Re: nfs, trusted users
From: Duncan Thomson (duncant@mitre.org) Date: 10/10/02
- In reply to: A. Marshall: "Re: nfs, trusted users"
- Next in thread: Michael Zedler: "Re: nfs, trusted users"
- Reply: Michael Zedler: "Re: nfs, trusted users"
From: Duncan Thomson <duncant@mitre.org> Date: Thu, 10 Oct 2002 09:04:29 -0400
"A. Marshall" wrote:
>
> Michael Zedler wrote:
>
> > Hello,
> >
> > here we have a nfs/nis server that exports its shares to several
> > linux-pc's. The owners of these pc's have the root password, because a)
> > it's their pc b) they could become root by booting with a floppy and
> > overwriting the root password.
> > How can I prevent the following situation:
> > user alpha logs in, switches to root, switches to user beta without being
> > prompted for a password, now having read and write access to ~beta.
> > How can I avoid this problem with a server side solution? (I can not trust
> > the clients because anybody could become root with a floppy)
>
> How about using your exports lists to control
> what each workstation can mount. Restrict them to just their own
> directories.
> (OK, you need to modify fstab on the workstations too, but if the server
> won't offer the filesystem to them, they shouldn't be able to do too much
> damage)
>
But he may want to allow users to access others' directories, just not
unrestricted read/write access.
So, how about this: As suggested above, use your exports list to allow
specific machines to mount specific directories. (i.e. export joe's directory
only to joe's machine.) Then, if you want joe to also be able to access other
users' directories, also access these directories to joe, but use nfs user ID
mapping (all squash option), so that NO MATTER WHAT uid and gid joe uses when
he tries to access those directories, on the server machine he only gets
access as anonuid and anongid. Users can then set file access permission as
desired to allow or prevent read/write/execute permission by anonuid/anongid.
If you have a lot of users your exports configuration may get a bit messy, but
I think this should work.
Duncan
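
The export layout described in the message above, as an added example that is not part of the original post: a small generator for Linux exports(5) lines, which also addresses the point about the configuration getting messy with many users. The host names, the sharing map, the anonymous uid/gid 65534, the `sync` and `root_squash` options on the owner's entry, and the function names are all assumptions chosen for illustration.

```python
# Added example: build /etc/exports lines for the per-host export scheme above.
# Host names, paths and the anonymous uid/gid are constructed sample values.
import re

HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")  # literal hosts only, no wildcards


def export_line(path, owner_host, guest_hosts, anonuid=65534, anongid=65534):
    """One exports(5) line: the owner's host keeps real uids, guests are squashed."""
    hosts = [owner_host, *guest_hosts]
    for h in hosts:
        if not HOST_RE.fullmatch(h):
            raise ValueError(f"refusing non-literal host spec: {h!r}")
    if len(set(hosts)) != len(hosts):
        # A host listed twice would make its effective options ambiguous.
        raise ValueError(f"{path}: host listed twice")
    clients = [f"{owner_host}(rw,sync,root_squash)"]
    # all_squash: every uid/gid the guest machine presents maps to anonuid/anongid.
    squash = f"rw,sync,all_squash,anonuid={anonuid},anongid={anongid}"
    clients += [f"{h}({squash})" for h in sorted(guest_hosts)]
    return f"{path} " + " ".join(clients)


def build_exports(owners, sharing, home="/home"):
    """owners: user -> workstation; sharing: user -> users allowed to mount that home."""
    lines = []
    for user in sorted(owners):
        guests = [owners[g] for g in sharing.get(user, [])]
        lines.append(export_line(f"{home}/{user}", owners[user], guests))
    return "\n".join(lines) + "\n"


OWNERS = {"alpha": "pc-alpha", "beta": "pc-beta", "joe": "pc-joe"}  # constructed
SHARING = {"beta": ["joe"], "alpha": ["joe", "beta"]}              # constructed

if __name__ == "__main__":
    print(build_exports(OWNERS, SHARING), end="")
```

With this layout a directory is never offered to a machine that is not listed for it, and on a guest machine the uid chosen after `su` makes no difference: the server applies only the permissions the directory's owner granted to the anonymous uid/gid.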