Hello Keith
The problem is indeed the NFS shares.
They're root_squashed, that's OK.
The problem is that a user who's root on a NIS-client can do 'su' to any user
he wants to, without having his password. He then can perform actions, or read
files as that other user.
I'd like to find some way of preventing that those users get access to everybody's
data, simply by su'ing to root, and then to any user of their choice.
Thanks
Guy
On Wed, 8 May 2002 07:40:23 -0400 Keith Winston
wrote regarding Re: [SLE] [OT] NIS Security:
KW> On Wed, May 08, 2002 at 03:39:17AM -0700, Guy Van Sanden wrote:
KW> > I'm wrestling with a NIS issue.
KW> > My company has NIS implemented for a Solaris network. Each of the Solaris servers
KW> > and stations is managed by a central IT department.
KW> >
KW> > But there's a quickly increasing number of Linux machines. And the idea has
KW> > been raised to bring them in to the NIS domain (as users on each station should
KW> > be able to see which other users own certain data in clearcase).
KW> > The problem is that every Linux-user has root on his/her own station. So bringing
KW> > them into NIS makes it easy for them to 'su' to any desired user, and perform
KW> > actions as that user.
KW> >
KW> > Can this in some way be blocked?
KW>
KW> I'm not sure I understand your issue. If the NIS database is managed by
KW> central IT, then the passwords for NIS users are stored on the NIS
KW> servers. Using su to a local user will not give the linux users any
KW> special rights on the network (the local user will not have the rights
KW> of a similarly named user in a netgroup, for example). If you are
KW> sharing data over NFS, then root_squash on the NFS exports will prevent
KW> tampering from linux root users. It would be possible for a linux user
KW> to download the NIS passwd file and try to crack the passwords, but that
KW> is a risk with any NIS installation.
KW>
KW> Best Regards,
KW> Keith
KW> --
KW> LPIC-2, MCSE, N+
KW> Got spam? Get spastic http://spastic.sourceforge.net
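
An added example, not part of the original thread: root_squash remaps only UID 0, so with the default AUTH_SYS flavor (sec=sys) the NFS server accepts whatever other UID a client sends. This Python script audits /etc/exports content for exports that trust UIDs from clients whose users hold local root; the sample exports, hostnames, paths and the `SELF_ADMIN_PREFIXES` list are constructed assumptions.

```python
import re

# Constructed sample /etc/exports content (hostnames and paths are made up).
SAMPLE_EXPORTS = """\
# path        client(options)
/home         sol-ws*.example.com(rw,root_squash) linux-ws*.example.com(rw,root_squash)
/export/cc    linux-ws*.example.com(rw,sec=krb5)
/export/pub   *(ro,all_squash)
/export/tmp   linux-ws07.example.com
"""

# Assumption: client specs starting with these prefixes cover machines whose
# users have local root ("*" exports to everyone, so it counts as well).
SELF_ADMIN_PREFIXES = ("linux-ws", "*")

ENTRY = re.compile(r"^([^\s(]+)(?:\(([^)]*)\))?$")

def uid_trusting_exports(text, self_admin=SELF_ADMIN_PREFIXES):
    """Return (path, client) pairs where the server accepts any non-root UID
    asserted by a self-administered client."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = ENTRY.match(token)
            if not m:
                continue
            client, raw = m.group(1), m.group(2) or ""
            opts = [o.strip() for o in raw.split(",") if o.strip()]
            # sec= may list several flavors separated by ':'; the default is sys.
            flavors = next((o[4:].split(":") for o in opts
                            if o.startswith("sec=")), ["sys"])
            if "sys" not in flavors:
                continue      # Kerberos only: identity comes from a ticket
            if "all_squash" in opts:
                continue      # every UID is mapped to the anonymous user
            if client.startswith(self_admin):
                findings.append((path, client))
    return findings

if __name__ == "__main__":
    for path, client in uid_trusting_exports(SAMPLE_EXPORTS):
        print(f"{path}: trusts client-asserted UIDs from {client}")
```
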