Re: NIS with local root

From: Zow (zow@llnl.gov)
Date: 01/30/03

    To: Kevin Jackson <kevin.jackson@genaware.com>
    Date: Thu, 30 Jan 2003 08:48:30 -0800
    From: "Zow" Terry Brugger <zow@llnl.gov>
    
    

    > It's the NFS export options - i.e. root_squash that needs to be used.

    root_squash will only prevent the remote root (uid 0) account from modifying
    files as root. It can't prevent the remote root account from su'ing to a user
    account and then masquerading as a user. I once administered a small group of
    machines for the team I was on that was part of a larger, enterprise network.
    As such, I had root on our machines, but not the centralized NFS servers
    (which used the root_squash option). It was a pain because when one of the
    team members had a package in their home directory that they wanted
    installed, I couldn't access their home as root (tight permissions on the
    home directories), so I would have to su as them, then I could copy the
    package to /tmp where I could then access it as root.

    That's not to say that root_squash is useless -- it prevents root on one
    machine from placing a suid (0) binary on the share, which could be used as a
    Trojan horse to get elevated privileges on a different machine.

    Terry

    use StandardDisclaimer.pm
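
The distinction drawn in the message above, as an added example that is not part of the original post: a small audit that reads an exports file and reports, per client entry, which client-asserted identities the server still honours, so "non-root-uids" marks exports where a client's root can still act as any ordinary user. It assumes Linux exports(5) syntax without line continuations; the sample file, paths, host names and the function names classify and audit are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and client names are made up.
SAMPLE_EXPORTS = """\
# home directories for the team machines
/export/home   team-*.example.org(rw,root_squash)
/export/build  buildhost.example.org(rw,no_root_squash)
/export/pub    *(ro,all_squash,anonuid=65534,anongid=65534)
/export/secure *.example.org(rw,sec=krb5p)
"""

# One client entry: a host pattern, optionally followed by (comma,separated,options).
ENTRY = re.compile(r"(?P<client>[^\s()]+)(?:\((?P<opts>[^)]*)\))?")

def classify(opts):
    """Return which client-asserted identities the server honours for one entry."""
    flavors = [o[4:] for o in opts if o.startswith("sec=")]
    if flavors and all(f.startswith("krb5") for part in flavors for f in part.split(":")):
        return "kerberos"        # identity comes from a ticket, not the client's uid field
    if "all_squash" in opts:
        return "none"            # every uid/gid is mapped to the anonymous user
    if "no_root_squash" in opts:
        return "all-uids"        # client root is also root on the export
    return "non-root-uids"       # root_squash (the default): only uid 0 is remapped

def audit(text):
    """Parse exports text and return (path, client, trust) for every client entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY.fullmatch(entry)
            if m is None:
                continue                      # malformed entry; skipped in this sketch
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            findings.append((path, m.group("client"), classify(opts)))
    return findings

if __name__ == "__main__":
    for path, client, trust in audit(SAMPLE_EXPORTS):
        print(f"{path:16} {client:28} trusted client identities: {trust}")
```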


