Linux: How to optimally configure data partition on multi user system (including LDAP users)?

Solution 1:

You can use pam_group to add users to the users group on demand (dynamically). (Although it's outside the scope of your question, if you were to couple this with pam_mkhome to create new users' home directories you could have the system almost self-managing.)

The PAM subsystem (Pluggable Authentication Modules) is responsible for authentication and authorisation. It's wonderfully extensible (and consequently somewhat complex) even to the point of being able to run a shell script to validate someone's login. In this situation we are simply going to add the user group users to every login session.

You haven't specified which Linux distribution you're using, so I'm going to give a worked example for Debian. I assume you'll be able to map this to your scenario.

  1. Open a root shell and leave it open until you know this works.

    Breaking PAM can prevent anyone or anything logging in or even running su/sudo. You may need this root shell to back out a broken change.

  2. Configure pam_group by adding this rule to /etc/security/group.conf

    # All services, all ttys, all users, any time
    *; *; *; Al; users
    
  3. Configure the PAM "auth" stack to use pam_group. Edit the file /etc/pam.d/common-auth and add this line at the end of the file. On Debian I added it after the block for pam-auth-update.

    auth  optional  pam_group.so
    
  4. Test a login (local or LDAP), and check that id shows you have users in your group list.

    If you do not, then look at the end of /var/log/auth.log to see what error message was reported from PAM.
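As an added example (not part of the answer above), here is a small POSIX sh pre-flight script that checks the three things steps 2 to 4 rely on: an active group.conf rule, the pam_group.so line in the auth stack, and whether the current session already carries the group. It assumes the Debian paths used in the answer; the group name and paths are arguments so it can be pointed at other files.

```shell
#!/bin/sh
# Added example, not part of the answer above: pre-flight checks for the
# pam_group setup. Run from the root shell kept open in step 1, before and
# after editing, so a typo is caught before it affects logins. Paths default
# to the Debian locations used in the answer; pass others as arguments.

# Does group.conf hold an active (uncommented) rule granting GROUP?
# Rule fields: services; ttys; users; times; groups
group_conf_grants() {
    conf="$1"; group="$2"
    awk -F';' -v want="$group" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF == 5 {
            gsub(/[[:space:]]/, "", $5)
            n = split($5, g, ",")
            for (i = 1; i <= n; i++) if (g[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Is pam_group.so referenced by an auth line (any control field) in FILE?
pam_auth_uses_group() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_group\.so' "$1"
}

# Does the current session carry GROUP? (what step 4 checks with id)
session_has_group() {
    id -nG | tr ' ' '\n' | grep -qx "$1"
}

# Summarise all three; returns non-zero if the config is incomplete.
check_pam_group_setup() {
    group="${1:-users}"
    conf="${2:-/etc/security/group.conf}"
    pamfile="${3:-/etc/pam.d/common-auth}"
    rc=0
    if group_conf_grants "$conf" "$group"; then echo "ok:   $conf grants $group"
    else echo "FAIL: $conf has no active rule granting $group"; rc=1; fi
    if pam_auth_uses_group "$pamfile"; then echo "ok:   $pamfile loads pam_group.so"
    else echo "FAIL: $pamfile does not load pam_group.so"; rc=1; fi
    if session_has_group "$group"; then echo "ok:   this session has $group"
    else echo "note: this session lacks $group (expected until you log in again)"; fi
    return "$rc"
}
```

Source the file and run `check_pam_group_setup users` once before editing (expect two FAIL lines) and again after; the final "note" line only turns to "ok" in a session opened after the change.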

Solution 2:

Since you do not want to use groups, the only option with regular Linux file permissions is to make it writable by others (all users):

    chown root:root /media/data
    chmod u=rwx,g=rwx,o=rwxt /media/data

This applies the same permissions as for the /tmp directory and satisfies 1) and 2).

3) is up to the users, but satisfied with an umask set to 022, which is the default on most Linux distros.