Linux: How to optimally configure data partition on multi user system (including LDAP users)?
Solution 1:
You can use pam_group to add users to the users group on demand (dynamically). (Although it's outside the scope of your question, if you were to couple this with pam_mkhome to create new users' home directories you could have the system almost self-managing.)
The PAM subsystem (Pluggable Authentication Modules) is responsible for authentication and authorisation. It's wonderfully extensible (and consequently somewhat complex), even to the point of being able to run a shell script to validate someone's login. In this situation we are simply going to add the user group users to every login session.
You haven't specified which Linux distribution you're using, so I'm going to give a worked example for Debian. I assume you'll be able to map this to your scenario.
- Open a root shell and leave it open until you know this works. Breaking PAM can prevent anyone or anything logging in, or even running su/sudo. You may need this root shell to back out a broken change.
- Configure pam_group by adding this rule to /etc/security/group.conf:
  # All services, all ttys, all users, any time
  *; *; *; Al; users
- Configure the PAM "auth" stack to use pam_group. Edit the file /etc/pam.d/common-auth and add this line at the end of the file. On Debian I added it after the block for pam-auth-update:
  auth optional pam_group.so
- Test a login (local or LDAP), and check that id shows you have users in your group list. If you do not, then look at the end of /var/log/auth.log to see what error message was reported from PAM.
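A pre-flight check for the two edits in this answer, added here as an example (it is not part of the answer and assumes GNU grep/awk and the five-field group.conf layout, services; ttys; users; times; groups, documented for pam_group; it does not handle backslash line continuations). It runs against constructed copies of both files, so it can be tried before the live /etc/security/group.conf and /etc/pam.d/common-auth are touched; pass those paths instead to check a real system:

```shell
#!/bin/sh
# Added example, not from the original answer: sanity-check the pam_group rule
# and the common-auth line before relying on them for logins.

# pam_group rule lines have five ';'-separated fields:
# services; ttys; users; times; groups.
# Return 0 if every non-comment, non-blank line in FILE has exactly five
# fields, 1 otherwise.
check_group_conf() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk -F';' '{ if (NF != 5) { bad = 1 } } END { exit bad + 0 }'
}

# Return 0 if FILE has an uncommented "auth" line that loads pam_group.so.
check_common_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_group\.so' "$1"
}

# --- constructed sample files standing in for the real ones ---
tmp="$(mktemp -d)"
cat > "$tmp/group.conf" <<'EOF'
# All services, all ttys, all users, any time
*; *; *; Al; users
EOF
cat > "$tmp/common-auth" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_group.so
EOF

check_group_conf "$tmp/group.conf" && echo "group.conf: rule syntax OK"
check_common_auth "$tmp/common-auth" && echo "common-auth: pam_group.so is loaded"
```

Run it as `sh check_pam_group.sh` (hypothetical file name) before logging out of the root shell the answer tells you to keep open; a rule with the wrong number of fields is the most common reason the group silently fails to appear in `id`.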
Solution 2:
Since you do not want to use groups, the only option with regular Linux file permissions is to make it writable by others (all users):
chown root:root /media/data
chmod u=rwx,g=rwx,o=rwxt /media/data
This applies the same permissions as for the /tmp directory and satisfies 1) and 2). 3) is up to the users, but is satisfied with an umask set to 022, which is the default on most Linux distros.
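The permission scheme in this answer worked through as an added example (it is not the answer's own commands and assumes GNU stat on Linux): it applies the /tmp-style mode to a scratch directory, reads the mode back as 1777, where the leading 1 is the sticky bit that stops users deleting or renaming each other's files in a world-writable directory, and shows that a file created under umask 022 comes out 644, readable by everyone but writable only by its owner. The chown runs only when the script is root, so the example can be tried unprivileged:

```shell
#!/bin/sh
# Added example, not from the original answer: build a directory with the
# permissions from Solution 2 and check what users actually get.

# Apply the world-writable + sticky mode to DIR (chown only as root, so the
# example also runs unprivileged).
setup_shared_dir() {
    dir="$1"
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dir"
    fi
    chmod u=rwx,g=rwx,o=rwxt "$dir"
}

# Print the octal mode of PATH (GNU stat); 1777 is rwxrwxrwt.
mode_of() {
    stat -c '%a' "$1"
}

# Create a file in DIR with umask 022 and print its mode; expect 644.
umask_demo() {
    dir="$1"
    ( umask 022 && : > "$dir/demo.txt" )
    mode_of "$dir/demo.txt"
}

scratch="$(mktemp -d)"
setup_shared_dir "$scratch/data"
echo "directory mode: $(mode_of "$scratch/data")"    # 1777
echo "file mode:      $(umask_demo "$scratch/data")"  # 644
```

Because the directory is world-readable and umask 022 leaves new files world-readable too, any user can read what others put there; a user who needs privacy inside such a directory has to tighten the mode of their own files, which is exactly the "up to the users" part of point 3).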