3

In my lab, a group of people work each at one workstation, and they share a number of drives over NFS. They run shared software residing in one of those NFS drive and they run it on the NFS drives where the data is.

The current set up has all of them using the same user account, let's call it one on all hosts. Lab members log in as joe@myhost to have a desktop with their own customizations, but for any real work on the scientific data, which belongs to one, group users, they must become one.

Note that some per-user customization of the environment is achieved by having one accounts defined host-specific and thus have their home directory local i.e. one@myhost:/home/one (they all are UID 502 and GID 100 for historic reasons). So each user's one account can have specific environment variables set alongside the common PATH pointing at the shared programs.

There is currently a debate going on in the lab where I am suggesting that it is better practice in Unix to have separate accounts for separate users and replicate the current functionality of a single user by using groups.

I have listed the following disadvantages of the single account

  • difficulty managing several software versions,
  • almost meaningless auditing/logging,
  • everybody can delete everybody's else's files and programs,
  • when one member leaves the lab, ideally passwords should be changed

Now, this network is behind a firewall and it is just scientific data that would be meaningless to an intruder and has no economic value. Plus everything is secondary to productivity in a fast-paced scientific lab, including security. Since the data is frequently backed up, the ability to delete data or programs is also not a major concern.

Because the one account approach is very convenient and was established many years ago (2001?), I am having difficulty to convince anybody to go to one account per user. Perhaps I am using the wrong arguments, or perhaps maybe the scenario I just described above is such that the one approach is a practical middle-ground, and I am being inflexible in my reasoning.

In either case, I would appreciate if you can help me find out if I am in the wrong, or if I am right, suggest how I could otherwise argue my case.

Improve this question

1 Answer 1

Reset to default
3

Well, I can think of two counter-points to the idea of separate accounts.

One, there is one big flaw with with classic unix groups vs. a common shared tree of files, and that is that each user and each script they run needs to have a umask that keep files and directories group-writable, and you need to apply the group-sticky bit to all directories. In practice, this is hard, because so many scripts specify a restrictive umask, and because if you rsync -a or cp -a or tar -x files from a directory you own into the common tree its easy to forget to add the group-sticky bit and change the group to the shared one. What you end up with is a sub-tree of files owned by Joe and Joe is on vacation or out to lunch and someone needs to modify those files and you have to go find the sysadmin to fix it. IMHO the Unix permissions design is simple and efficient but not terribly practical in the real world.

Two, if this common tree of files contains binaries, and everyone has added these paths to their $PATH, then you have no security at all. Any one of your users could hijack the whole group, so they'd better all really trust eachother. Also, you're using NFS, so if the users can take over root on their workstations, they can access the central files as any user they like.

As to the idea of revoking user accounts, you get that by removing them from the local workstation, which is where the password for one was stored anyway (right?) because with NFS, the file server has no clue what password they typed, only that their workstation's kernel said "Hi, I'm UID 502, do these things on my behalf".

So, before pushing the issue in your organization, you should think about whether you can actually accomplish what you want.

If you want the program versions to be less chaotic, maybe have users ask for you to install them, owned by an administrator. Security is better when an administrator is in control of everything in $PATH.

If you want separate accounts so that you can see who is changing files, you might have to go as far as writing a daemon to monitor the shared tree with INotify (I suggest writing it in Perl) and force the g+rwx bits after each 'open' event, and set the UID after each 'write' event.

Hope that helps...

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.