Re: NIS with local root
From: Zow (zow@llnl.gov)
Date: 01/30/03
To: Kevin Jackson <kevin.jackson@genaware.com>
Date: Thu, 30 Jan 2003 08:48:30 -0800
From: "Zow" Terry Brugger <zow@llnl.gov>
> It's the NFS export options - i.e. root_squash that needs to be used.
root_squash will only prevent the remote root (uid 0) account from modifying
files as root. It can't prevent the remote root account from su'ing to a user
account and then masquerading as a user. I once admined a small group of
machines for the team I was on that was part of a larger, enterprise network.
As such, I had root on our machines, but not the centralized NFS servers
(which used the root_squash option). It was a pain because when one of the
team members had a package in their home directory that they wanted
installed, I couldn't access their home as root (tight permissions on the
home directories), so I would have to su as them, then I could copy the
package to /tmp where I could then access it as root.
That's not to say that root_squash is useless -- it prevents root on one
machine from placing a suid (0) binary on the share, which could be used as a
Trojan horse to get elevated privileges on a different machine.
Terry
use StandardDisclaimer.pm
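
Added example, not part of the original message: a small Python model of the server-side identity mapping the message describes, showing what root_squash does and does not stop. The Export/Inode classes, function names, uid 1001 and the anonymous id 65534 are assumptions of this sketch, not NFS server code.

```python
from dataclasses import dataclass

NOBODY = 65534  # assumed anonymous uid/gid for this model


@dataclass
class Export:
    root_squash: bool = True
    all_squash: bool = False
    anonuid: int = NOBODY
    anongid: int = NOBODY


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits, including setuid (0o4000)


def map_cred(exp, uid, gid):
    """Map the uid/gid the client asserts to the identity the server uses."""
    if exp.all_squash:
        return exp.anonuid, exp.anongid
    if exp.root_squash:
        uid = exp.anonuid if uid == 0 else uid
        gid = exp.anongid if gid == 0 else gid
    return uid, gid  # any non-zero id is taken at the client's word


def may_read(exp, inode, uid, gid):
    """Owner/group/other read check against the mapped identity."""
    euid, egid = map_cred(exp, uid, gid)
    if euid == 0:
        return True
    if euid == inode.uid:
        return bool(inode.mode & 0o400)
    if egid == inode.gid:
        return bool(inode.mode & 0o040)
    return bool(inode.mode & 0o004)


def create(exp, uid, gid, mode):
    """A new file is owned by the mapped identity, not the asserted one."""
    euid, egid = map_cred(exp, uid, gid)
    return Inode(euid, egid, mode)


def is_setuid_root(inode):
    """True if another client executing this file would gain uid 0."""
    return bool(inode.mode & 0o4000) and inode.uid == 0
```

For a home directory Inode(1001, 1001, 0o700) on a default Export(), may_read is False for client uid 0 but True once the client presents uid 1001, and a file created by client root with mode 0o4755 ends up owned by the anonymous uid, so it is not setuid root.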