Solved

Separate Linux home folders from data

Posted on 2006-07-17
Last Modified: 2013-12-16
In Windows, the roaming profile is completely separate from the user's home folder. This allows for super-easy cleanup at the end of each college semester, where I can safely erase all the student profiles but back up & store their home folders. Also, as I update the default profile everyone receives, I know that each new semester when everyone logs in, they'll get a good, clean, updated profile.

Not so in Linux.

We're using Red Hat Enterprise Linux 4 (both server & clients).  By default, the user's home folder IS their profile store.  This makes it very difficult to ever update profiles or archive user data without including a bunch of profile junk.

Aside from creating a special mount point, or forcing students to only store real data in a special place (which I know they won't do), is there a way to separate home folders (~) from the profile store? I'd like ~ to store only data the student actually put there, while the profile (dot files, browser cache, etc.) goes somewhere else that can be wiped after each semester.

I was thinking that there might be some sort of env variable or something that would do the trick.

Thanks,
Matt
Question by:kemis
9 Comments
 
LVL 14

Accepted Solution

by:
DonConsolio earned 350 total points
ID: 17122349
There is no "roaming profile" or "registry" on Linux that you need to take care of :-)

If you want users to only write to a specific directory you could:
- create a directory structure for your data (e.g. /bigdisk/$year/$studentid/) and grant each user "rwx" to their own data dir
- only grant "rx" on /home/$year/$studentid/, populate with .profile, defaults, etc.
- symlink /home/$year/$studentid/data --> /bigdisk/$year/$studentid/
- tell your students you will only back up the datadir
- only back up the datadir :-)
0
 
LVL 39

Assisted Solution

by:noci
noci earned 150 total points
ID: 17122651
The variable you're looking for is named HOME, which defaults to the setting of the home directory from /etc/passwd or the LDAP equivalent.

The trouble is that users might end up in the profile after a blank 'cd' or 'cd ~', as this variable is used to resolve that.

The user profile is mostly stored in hidden files/directories, so a 'rm -rf ~user/.[A-Za-z0-9]*' will most probably remove all profile data.

0
 
LVL 39

Expert Comment

by:noci
ID: 17122700
Storing stuff in a predefined place can be force-fed, by making their login directory read-only, with pre-installed subdirectories per needed product, e.g. make a .kde subdirectory writable to them, and make a data subdirectory writable to them.
As they have no write access to the login / home directory ==> they can't rename anything there.

That should work for the most part.

Please indicate if you have more specific items.
0
 

Author Comment

by:kemis
ID: 17145568
It doesn't sound like there's a way in Linux to do what I was wanting...

So, the home folder is the profile store & there's no way around that aside from creating a special data store & forcing users to save there?

What would happen if the HOME variable was changed at logon?  I want ~ (or a blank cd) to be their data store, but how do most programs resolve where the profile store is?  Don't they just put that info in whatever the HOME variable happens to be?  If so, then changing the HOME variable wouldn't do much good, right?

Thanks so much for the help!

Matt
0
 
LVL 39

Expert Comment

by:noci
ID: 17146495
If you change the HOME variable, the ~ changes with it.
Also, all programs that want to handle "profile" data use $HOME/<profile file-or-dir> to access that file or directory.
Like you suggested, no solution in that direction.

BTW, ~ is resolved only on command lines by the shell and not necessarily in open & close windows etc.
Internally all programs use $HOME.

If you want to separate it you need to lock down the login directory and leave subdirectories open.
The user should not have write access to the home directory (i.e., cannot rename or create new files there).
A mode 555, 550 or 500 for the login directory will do that.
And create a "WORK" subdirectory with 7xx rights in the login directory to work in.
Much modern software "remembers" where it was the last time; as a courtesy you can make it
the default directory after logging on.

0
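The layout that DonConsolio's accepted answer and noci's comment above describe (a read-only login directory holding the dot files, a writable WORK subdirectory, and the real data on a separate disk reached through a symlink), as an added shell example that is not from any of the posters. The function names, the ROOT arguments (so it can be exercised in a scratch directory without root), and the .profile that changes into WORK are assumptions of this example.

```shell
#!/bin/sh
# Build one student's locked-down login directory following the thread's layout:
#   $HOME_ROOT/$year/$studentid        mode 555: dot files live here, nothing can be
#                                      created, renamed or deleted by the student
#   $HOME_ROOT/$year/$studentid/WORK   mode 700: the only writable place inside $HOME
#   $HOME_ROOT/$year/$studentid/data   symlink -> $DATA_ROOT/$year/$studentid (mode 700)
# chown is only attempted when an owner is given, which requires root.

# setup_student_home HOME_ROOT DATA_ROOT YEAR STUDENTID [OWNER]
setup_student_home() {
    home_root=$1; data_root=$2; year=$3; sid=$4; owner=${5:-}
    login_dir="$home_root/$year/$sid"
    data_dir="$data_root/$year/$sid"

    # Re-running on an existing tree: reopen the login dir so it can be repopulated.
    if [ -d "$login_dir" ]; then chmod u+w "$login_dir"; fi
    mkdir -p "$login_dir/WORK" "$data_dir"

    # Skeleton dot file the student receives; it drops them into WORK at login
    # (noci's "default directory after logging on"). Single quotes: no expansion here.
    printf 'cd "$HOME/WORK"\n' > "$login_dir/.profile"

    rm -f "$login_dir/data"
    ln -s "$data_dir" "$login_dir/data"

    if [ -n "$owner" ]; then
        chown -R "$owner" "$login_dir" "$data_dir"
    fi
    chmod 700 "$login_dir/WORK" "$data_dir"
    chmod 555 "$login_dir"      # must be last: the writes above need a writable dir
}

# check_student_home HOME_ROOT DATA_ROOT YEAR STUDENTID
# Returns 0 only if every piece of the layout is in place with the expected mode.
check_student_home() {
    login_dir="$1/$3/$4"; data_dir="$2/$3/$4"
    [ -n "$(find "$login_dir" -prune -perm 555)" ] &&
    [ -n "$(find "$login_dir/WORK" -prune -perm 700)" ] &&
    [ -n "$(find "$data_dir" -prune -perm 700)" ] &&
    [ -L "$login_dir/data" ] && [ "$(readlink "$login_dir/data")" = "$data_dir" ] &&
    [ -f "$login_dir/.profile" ]
}

# Example run in a scratch tree (no root needed, owner omitted):
#   root=$(mktemp -d)
#   setup_student_home "$root/home" "$root/bigdisk" 2006 s12345
#   check_student_home "$root/home" "$root/bigdisk" 2006 s12345 && echo "layout ok"
```

In production the semester cleanup is then `rm -rf /home/$year` while `/bigdisk/$year` is archived, which is the separation the question asks for.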
 
LVL 3

Expert Comment

by:bryanlloydharris
ID: 17164275
What about NIS for home folder, local-comp:/tmp for browser cache and disregard .bash{rc,_login,_profile,_logout} since it's only a few kilobytes anyway?
0
 

Author Comment

by:kemis
ID: 17164645
noci,

Thanks for the extra info regarding $HOME. It helps a lot. If I lock the user out of the $HOME folder, though, then will new programs that try to create new dot folders/files be able to do so?

bryanlloydharris,

There are many other programs, etc., that put dot files/folders into $HOME than just browser cache. My goal would be to separate all (or as much as possible) profile data that would be irrelevant a year from now from the user data that the students would need to browse for future portfolio projects, etc.

At this point, it appears as though forcing the students to only write to a particular folder within $HOME is the best approach in Linux.  I just want to be sure that setting 5xx perms on each user's home folder won't mess up anything else.

Thanks again to all!
Matt
0
 

Author Comment

by:kemis
ID: 17196605
Any more ideas since my last post?

Thanks,
Matt
0
 

Author Comment

by:kemis
ID: 17285173
It appears as though my original goal is somewhat impossible, although the idea of "forcefeeding" a data directory is growing on me.

Thank you for your help!  I certainly hope I was fair in my awarding of points.

Take care,
Matt
0