RE: NFS Security Question

From: Nieusma, Jeff (
Date: 08/13/01

Message-ID: <>
From: "Nieusma, Jeff" <>
Subject: RE: NFS Security Question
Date: Mon, 13 Aug 2001 14:31:35 -0700

One way to deal with that is don't give anyone the root password on any of
your machines. Use sudo to give people root access. Create a policy that
says people cannot become root (sudo su, sudo csh, sudo ksh, etc...) or any
other user without permission, they will be subject to disciplinary actions
up to, and including, termination. Then setup syslog on all your machines to
log to a limited access system, and review your logs.

Yes, this is a lot of steps, and some of them are political. That's
unavoidable. Anyone with root access (via the root password, or with sudo
access) will have the ability to become another user and/or access files
that they shouldn't. If you have appropriate policies in place and educate
your users about expected privacy, you have done all you can. If it's a big
problem, review the logs and find an "example" to discipline.

Good luck.

- Jeff Nieusma <>
  Lead Security Engineer

> -----Original Message-----
> From: Neil Dickey []
> McGee Olson <> wrote asking:
> >So, the scenario goes like this. You have two users "joe" and "bob".
> >You have two machines "foo" and "bar". "foo" and "bar" both satisfy
> >(3) and (4) above, and each has a different root password. "joe" has
> >root on "foo", and "bob" has root on "bar". "joe" logs in as root on
> >"foo", and then he executes the line "su - bob". Now, "joe" is logged
> >in as "bob" and has all the permissions associated with the "bob"
> >account.
> >
> >Is there anyway to stop this from happening?
> I don't claim to be an expert, just a sysop for a number of years,
> but I don't think there's a way to do that with NFS. We've had a
> problem like this that involved violation of AUPs, rather like your
> hypothetical situation, and the only fix possible under the circum-
> stances was to eliminate the NFS connection, among a number of other
> things. Briefly stated, the offending machine was isolated from the
> rest of our network.
> The only other possible solutions, as I see it, are to replace "joe"
> with someone you can trust, or get rid of the "su" command, or both.
> These options were either not available or were insufficiently secure
> in our situation.
> If anyone has a better approach, I'd sure like to know it.

Relevant Pages