On Wed, May 08, Alexandr Malusek wrote:
"Guy Van Sanden" writes:
But there's a quickly increasing number of Linux machines. And the idea has been raised to bring them in to the NIS domain (as users on each station should be able to see which other users own certain data in clearcase). The problem is that every Linux-user has root on his/her own station. So bringing them into NIS makes it easy for them to 'su' to any desired user, and perform actions as that user.
Can this in some way be blocked?
IMHO, it can't. Actually, this was one of the reasons why NIS+ was developed.
That is not correct. NIS+ also cannot prevent root from doing an "su - <user>". You can never prevent root from doing this. The only question is how much damage he can do.

To prevent root on a client from reading the data of this user, you need something like secureNFS. You cannot solve this with NIS, NIS+ or LDAP. root can always disable this service and create the account locally.

Thorsten

--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE Linux AG Deutschherrnstr. 15-19 D-90429 Nuernberg
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B