Re: NFS Security Question

From: Jan-Philip Velders (jpv@jpv.xs4all.nl)
Date: 08/14/01


Date: Tue, 14 Aug 2001 23:40:09 +0200 (CEST)
From: Jan-Philip Velders <jpv@jpv.xs4all.nl>
To: McGee Olson <molson@crystal.cirrus.com>
Subject: Re: NFS Security Question
Message-ID: <Pine.LNX.4.05.10108142320540.30350-100000@jp-gp.vsi.nl>


> Date: Mon, 13 Aug 2001 12:06:49 -0500 (CDT)
> From: McGee Olson <molson@crystal.cirrus.com>
> Subject: NFS Security Question

> Here is an example of what I am trying to figure out:
> 1) You have an NIS server providing logins & passwords
> 2) You have an NFS server which houses user directories
> 3) Each workstation authenticates via NIS
> 4) Each workstation mounts the home directories via NFS

Maybe I can give some examples from my/our situation at work.
Points 1 through 4 are matched...

> So, the scenario goes like this. You have two users "joe" and "bob".
> You have two machines "foo" and "bar". "foo" and "bar" both satisfy
> (3) and (4) above, and each has a different root password. "joe" has
> root on "foo", and "bob" has root on "bar". "joe" logs in as root on
> "foo", and then he executes the line "su - bob". Now, "joe" is logged
> in as "bob" and has all the permissions associated with the "bob"
> account.

That's something we also have been thinking about. But you might
want to ask yourself: why does one need root, and who is 'in control'
of a machine?

In our situation, we have Solaris 2.6 (and hopefully soon all Solaris
8) and Linux (RedHat 6.x & 7.x various installs) desktops and Solaris
8 servers. Notably, many Linux machines have separate root accounts for
a couple of users.

Most of those machines were set-up by those users, and were never
installed by us (the IT-dept.). Those machines are called more or less
'self-service' systems. That is, we don't install software on them,
don't have the root password etc.

> Is there any way to stop this from happening?

We decided to do it at the NFS layer.

If user 'joe' works on 'foo', his home directory is shared to a
netgroup (which contains hosts for which the root password is only
known to us, i.e. hosts we 'control'), and to the machine 'foo'.

If the user wishes that his home directory is also shared to other
hosts, he has to request that and explain why he wants his
home directory to be available on another system. (e.g. 'bar', because
he frequently uses that machine because of the software 'bob' has
installed there)

It's a bit more work because you have to share each home directory
separately, but it allows us to effectively control what is available
to systems we don't have 'control' over...

(control is meant in a more 'sysadmin' way... e.g. we installed it and
perform maintenance updates etc.)

We're in the midst of setting up a similar thing with SAMBA for
Windows NT4 clients... (and having the SAMBA servers do authentication
against our [WinNT4] PDC...) The only problem so far has been the
differentiation between UNIX and NT usernames (we don't want to map
them, we want them to be one-on-one)

> Thanks,
> McGee

Greetings,
J.-Ph. Velders
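The per-home-directory export scheme described in the reply above, as an added example that is not part of the original post: a small Python model of the netgroup file and the dfstab share lines the scheme needs, and of the access decision the NFS server makes from them. The host names (foo, bar, nfsserver, ws-admin1, ws-admin2, solaris-lab1), the netgroup names (itdept, trusted) and the paths are constructed, and the access-list parsing is a simplified model of the Solaris share_nfs(1M) syntax, not its implementation.

```python
"""Model of the per-home-directory NFS export policy from the thread (added
example, not code from the original post).  Covers a subset of the Solaris
share_nfs(1M) access-list syntax: rw=, ro= and root= take host names or
netgroup names separated by ':' (a Linux-style '@' prefix is tolerated);
DNS suffixes, netmasks and '-' negative entries are not modelled.  All host,
user and netgroup names below are constructed."""
import re
import shlex

# Constructed /etc/netgroup.  Syntax: name (host,user,domain)... [othergroup]
NETGROUP_FILE = """\
itdept   (nfsserver,,) (ws-admin1,,) (ws-admin2,,)
trusted  itdept (solaris-lab1,,)
"""

# Constructed /etc/dfs/dfstab: one share per home directory, exported to the
# 'trusted' netgroup plus the owner's own workstation only.  root= (uid 0 not
# squashed to the anonymous user) is granted only to IT-controlled hosts.
DFSTAB = """\
share -F nfs -o rw=trusted:foo,root=itdept /export/home/joe
share -F nfs -o rw=trusted:bar,root=itdept /export/home/bob
"""


def parse_netgroups(text):
    """Return {name: (hosts, nested_group_names)} from netgroup(4) text."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        hosts, nested = set(), []
        for tok in re.findall(r"\([^)]*\)|\S+", rest):
            if tok.startswith("("):          # (host,user,domain) triple
                host = tok[1:-1].split(",")[0].strip()
                if host:
                    hosts.add(host)
            else:                            # reference to another netgroup
                nested.append(tok)
        groups[name] = (hosts, nested)
    return groups


def netgroup_hosts(groups, name, _seen=None):
    """Recursively expand a netgroup into the set of host names it contains."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return set()
    _seen.add(name)
    hosts, nested = groups[name]
    return set(hosts).union(*(netgroup_hosts(groups, s, _seen) for s in nested))


def parse_dfstab(text):
    """Parse 'share -F nfs -o opt,opt path' lines into {path: {opt: [entries]}}.
    A bare 'rw' or 'ro' (no list) becomes ['*'], i.e. every client."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("share"):
            continue
        argv = shlex.split(line)
        opts = {"rw": [], "ro": [], "root": []}
        for i, arg in enumerate(argv):
            if arg == "-o":
                for kv in argv[i + 1].split(","):
                    key, _, val = kv.partition("=")
                    opts[key] = val.split(":") if val else ["*"]
        exports[argv[-1]] = opts
    return exports


def host_in_list(groups, host, acl):
    """Access-list match: '*', an exact host name, or membership in a netgroup."""
    return any(e.lstrip("@") == "*" or e.lstrip("@") == host
               or host in netgroup_hosts(groups, e.lstrip("@")) for e in acl)


def mount_access(exports, groups, host, path):
    """What a client host gets when it mounts path: 'rw', 'ro' or None (refused)."""
    exp = exports.get(path)
    if exp is None or not host_in_list(groups, host, exp["rw"] + exp["ro"]):
        return None
    return "rw" if host_in_list(groups, host, exp["rw"]) else "ro"


def root_is_trusted(exports, groups, host, path):
    """True if uid 0 on host is honoured (host is in root=) for this export."""
    exp = exports.get(path)
    return exp is not None and host_in_list(groups, host, exp["root"])


def su_attack_reaches_home(exports, groups, attacker_host, victim_home):
    """root on attacker_host runs 'su - victim'.  root= is no defence here: the
    attacker now carries the victim's uid, not 0.  What stops him is that
    victim_home is not exported to his host at all."""
    return mount_access(exports, groups, attacker_host, victim_home) is not None


def grant_host(exports, path, host):
    """Admin action when a user's request for another host is approved:
    add that host to the rw= list of his own home directory only."""
    if host not in exports[path]["rw"]:
        exports[path]["rw"].append(host)
    return exports[path]["rw"]


NETGROUPS = parse_netgroups(NETGROUP_FILE)
EXPORTS = parse_dfstab(DFSTAB)
```

The two things worth checking with it are the ones the scheme relies on: bob's home is refused to foo outright, so root on foo doing `su - bob` has nothing to mount, and a request like joe's for bar is a one-host change to one share line (`grant_host`). Note that `root=` does not address the su case at all, because after `su` the client presents bob's uid rather than 0; it only matters for which hosts get unsquashed root on the shares they can already reach, which is why the reply restricts it to hosts the IT department controls.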