Re: NIS with local root

From: Zow (zow@llnl.gov)
Date: 01/30/03

    To: Kevin Jackson <kevin.jackson@genaware.com>
    Date: Thu, 30 Jan 2003 08:48:30 -0800
    From: "Zow" Terry Brugger <zow@llnl.gov>
    
    

    > It's the NFS export options - i.e. root_squash that needs to be used.

    root_squash will only prevent the remote root (uid 0) account from modifying
    files as root. It can't prevent the remote root account from su'ing to a user
    account and then masquerading as a user. I once admined a small group of
    machines for the team I was on that was part of a larger, enterprise network.
    As such, I had root on our machines, but not the centralized NFS servers
    (which used the root_squash option). It was a pain because when one of the
    team members had a package in their home directory that they wanted
    installed, I couldn't access their home as root (tight permissions on the
    home directories), so I would have to su as them, then I could copy the
    package to /tmp where I could then access it as root.

    That's not to say that root_squash is useless -- it prevents root on one
    machine from placing a suid (0) binary on the share, which could be used as a
    Trojan horse to get elevated privileges on a different machine.

    Terry

    use StandardDisclaimer.pm
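
The uid mapping described in the message above, as an added example that is not part of the original post: a small model of how an NFS server applies root_squash to the uid a client asserts, covering both the home-directory case and the suid case. It assumes the export uses uid-based (AUTH_SYS) credentials; `ANON_UID`, `ALICE` and the function names are hypothetical, and group permission bits are ignored.

```python
from dataclasses import dataclass

ANON_UID = 65534   # assumed anonymous uid ("nobody") that uid 0 is squashed to
ALICE = 1000       # hypothetical team member who owns the home directory
SETUID = 0o4000    # setuid permission bit


@dataclass
class Inode:
    owner: int
    mode: int


def server_uid(asserted_uid: int, root_squash: bool = True) -> int:
    """Return the uid the server acts as for the uid the client asserts."""
    if root_squash and asserted_uid == 0:
        return ANON_UID
    return asserted_uid  # every non-zero uid is taken at the client's word


def may_read(inode: Inode, asserted_uid: int, root_squash: bool = True) -> bool:
    """Owner/other permission check on the server (group bits ignored)."""
    uid = server_uid(asserted_uid, root_squash)
    if uid == 0:
        return True
    bit = 0o400 if uid == inode.owner else 0o004
    return bool(inode.mode & bit)


def create(asserted_uid: int, mode: int, root_squash: bool = True) -> Inode:
    """A new file is owned by the mapped uid, not the asserted one."""
    return Inode(owner=server_uid(asserted_uid, root_squash), mode=mode)


def is_suid_root(inode: Inode) -> bool:
    return inode.owner == 0 and bool(inode.mode & SETUID)


def demo() -> dict:
    home = Inode(owner=ALICE, mode=0o700)  # constructed sample: tight home dir
    return {
        "client root reads home": may_read(home, 0),
        "client root after su reads home": may_read(home, ALICE),
        "suid-root file, root_squash": is_suid_root(create(0, 0o4755)),
        "suid-root file, no_root_squash":
            is_suid_root(create(0, 0o4755, root_squash=False)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The server cannot tell a genuine uid 1000 request from one sent by a client root that has su'd to that user, which is why only the first and third cases come back False.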