RE: NFS Security Question

From: Darren Moffat (Darren.Moffat@eng.sun.com)
Date: 08/13/01


Message-Id: <200108132121.f7DLLoB783162@jurassic.eng.sun.com>
Date: Mon, 13 Aug 2001 14:20:33 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: RE: NFS Security Question
To: molson@crystal.cirrus.com, rick.devey@unisys.com


>I would recommend that you remove the su command or remove root access all
>together and use either rbac or sudo for the execution of root commands and
>not allow people to su to specific users. I currently don't allow any su

Don't remove su if you intend to use RBAC with roles since su is how
you assume a role.

You can also assign the privelged commands directly to the user and
give them one of the profile shells, but using roles is much easier to
manage and forces a concious action on the user about what they are doing
as whom and why.

>access but use NFS for home directories. I give users the ability to
>execute commands as root with "sudo" but they never actually become root.
>So in you example Joe could never become bob but would still be able to do
>his job.

This assumes that you as an admin actually have control of all the
client machines, this might not be the case. In today's world of VPNs
and working from home it is quite likely that the client machine is in
the users control not the control of the same people who run the file servers.

The correct and only safe solution is to use Secure RPC with AUTH_DES (aka
AUTH_DH) or RPCSEC_GSS with Kerberos - see my other post for more details.

--
Darren J Moffat



Relevant Pages

  • Re: [kde-linux] KDE 4 and monitor powering off.
    ... I changed it so that it would run as root since I have to ... I have sudo configured so my normal user has very limited access (some ... commands, with specific parameters. ... The admin user has full passwordless access to do everything root could ...
    (KDE)
  • Re: use sudo without having to type password?
    ... > There are lots of very valid reasons for having password-less sudo ... > commands available. ... >> If you have to do anything as root, you should have to type a password ... It should stand as a warning that they're about to ...
    (alt.os.linux)
  • Re: Change Permissions on a new hard drive to allow write...Problem Solved
    ... Please tell how I could have solved the problem without logging in as ... You'd use sudo or one of its graphical derivatives, ... Those three commands could have been used to do everything you did ... logging in as root. ...
    (Ubuntu)
  • RE: Linux auditing checklist, documents
    ... Edit the hosts.deny file and add the following lines: ... Disallow root login from different consoles ... number of commands and delete it on logout of the user. ... By default, when you login to a Linux box, it tells you the Linux ...
    (Security-Basics)
  • RE: Linux auditing checklist, documents
    ... Edit the hosts.deny file and add the following lines: ... Disallow root login from different consoles ... number of commands and delete it on logout of the user. ... By default, when you login to a Linux box, it tells you the Linux ...
    (Security-Basics)