Re: nis : how to avoid user1 becoming user2 using local root ?
From: Frank Burkhardt (fbo2_at_gmx.net)
Date: 04/03/04
- Previous message: James Lick: "Re: nis : how to avoid user1 becoming user2 using local root ?"
- In reply to: Toni Heinonen: "RE: nis : how to avoid user1 becoming user2 using local root ?"
Date: Sat, 3 Apr 2004 07:34:12 +0200
To: focus-linux@securityfocus.com
Hi,
On Fri, Apr 02, 2004 at 11:34:27AM +0300, Toni Heinonen wrote:
> > to everyone. The problem is the NFS-server trusting UIDs on remote
> > computers.
>
> Yes, but by using LDAP you get a consistent UID space all over your
> network, and user1 (1001) and user2 (1002) are the same users on each
> machine. Yes, this is the solution to the NFS-server trusting UIDs, but it
> also means you have to trust each computer.
This is *not* the solution to the UID-trusting-problem. LDAP doesn't (and
can't) prevent you from changing a UID on a client-machine where you have
root-privileges. LDAP provides a mapping ( name <-> UID ) but it's unable to
enforce a UID.
From the server's point of view the UID is the user's
credential - like a password. The great difference to a password: the UID
needed to get a file is publicly known ( stat(file_you_want) ).
> Or you might as well use winbind instead of LDAP and get the user
> information from a domain.
This is still no solution to the problem.
Frank
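
What the server actually receives under the classic NFS AUTH_SYS (AUTH_UNIX) RPC flavor, as an added example that is not part of the original message: a decoder for the credential body laid out in RFC 5531, run on constructed sample bytes. The names `parse_auth_sys`, `AuthSys` and `SAMPLE` are illustrative.

```python
import struct
from collections import namedtuple

class XdrError(ValueError):
    """Raised when the credential body is malformed."""

AuthSys = namedtuple("AuthSys", "stamp machinename uid gid gids")

# Constructed sample credential body (not captured traffic).
SAMPLE = (
    b"\x00\x00\x00\x01"                      # stamp (arbitrary client value)
    b"\x00\x00\x00\x03" b"ws1\x00"           # machinename "ws1", padded to 4 bytes
    b"\x00\x00\x03\xea"                      # uid 1002
    b"\x00\x00\x00\x64"                      # gid 100
    b"\x00\x00\x00\x01" b"\x00\x00\x00\x64"  # one supplementary gid: 100
)

def _u32(buf, off):
    """Read one big-endian XDR unsigned int, returning (value, new offset)."""
    if off + 4 > len(buf):
        raise XdrError("truncated credential")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def parse_auth_sys(body):
    """Decode an AUTH_SYS credential body (RFC 5531, appendix A)."""
    stamp, off = _u32(body, 0)
    n, off = _u32(body, off)
    padded = (n + 3) & ~3                    # XDR pads opaque data to 4 bytes
    if n > 255 or off + padded > len(body):
        raise XdrError("bad machinename length")
    name = body[off:off + n].decode("ascii", "replace")
    uid, off = _u32(body, off + padded)
    gid, off = _u32(body, off)
    count, off = _u32(body, off)
    if count > 16:
        raise XdrError("too many supplementary gids")
    gids = []
    for _ in range(count):
        g, off = _u32(body, off)
        gids.append(g)
    if off != len(body):
        raise XdrError("trailing bytes")
    # Every field above is a plain value chosen by the client; the body
    # contains no secret, MAC or signature for the server to verify.
    return AuthSys(stamp, name, uid, gid, gids)

if __name__ == "__main__":
    print(parse_auth_sys(SAMPLE))
```

The decoded structure is the whole of the caller's identity as the server sees it, which is why a directory service that only maps names to UIDs does not change what the server has to trust.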