Re: nis : how to avoid user1 becoming user2 using local root ?
From: Christoph Moench-Tegeder (cmt_at_burggraben.net)
Date: 03/27/04
- Previous message: Frédéric Médery: "nis : how to avoid user1 becoming user2 using local root ?"
- In reply to: Frédéric Médery: "nis : how to avoid user1 becoming user2 using local root ?"
- Next in thread: [Lukasz.Sztachanski]: "Re: nis : how to avoid user1 becoming user2 using local root ?"
Date: Sat, 27 Mar 2004 19:27:02 +0100
To: focus-linux@securityfocus.com
## Frédéric Médery (mederyf@LEXUM.UMontreal.CA):
> All Linux servers, all NFS shares use the root_squash option.
> We're using NIS.
> All developers can become root on their local machines.
> The prob: if user1 does a `su -` on their station, and then `su user2`,
> they can become user2.
> For me it's a huge problem (Windows doesn't have this prob, local admins
> are very different from domain/server admins). Is there a way to avoid
> this prob?
Use all_squash, anonuid and anongid to lock every machine to a single
account. Example:
/home 10.0.0.1(rw,all_squash,anonuid=1000,anongid=1000) 10.0.0.2(rw,...
Depending on your special setup and needs this solution might
break things. Your /etc/exports will become huge and you will have to
update your export every time developers or IP addresses change. This
will be a real PITA in larger environments (for small values of large).
Now you know why NFS is No File Security :)
Another solution would be changing filesystems; AFS, Coda and SMB
could be worth a look.
Regards,
Christoph
-- Spare Space
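
An added example, not part of the original message: a small Python generator for the per-host all_squash entries described above, so the /etc/exports line can be rebuilt whenever a developer or IP address changes. The inventory, account names and uid/gid values are constructed assumptions; in practice they would come from the NIS passwd map.

```python
import ipaddress

# Constructed sample inventory: one workstation per developer account.
WORKSTATIONS = [
    {"ip": "10.0.0.1", "user": "user1", "uid": 1000, "gid": 1000},
    {"ip": "10.0.0.2", "user": "user2", "uid": 1001, "gid": 1001},
]


def build_exports(path, workstations):
    """Return an /etc/exports entry that pins each client to one uid/gid."""
    seen = set()
    clients = []
    for ws in workstations:
        # Normalises the address and raises ValueError on malformed input.
        ip = str(ipaddress.ip_address(ws["ip"]))
        if ip in seen:
            # Two entries for one host would make the mapping ambiguous.
            raise ValueError(f"duplicate client {ip}")
        if ws["uid"] == 0 or ws["gid"] == 0:
            # Squashing to root would defeat the purpose of the export.
            raise ValueError(f"refusing to map {ip} to uid/gid 0")
        seen.add(ip)
        # No whitespace inside or before the option list: exports(5)
        # treats a space as the start of a new client specification.
        opts = f"rw,all_squash,anonuid={ws['uid']},anongid={ws['gid']}"
        clients.append(f"{ip}({opts})")
    # Continue the entry with backslashes so a long client list stays readable.
    return path + " " + " \\\n    ".join(clients) + "\n"


if __name__ == "__main__":
    print(build_exports("/home", WORKSTATIONS), end="")
```

Write the output to /etc/exports on the server and reload it with exportfs -ra.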