Re: NFS Security Question
From: Jan-Philip Velders (jpv@jpv.xs4all.nl)
Date: 08/15/01
- Previous message: Casper ***: "Re: NFS Security Question"
- In reply to: Åke Nordin: "Re: NFS Security Question"
- Next in thread: Darren Moffat: "Re: NFS Security Question"
Date: Wed, 15 Aug 2001 21:11:52 +0200 (CEST)
From: Jan-Philip Velders <jpv@jpv.xs4all.nl>
To: Åke Nordin <moose@ecsoft.se>
Subject: Re: NFS Security Question
Message-ID: <Pine.LNX.4.05.10108152052410.28095-100000@jp-gp.vsi.nl>
> Date: Wed, 15 Aug 2001 01:41:41 +0200
> From: Åke Nordin <moose@ecsoft.se>
> Subject: Re: NFS Security Question
> I fail to see how this works...
:(
> >If user 'joe' works on 'foo', his homedirectory is shared to a
> >netgroup (which contains hosts for which the root password is only
> >known to us, i.e. hosts we 'control'), and for the machine 'foo'.
> >If the user wishes that his homedirectory is also shared to other
> >hosts, he has to request that and explain why he wants his
> >homedirectory to be available on another system. (e.g. 'bar', because
> >he frequently uses that machine because of the software 'bob' has
> >installed there)
> If I understand you right, then this means that you deny 'joe' access to
> his NFS home on 'bar' and 'bob' access to his NFS home on 'foo'. When
> root (i.e. 'joe' with euid=0) su - 'bob' he accordingly just gets the
> system-wide default login environment and a CWD of '/' on 'foo'. Doesn't
> this mean that he (now with 'bob's euid) still may rlogin to 'bar',
> getting 'bob's NFS home as CWD, fully readable/writable (i.e. 'joe'
> on 'foo' has "become" 'bob' on 'bar') ?
Hm... I don't see why 'bob' (='joe') on 'foo' is able to rlogin to
'bar', but I might need to clarify a bit:
hosts:
* foo (installed by joe, root=joe)
* bar (installed by bob, root=bob)
* huey (installed by IT-dept, root=IT-dept)
The homedirectories of both 'joe' and 'bob' are shared to huey
(because huey.x.y.z is in the netgroup to which all homedirs are
shared). The homedirectory of 'joe' is also shared to host 'foo', and
that of 'bob' to 'bar'.
If 'joe' does a 'su - bob' on 'foo', he'll end up in / (or depending
on some settings it might fail...). If 'bob' on 'foo' (in reality
'joe') executes a 'rlogin -l bob bar' or a 'rlogin -l bob huey', both
'bar' and 'huey' will consult ~bob/.rhosts to see if a user 'bob' on
'foo' is allowed.
Under normal circumstances the real user 'bob' would never put an
entry 'foo bob' into ~bob/.rhosts. If on the other hand 'bob' has put
such an entry in, user 'bob' has messed up. The same as when he's done
a 'chmod -R 0777 ~bob'. As an IT-department you can't prohibit that.
You also need to rely on a bit of knowledge at the users end.
(note: I work in an environment with Math and CS scientists, and both
categories range from near-UNIX-newbies to 'power users')
Also the number of self-administrated hosts is some 50 to 100 (it
varies as machines are replaced etc.), on a total of 300 to 400
workstations.
It's a bit uncomfortable that many users won't be able to logon to a
machine which isn't under our (IT-dept.) control, but then again, we
allow the people who need those facilities to work, but also provide
enough measures against abuse...
For the future we're also disallowing NFS 'crossmounts' from one
workgroup to another workgroup (except for a bunch of central or
public machines). We can make exceptions, but then the user is aware
of the impact, and waives us from the responsibility of preventing
unauthorized access to his data on machines not under our control...
Greetings,
J.-Ph. Velders
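
The .rhosts check discussed in the message above, as an added example that is not part of the original e-mail: a small audit that flags entries in a user's ~/.rhosts which extend trust to hosts outside IT control, such as the 'foo bob' line. The host names come from the thread; the CONTROLLED set, the sample file and the function name are constructed assumptions.

```python
# Added example (not from the original message): audit .rhosts content
# against the set of hosts whose root password only the IT dept knows.
CONTROLLED = {"huey"}  # assumption: short names of IT-controlled hosts


def audit_rhosts(owner, text, controlled=CONTROLLED):
    """Return (lineno, entry, reason) for each risky line in owner's .rhosts."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        # Without a user field, only the same login name on that host matches.
        user = fields[1] if len(fields) > 1 else owner
        if host.startswith("-") or user.startswith("-"):
            continue  # negative entry: denies access, grants nothing
        if host == "+":
            reason = "any host is trusted"
        elif host.startswith("+@"):
            reason = "netgroup %s trusted; check its members" % host[2:]
        elif host.split(".")[0] not in controlled:
            reason = "host %s has a root account outside IT control" % host
        elif user == "+":
            reason = "any user on %s may log in as %s" % (host, owner)
        elif user != owner:
            reason = "remote user %s may log in as %s" % (user, owner)
        else:
            continue
        findings.append((lineno, line, reason))
    return findings


# Constructed sample of ~bob/.rhosts, including the 'foo bob' entry
# the message warns about.
SAMPLE_BOB_RHOSTS = """\
# constructed sample
huey bob
foo bob
-bar
+ +
"""

if __name__ == "__main__":
    for lineno, entry, reason in audit_rhosts("bob", SAMPLE_BOB_RHOSTS):
        print("~bob/.rhosts:%d: %-10s %s" % (lineno, entry, reason))
```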