[Lias] pam_mkhonedir.so winbind WORKAROUND!
Craig Ringer
craig at postnewspapers.com.au
Wed Nov 12 12:03:02 UTC 2003
> Seems .gnome-desktop is the problem! If I place the files in the root of /etc/skel
> they get copied properly into each user's directory. This is an acceptable and
> possibly better solution as it will not clutter the desktop with unused icons.
Cool. That's what I was trying to ask you earlier :-(
> What chmod/chown should I change them so that the users can execute them but only
> root can modify or delete?
I think ownership of all files in /etc/skel is transferred to the user
on account creation. As such, even if you set the permissions to 0100
(execute by user; nothing else) the user could just 'chmod 755 $FILE'
and then remove it. Yeah, just tested by creating a non-root-owned file
(owned by user 'nobody') and the ownership was still transferred to the
new user.
Unfortunately, I didn't see any option in the pam_mkhomedir
documentation to run a script after skel has been copied. I'm not sure
what the best way to go about solving this would be, as you do _not_
want to have to do anything manually.
Frankly, I don't see a good solution to this. If your homedirs are owned
by a specific real user, you might be best off just letting them mess it
up - they can just 'cp -r /etc/skel /home/$USER' to fix things, or 'rm
-rf /home/$USER' and log back in. If the dirs are per-machine, i.e. a user
at 'computer1' logs in as 'computer1' with some password, perhaps nuking
them at logout might be useful for other reasons too? I'm just
suggesting a few possibilities; I can't know whether they're suitable
for your environment as I don't have much information about it.
Another alternative would be to extend pam_mkhomedir to support the
execution of a script after skel has been copied.
By the way, if you're talking about a GNOME/KDE 'desktop' file, then it
may actually need to be readable rather than executable by the user.
Many of them are just files that tell the desktop the real thing to run.
I don't know if the desktop environment will require it to be flagged
executable as well, but generally only things you can execute by running
them directly from a shell as './$FILENAME' need to be flagged
executable. Sorry if I'm telling you what you already know; it seemed
best to mention it just in case.
Craig Ringer
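
The ownership point made in the message above, as an added example that is not part of the original post: a file copied from skel ends up owned by the user, so mode 0100 does not stop that user from changing or deleting it. The temp directory and the file name `launcher.sh` are constructed stand-ins for /home/$USER and a skel file, and both helper functions are hypothetical names.

```shell
#!/bin/sh
# Added example. Constructed paths under a temp dir stand in for
# /home/$USER after the skel copy; nothing here touches a real home.

# Numeric owner of a path, read from POSIX 'ls -n' output.
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Returns 0 if uid $2 can ultimately modify or delete file $1:
# owning the file permits chmod, owning the parent directory permits
# unlink. Simplification (assumption): group/other write bits, the
# sticky bit, ACLs and immutable flags are not considered.
user_can_tamper() {
    file=$1
    uid=$2
    [ "$(owner_uid "$file")" = "$uid" ] && return 0
    [ "$(owner_uid "$(dirname "$file")")" = "$uid" ] && return 0
    return 1
}

# Mimic the result of the skel copy: the file is owned by the invoking
# user and set to 0100. Returns 0 if the owner could still chmod it
# back and delete it, i.e. the mode bits alone protected nothing.
demo_locked_file() {
    home=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho hello\n' > "$home/launcher.sh"
    chmod 0100 "$home/launcher.sh"
    chmod 755 "$home/launcher.sh" && rm -f "$home/launcher.sh"
    if [ -e "$home/launcher.sh" ]; then rc=1; else rc=0; fi
    rm -rf "$home"
    return $rc
}
```

`user_can_tamper FILE UID` can be run over a freshly created home directory to list which skel-derived files the account owner controls.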