a dialog
telling people to "chmod 755 $HOME", I guess.

I ran a quick scan; about 10% of accounts are affected.

> - Prior to athenization, my workstation had one local account, jdreed,
> which was also an "admin" account (for the purposes of running sudo,
> etc).

This is kind of an irritating situation; in the past I've either renamed
the account (which is very fiddly) or, in later installs, named my local
account "lghudson".

The simplest approach to this problem is just to document the pitfalls
of renaming or removing the local account, the first and foremost being
"don't lock yourself out of root." Setting a root password is the
safest way to avoid that. We can also document that people should pick
a different name for the initial local account from their Athena name,
but we probably won't get to most users in time for that advice to be
useful.

The less simple approach is to write a script. I'm not sanguine about
that since there are a bazillion edge cases and variations on what the
user might want to do, but it's an option.

debathena-shell-config produces binary packages debathena-bash-config
and debathena-tcsh-config. They're in the Athena 10 repository and
likely installed on your machine, but all they really do is give you
access to locker software from your local account. You won't be using
your Athena homedir and you won't get X session integration (zwgc,
get_message, etc.). You will, of course, get better performance since
AFS homedirs are kind of a drag.

> And what if the user wants to retain sudo privileges?

Through the magic of PAM, you can sudo with your Kerberos password, as
long as your Athena account is a member of the "admin" group. I just
tested it (make sure to log out and back in after adding yourself to the
admin group if you're running a test yourself; group membership is fixed
at login time). That also lets you use GUI elements which require root
such as the software update tool.