RE: nis : how to avoid user1 becoming user2 using local root ?
From: Small, Jim (jim.small_at_eds.com)
Date: 03/29/04
- Previous message: phaser-X: "Re: nis : how to avoid user1 becoming user2 using local root ?"
- Maybe in reply to: Frédéric Médery: "nis : how to avoid user1 becoming user2 using local root ?"
- Next in thread: Frederic Medery: "Re: nis : how to avoid user1 becoming user2 using local root ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Mailing List Linux- Security <focus-linux@securityfocus.com>
Date: Mon, 29 Mar 2004 11:19:46 -0500
The 2.6 kernel comes with NFSv4. NFSv4 supports Kerberos and other security
methods for authorization and encryption. Properly set up, a local user will
not be able to mount another user's share/export, even with local root
privileges.
<> Jim
> -----Original Message-----
> > All linux servers, all nfs shares use the root_squash option.
> > We're using NIS
> > All developers can become root on their local machines.
> >
> > The prob : if user1 does a `su -` on their station. And then, `su user2`
> > they can become user2.
> >
> > For me it's a huge problem (windows don't have this prob, local admin
> > are very different from domain/server admin) is there a way to avoid
> > this prob ?
>
> Nope. Not with NFS. NFS uses a 'trust the client' security model.
> If you give users the ability to become root on their machines,
> they can become any user locally, and can access the NFS server as
> that user.
>
> Later versions of NFS hope to address this problem. Or you can
> try alternate mounting options, such as afs, or even smbmount.
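
As an added example that is not part of the original thread: a small Python audit that lists every `/etc/exports` entry still accepting AUTH_SYS (`sec=sys`, the exports(5) default), which is the "trust the client" model described above, while exports restricted to `krb5`, `krb5i` or `krb5p` are not listed. The sample file, host names and paths are constructed, and the parser assumes unquoted paths.

```python
import re

# Constructed sample /etc/exports content (hosts and paths are made up).
SAMPLE_EXPORTS = """\
# home directories
/home        *.dev.example.com(rw,root_squash)
/srv/proj    *.dev.example.com(rw,root_squash,sec=krb5p)
/srv/build   10.0.0.0/24(rw,sec=sys:krb5) buildhost(ro)
/srv/secure  -sec=krb5i  *.dev.example.com(rw) \\
             admin.example.com(rw,sec=krb5p)
"""

def flavors_of(opts):
    """Collect every flavor named by the sec= options in an option list."""
    out = []
    for opt in opts.split(","):
        if opt.startswith("sec="):
            out += opt[4:].split(":")   # sec= takes a colon-delimited list
    return out

def audit_exports(text):
    """Return (path, client, flavors) for every export that accepts AUTH_SYS."""
    findings = []
    # Join backslash-continued lines into one logical line each.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *fields = line.split()
        default_opts = ""
        for field in fields:
            if field.startswith("-"):          # "-opt,opt": defaults for this line
                default_opts = field[1:]
                continue
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", field)
            client, opts = m.group(1) or "*", m.group(2) or ""
            # Per-client sec= wins, then line defaults, then the sys default.
            flavors = flavors_of(opts) or flavors_of(default_opts) or ["sys"]
            if "sys" in flavors:
                findings.append((path, client, flavors))
    return findings

if __name__ == "__main__":
    for path, client, flavors in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: accepts AUTH_SYS (sec={':'.join(flavors)})")
```

Note that `root_squash` on `/home` does not take it off the list: it only remaps uid 0, so a client that asserts another user's uid over `sec=sys` is still believed.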