Re: nis : how to avoid user1 becoming user2 using local root ?
From: Nick Lopez (securityfocus_at_glowingmonkey.org)
Date: Sat, 27 Mar 2004 16:29:25 -0700
To: firstname.lastname@example.org
On Fri, Mar 26, 2004 at 04:58:06PM -0500, Frédéric Médery wrote:
> our situation :
> All linux servers, all nfs share use the root_squash option.
> We're using NIS
> All developers can become root on their local machines.
> The prob : if user1 does a `su -` on their station. And then, `su user2`
> they can become user2.
> For me it's a huge problem (windows don't have this prob, local admin
> are very different from domain/server admin) is there a way to avoid
> this prob ?
Several, starting with using something besides NFS, like CIFS with unix
extensions, AFS, or maybe NFSv4 though I haven't checked on how well the
daemons work. Or, you could just not give untrusted users the powers of
god. Fix filesystem permissions so they have access to what they need and
sudo access to anything that can't be fixed with mere filesystem rights.
You can also set them up with UML (User Mode Linux) to test their
root-needing things. It gives them full control of the virtual system
without giving them any rights to the real system.
- Nick Lopez
-- Randomly selected signature --
<>< As a computer I find your faith in technology amusing.
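
An added example, not part of the original message or thread: a small audit of NFS export entries that flags the ones where the server trusts the UID sent by the client (AUTH_SYS, the default `sec=sys`), which is why `root_squash` alone does not stop a local root from using `su user2`. It assumes Linux exports(5) `client(options)` syntax; the sample file, hosts and the `audit_exports` name are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
/home       dev*.example.org(rw,root_squash)
/srv/build  192.0.2.0/24(rw,sec=krb5p,root_squash)
/scratch    *(rw,all_squash)
/opt/tools  build1.example.org(ro,no_root_squash)
"""

ENTRY = re.compile(r"(?P<client>[^\s()]*)\((?P<opts>[^)]*)\)")


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *rest = line.split(None, 1)
        # A path with no client list is exported to everyone with defaults.
        tokens = rest[0].split() if rest else ["*"]
        for token in tokens:
            m = ENTRY.fullmatch(token)
            client, optstr = (m["client"] or "*", m["opts"]) if m else (token, "")
            opts = {o.strip() for o in optstr.split(",") if o.strip()}
            # sec= defaults to sys (AUTH_SYS) when not given.
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            # With AUTH_SYS the server believes the UID in each request, so
            # root_squash (UID 0 only) does not stop local root using su.
            if "sys" in sec.split(":") and "all_squash" not in opts:
                findings.append((path, client, "client_uid_trusted"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:22} {finding}")
```

Entries exported with a Kerberos flavor only (`sec=krb5`, `krb5i`, `krb5p`) or with `all_squash` are not flagged, because the server no longer acts on a client-asserted UID for them.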