Re: nfs, trusted users

From: Michael Zedler (michael.zedler@post.rwth-aachen.de)
Date: 10/10/02


From: "Michael Zedler" <michael.zedler@post.rwth-aachen.de>
Date: Thu, 10 Oct 2002 17:35:24 +0200

Hello,

actually, a good idea that you have. But what happens if user b shall be
able to work on the computer owned by a?

bye,
Michael

"Duncan Thomson" <duncant@mitre.org> wrote in message
news:3DA57ADD.4BD8E829@mitre.org...
> "A. Marshall" wrote:
> >
> > Michael Zedler wrote:
> >
> > > Hello,
> > >
> > > here we have a nfs/nis server that exports its shares to several
> > > linux-pc's. The owners of these pc's have the root password, because a)
> > > it's their pc b) they could become root by booting with a floppy and
> > > overwriting the root password.
> > > How can I prevent the following situation:
> > > user alpha logs in, switches to root, switches to user beta without being
> > > prompted for a password, now having read and write access to ~beta.
> > > How can I avoid this problem with a server side solution? (I can not trust
> > > the clients because anybody could become root with a floppy)
> >
> > How about using your exports lists to control
> > what each workstation can mount. Restrict them to just their own
> > directories.
> > (OK, you need to modify fstab on the workstations too, but if the server
> > won't offer the filesystem to them, they shouldn't be able to do too much
> > damage)
> >
>
> But he may want to allow users to access other's directories, just not
> unrestricted read/write access.
>
> So, how about this: As suggested above, use your exports list to allow
> specific machines to mount specific directories. (i.e. export joe's directory
> only to joe's machine.) Then, if you want joe to also be able to access other
> user's directories, also access these directories to joe, but use nfs user ID
> mapping (all squash option), so that NO MATTER WHAT uid and gid joe uses when
> he tries to access those directories, on the server machine he only gets
> access as anonuid and anongid. Users can then set file access permission as
> desired to allow or prevent read/write/execute permission by anonuid/anongid.
>
> If you have a lot of users your exports configuration may get a bit messy, but
> I think this should work.
>
> Duncan
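
As an added example (not part of the original posts), a small Python check of an exports file against the scheme Duncan describes: each home directory is exported with normal uid mapping only to its owner's machine, and to any other host only with all_squash. The hostnames, paths and owner map are constructed, one workstation per user is assumed, and the extra no_root_squash check is an addition beyond what the thread discusses.

```python
# Added example: audit an /etc/exports-style file against the policy described
# in the thread. Hostnames, paths and the owner map are constructed samples.
import re

# Constructed sample exports for three home directories.
SAMPLE_EXPORTS = """\
# owner's machine gets normal uid mapping; other hosts must be squashed
/home/joe  pc-joe(rw,root_squash)  pc-ann(rw,all_squash,anonuid=65534,anongid=65534)
/home/ann  pc-ann(rw,root_squash)  pc-joe(rw)
/home/bob  pc-bob(rw,no_root_squash)
"""

# Assumption: one workstation per user (hypothetical mapping).
OWNER_HOST = {"/home/joe": "pc-joe", "/home/ann": "pc-ann", "/home/bob": "pc-bob"}

CLIENT_RE = re.compile(r"^([^()\s]+)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Yield (path, host, set_of_options) for every client on every line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            yield path, m.group(1), opts


def audit(text, owner_host):
    """Return findings where a client's local root could act as another user."""
    findings = []
    for path, host, opts in parse_exports(text):
        # Any host other than the owner's must be mapped to anonuid/anongid.
        if host != owner_host.get(path) and "all_squash" not in opts:
            findings.append((path, host, "non-owner host without all_squash"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash set"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, OWNER_HOST):
        print(*finding, sep=": ")
```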


