Re: NFS NIS and security

From: Juha Laiho (
Date: 05/24/02

From: Juha Laiho <>
Date: Fri, 24 May 2002 19:07:01 GMT

Ramamurthy Badrinath <> said:
>I have a unix file server and wish to export some directories to a
>client, sharing the NIS domain qith thw server.


>It seems that a superuser on the client machine can su to an arbitrary
>NIS account, without providing password. So the root on the client has
>access to all the directories exported from the server to this client.


>Isn't this a security risk, if I have no control over the superuser on
>the client?

It is. NFS and NIS are intended for use only in scenarios where the root
account on all the machines is controlled by the same person/group. If
a local user at a NFS client has root access, much of the security is
lost. Also, depending on the setup, NFS client can be compromised by
having root account on the NFS server (when only having a non-root
account on the client).

>Is there a way around this?

Not with NFS. There are filesystems that address these problems (among
others), but they're not in widespread use. If you truly need these,
read up on AFS and DFS.

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

