password protecting files

radish

i am aware there are many password encryption programs for OS X but i'm more interested in a simpler manageable approach.

the situation is that i have several eMacs which are roughly used by about 100 people at some point during a week. instead of setting up hundreds of user accounts i would prefer to have one restricted account on each mac with an ability for the user to assign a password to their files.

the trouble is that many password schemes encrypt the data or have a tedious security process. i want something like the user can right click on a file and protect it. if they forget the file then i can reset it under an administrative login rather than the file being lost forever.

the data is only coursework and won't contain any personal information. it will be mostly coursework and since i'm the tutor it won't matter if i have access to it.
 
There are two protection schemes that will work on a modern computer system - unfortunately anything else is almost certainly snake oil.

1 - encryption. If you lose the key there's no way to recover the file. Tedious, and your users probably won't bother.

2 - multiple user accounts. The basis of 30-ish years of OS security research, and the way OS X does things.

Since they're eMacs there's presumably no way of getting people to keep their work on removable media either? Depending how many Macs there are, using a central domain controller might become the most manageable way of doing it...
 
thanx.

thinking a little deeper into this now, would it be possible to manage accounts and privileges from one main server so that any user can log onto any machine and be able to work securely. However due to bandwidth limitations i would prefer applications to be run and data to be stored locally as not to use up too much bandwidth. obviously this means that the users data won't be in one easily accessible place but i really don't think the network will be able to handle several users using large traffic audio applications. maybe it would be best if i assigned specific users to specific machines.

argh it's all too confusing
 
radish said:
thanx.

thinking a little deeper into this now, would it be possible to manage accounts and privileges from one main server...
Yes!

Apple has white papers on their site on how to consolidate user accounts in a NetInfo network, or in LDAP, or in Active Directory, etc.

I don't have any URLs handy, but it's all there on apple.com...
 
http://www.apple.com/server/documentation/

Try looking at User Management. I think you'd have to keep user home folders on the server though, but that might still be the best way to go (and easiest for the user to understand how to use). Especially if you have several eMacs that people can use. (Is this a school setup?) Then the user wouldn't have to remember which computer they were using and saved their files on. Then, down the road, if you ever had to replace or add computers, it would be as simple as putting a new one on a network, no files would be lost.

Bandwidth could be an issue, what are you using now?
 
thanx for the info so far. i am digesting it well.

at the moment the network is a 100mbit. which seems fine for documents but i don't think the audio applications will like it much.

how about this for an idea. when a user is confronted with the login screen they have two options.
1. they can login under their username which will give them access to applications like word excel internet etc. The home directory of these accounts would be stored centrally.

2. they can log in under music which will allow them to use music applications and the information would be stored locally. in this account there would be a mounted server whereby people can drag and drop their own work or they could just save locally to the hard disk. obviously their work stored locally would be at risk of plagiarism so their conscience would tell them to save to the server instead.

would it be possible for someone to access a mounted server, locate their home directory whereby they are prompted with an authentication screen?
 
Here's a possibility - what if you made a clearly labelled area of the HD (or maybe an entire disk partition) that was writable by anyone? Then users logging in under their own IDs could temporarily copy over audio files to the local computer, work on them locally, then save them back to their network directories before they log out. To protect themselves from plagiarism, they could erase the local copies.

You might even have the locally saved files erased automatically whenever people log out, but that might do more harm than good - people tend to forget to copy things back, and might lose too much work...

It seems like it ought to be possible for users to mount a remote directory under a different ID from the one they're locally logged in as. Unfortunately I don't have any experience with OS X server, so I couldn't tell you how easy or hard it would be...

BTW - thanks for the reference btoth. I'm reading the User Management doc now - it is indeed relevant to precisely this situation. The Open Directory doc is also highly relevant, but it looks like it goes into much more complicated setups than this - redundant servers, windows/unix clients...
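
The local scratch-area idea from the post above, sketched as an added example that is not part of the original thread. It goes one step further than the post: each user gets a private subfolder, and the logout cleanup refuses to erase anything that has no identical copy in the network home. The path `/Users/Shared/Scratch` and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SCRATCH and the function names
# are hypothetical; adjust the path to the local disk or partition used.
SCRATCH="${SCRATCH:-/Users/Shared/Scratch}"

# Run once as an administrator: writable by anyone, with the sticky bit
# set so users cannot delete or rename entries they do not own.
make_scratch() {
    mkdir -p "$SCRATCH" && chmod 1777 "$SCRATCH"
}

# Run at login as the user: a working folder only its owner can read,
# so other people on the same machine cannot copy the audio files.
user_scratch() {
    user="${1:-$(id -un)}"
    dir="$SCRATCH/$user"
    mkdir -p "$dir" && chmod 700 "$dir" && printf '%s\n' "$dir"
}

# Run at logout: erase the local folder only if every file in it has a
# byte-identical copy under the network home (absolute path expected).
purge_user_scratch() {
    user="$1"
    network_home="$2"
    dir="$SCRATCH/$user"
    [ -d "$dir" ] || return 0
    # List local files that are missing or different on the server.
    unsaved=$(cd "$dir" && find . -type f -exec sh -c '
        for f; do cmp -s "$f" "$0/$f" || printf "%s\n" "$f"; done
    ' "$network_home" {} +)
    if [ -n "$unsaved" ]; then
        printf 'not erased, no saved copy of:\n%s\n' "$unsaved" >&2
        return 1
    fi
    rm -rf "$dir"
}
```
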
 