Re: nfs, trusted users

From: Duncan Thomson (duncant@mitre.org)
Date: 10/10/02 

From: Duncan Thomson <duncant@mitre.org>
Date: Thu, 10 Oct 2002 14:10:17 -0400

Michael Zedler wrote:
>
> Hello,
>
> actually, a good idea that you have. But what happens if user b shall be
> able to work on the computer owned by a?

This reminds me of the joke about the guy who tells the doctor, "It hurts
when I do this". The doctor just replies, "Then don't do that!"

Of course, user a could sit down at user b's machine, log in, then telnet
(or ssh, or whatever) back to a's own machine, log in there, then plug away
fat and happy.

Duncan

>
> bye,
> Michael
>
> "Duncan Thomson" <duncant@mitre.org> schrieb im Newsbeitrag
> news:3DA57ADD.4BD8E829@mitre.org...
> > "A. Marshall" wrote:
> > >
> > > Michael Zedler wrote:
> > >
> > > > Hello,
> > > >
> > > > here we have a nfs/nis server that exports its shares to several
> > > > linux-pc's. The owners of these pc's have the root password, because
> a)
> > > > it's their pc b) they could become root by booting with a floppy and
> > > > overwriting the root password.
> > > > How can I prevent the following situation:
> > > > user alpha logs in, switches to root, switches to user beta without
> being
> > > > prompted for a password, now having read and write access to ~beta.
> > > > How can I avoid this problem with a server side solution? (I can not
> trust
> > > > the clients because anybody could become root with a floppy)
> > >
> > > How about using your exports lists to control
> > > what each workstation can mount. Restrict them to just their own
> > > directories.
> > > (OK, you need to modify fstab on the workstations too, but if the server
> > > won't
> > > offer the filesystem to them, they shouldn't be able to do too much
> damage)
> > >
> >
> > But he may want to allow users to access other's directories, just not
> > unrestricted read/write access.
> >
> > So, how about this: As suggested above, use your exports list to allow
> > specific machines to mount specific directories. (i.e. export joe's
> directory
> > only to joe's machine.) Then, if you want joe to also be able to access
> other
> > user's directories, also access these directories to joe, but use nfs user
> ID
> > mapping (all squash option), so that NO MATTER WHAT uid and gid joe uses
> when
> > he tries to access those directories, on the server machine he only gets
> > access as anonuid and anongid. Users can then set file access permission
> as
> > desired to allow or prevent read/write/execute permission by
> anonuid/anongid.
> >
> > If you have a lot of users your exports configuration may get a bit messy,
> but
> > I think this should work.
> >
> > Duncan

Quantcast