RE: nis : how to avoid user1 becoming user2 using local root ?

From: Small, Jim (jim.small_at_eds.com)
Date: 03/29/04

To: Mailing List Linux-Security <focus-linux@securityfocus.com>
Date: Mon, 29 Mar 2004 11:19:46 -0500

The 2.6 kernel comes with NFSv4. NFSv4 supports Kerberos and other security
methods for authorization and encryption. Properly set up, a local user will
not be able to mount another user's share/export, even with local root
privileges.

<> Jim

> -----Original Message-----
> > All Linux servers, all NFS shares use the root_squash option.
> > We're using NIS.
> > All developers can become root on their local machines.
> >
> > The prob: if user1 does a `su -` on their station, and then `su user2`,
> > they can become user2.
> >
> > For me it's a huge problem (Windows doesn't have this prob, local admins
> > are very different from domain/server admins). Is there a way to avoid
> > this prob?
>
> Nope. Not with NFS. NFS uses a 'trust the client' security model.
> If you give users the ability to become root on their machines,
> they can become any user locally, and can access the NFS server as
> that user.
>
> Later versions of NFS hope to address this problem. Or you can
> try alternate mounting options, such as AFS, or even smbmount.
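The thread's point is that an NFS mount using the default AUTH_SYS flavour (`sec=sys`) trusts whatever UID the client presents, so a local root can impersonate any NIS user, while a Kerberos flavour (`sec=krb5`, `krb5i`, `krb5p`) makes the client prove each user's identity. The script below is an added example, not code from the original mail or its author: it reads mount lines in the `/proc/mounts` format and lists every NFS mount still relying on the client-trust model. The sample mount lines, server names and addresses are constructed for the demonstration.

```shell
# Added example (not from the original mail): audit NFS mounts for the
# "trust the client" AUTH_SYS flavour discussed in the thread.
# Input is the /proc/mounts line format: <device> <mountpoint> <fstype> <options> <dump> <pass>

# Print one line per NFS mount that is NOT protected by a Kerberos
# security flavour. Reads mount lines on stdin; output is "<mountpoint> <sec-flavour>".
audit_nfs_sec() {
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        # Extract the sec= option from the comma-separated list.
        # AUTH_SYS ("sys") is what the kernel uses when none is given.
        sec=sys
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case "$o" in
                sec=*) sec=${o#sec=} ;;
            esac
        done
        IFS=$old_ifs
        case "$sec" in
            krb5|krb5i|krb5p) ;;                      # identity proven per user via Kerberos
            *) printf '%s %s\n' "$mnt" "$sec" ;;     # server trusts the client's claimed UID
        esac
    done
}

# Constructed sample of /proc/mounts content (hosts and addresses are made up)
sample_mounts='
fileserver:/export/home /home nfs4 rw,relatime,vers=4.0,sec=sys,addr=192.0.2.10 0 0
fileserver:/export/proj /proj nfs4 rw,relatime,vers=4.1,sec=krb5p,addr=192.0.2.10 0 0
legacy:/srv/share /mnt/legacy nfs rw,vers=3,hard,addr=192.0.2.11 0 0
/dev/sda1 / ext4 rw,relatime 0 0
'

# Number of mounts in the sample that still rely on client-side trust
count_untrusted() {
    printf '%s\n' "$sample_mounts" | audit_nfs_sec | wc -l | tr -d ' '
}

# Against a live system: audit_nfs_sec < /proc/mounts
printf '%s\n' "$sample_mounts" | audit_nfs_sec
```

On the sample the script reports `/home` and `/mnt/legacy` as `sys`: the NFSv3 mount has no `sec=` option at all and so falls back to AUTH_SYS, which is why the default is treated as the weak case rather than skipped. The `/proj` mount passes because `krb5p` also encrypts the traffic; the server side opts in with the matching `sec=` value in its `/etc/exports` entry, which is the configuration step that actually removes the local-root impersonation path.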
