Re: NFS Security Question

From: Darren Moffat (Darren.Moffat@eng.sun.com)
Date: 08/13/01


Message-Id: <200108132020.f7DKK8B763913@jurassic.eng.sun.com>
Date: Mon, 13 Aug 2001 13:18:51 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: NFS Security Question
To: molson@crystal.cirrus.com


>So, the scenario goes like this. You have two users "joe" and "bob".
>You have two machines "foo" and "bar". "foo" and "bar" both satisfy
>(3) and (4) above, and each has a different root password. "joe" has
>root on "foo", and "bob" has root on "bar". "joe" logs in as root on
>"foo", and then he executes the line "su - bob". Now, "joe" is logged
>in as "bob" and has all the permissions associated with the "bob"
>account.
>
>Is there anyway to stop this from happening?

Yes, there are 2 related methods and both involve increasing the
security of the underlying RPC mechanism.

Both are documented in the Answerbook at docs.sun.com.

The first and older method is to use "Secure RPC" with AUTH_DH (sometimes
called AUTH_DES). This involves creating public/private keys for each
user and host using chkey/newkey and putting these into the NIS publickey
map. If you use NIS+ rather than NIS then you already have all of the
keys set up for the users and hosts since NIS+ uses "Secure RPC".

Share the filesystem with -o sec=dh

The second method is to use Kerberos v5 to provide the RPC authentication,
search for NFS and SEAM in docs.sun.com after you have installed the SEAM
unbundled product (which is "free" either download the Solaris 8 Admin Pack,
or if you want 2.6, 7 then it is in the Easy Access Server disk from the
server pack). Kerberos is provided to RPC via RPCSEC_GSS.

Share the filesystem with -o sec=krb5

Kerberos can also be used to provide integrity (krb5i) and data hiding
using DES encryption (krb5p).

Currently as far as I know Sun is the only vendor with both AUTH_DH and
Kerberos.

A note for the future, NFSv4 will have Kerberos, SPKM, LIPKEY all as
mandatory so you will get this out of the box from any vendor who claims
to have a compliant NFSv4 implementation.

--
Darren J Moffat
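The reason the quoted "su - bob" scenario works against a plain NFS export is that the default RPC flavor, AUTH_SYS (sec=sys), simply trusts the uid/gid the client host asserts; sec=dh and the krb5 flavors named above bind the request to a per-user credential instead. The following script is an added example, not part of Darren's mail or of any Sun documentation: it audits share lines in the share_nfs(1M) dfstab syntax (`share -F nfs -o opt,... path`, with `sec=` taking one or more colon-separated flavors) and reports which exports still accept the weak flavor. The sample dfstab is constructed, and `harden_share_line` is a hypothetical helper that rewrites a line to offer a single flavor; note it flattens per-flavor option groups (in real dfstab syntax, options following a `sec=` apply only to that flavor).

```python
"""Audit dfstab-style NFS share lines for their RPC security flavors.

Added example (not from the original mail). Assumes the share_nfs(1M)
syntax `share -F nfs -o opt,opt,... pathname`, where `sec=` names one or
more flavors separated by colons and a missing `sec=` means the default
AUTH_SYS ("sys") flavor, which trusts whatever uid the client asserts.
"""
import shlex

# Flavors that authenticate the user cryptographically (Secure RPC with
# AUTH_DH, or Kerberos v5 via RPCSEC_GSS) rather than trusting a client uid.
STRONG_FLAVORS = {"dh", "krb5", "krb5i", "krb5p"}

# Constructed sample /etc/dfs/dfstab; paths and option sets are made up.
SAMPLE_DFSTAB = """\
# /etc/dfs/dfstab  (constructed sample)
share -F nfs -o rw /export/home
share -F nfs -o rw,sec=dh /export/projects
share -F nfs -o sec=krb5:krb5i:krb5p,rw /export/secure
share -F nfs -o sec=sys,ro,sec=krb5p,rw /export/mixed
share -F nfs /export/tools
"""


def parse_share_line(line):
    """Return (path, [flavors]) for one share line, or None if it is not one."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "share":
        return None
    flavors, path, i = [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-o" and i + 1 < len(tokens):
            for opt in tokens[i + 1].split(","):
                if opt.startswith("sec="):
                    flavors.extend(opt[len("sec="):].split(":"))
            i += 2
        elif tok in ("-F", "-d") and i + 1 < len(tokens):
            i += 2  # skip the fstype / description argument
        elif tok.startswith("-"):
            i += 1
        else:
            path = tok
            i += 1
    if path is None:
        return None
    return path, flavors or ["sys"]  # no sec= at all means AUTH_SYS


def audit_dfstab(text):
    """Map each exported path to ("weak" | "strong", offered flavors).

    An export is "weak" if any offered flavor lets a client pick a mode
    that trusts its own uid claim (sys, none, or anything unknown)."""
    report = {}
    for line in text.splitlines():
        parsed = parse_share_line(line)
        if parsed is None:
            continue
        path, flavors = parsed
        weak = [f for f in flavors if f not in STRONG_FLAVORS]
        report[path] = ("weak" if weak else "strong", flavors)
    return report


def harden_share_line(line, flavor="krb5p"):
    """Hypothetical helper: rewrite a share line to offer only `flavor`.

    Drops every existing sec= entry (including sec=sys) and keeps the other
    options, flattening per-flavor option groups into one list."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "share":
        raise ValueError("not a share line")
    out, seen_o, i = [], False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-o" and i + 1 < len(tokens):
            opts = [o for o in tokens[i + 1].split(",") if not o.startswith("sec=")]
            out += ["-o", ",".join(["sec=" + flavor] + opts)]
            seen_o = True
            i += 2
        else:
            out.append(tok)
            i += 1
    if not seen_o:
        out[-1:-1] = ["-o", "sec=" + flavor]  # insert before the pathname
    return " ".join(out)


if __name__ == "__main__":
    for path, (verdict, flavors) in audit_dfstab(SAMPLE_DFSTAB).items():
        print(f"{verdict:6} {path:20} sec={':'.join(flavors)}")
    print(harden_share_line("share -F nfs -o rw /export/home"))
```

Run it against a real dfstab by reading the file into `audit_dfstab`; any export listed as "weak" is one where the uid-trust scenario from the quoted question still applies, regardless of how the client hosts' root passwords are managed.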
