On Wed, May 08, 2002 at 03:39:17AM -0700, Guy Van Sanden wrote:
> I'm wrestling with a NIS issue. My company has NIS implemented for a Solaris network. Each of the Solaris servers and stations is managed by a central IT department.
> But there's a quickly increasing number of Linux machines. And the idea has been raised to bring them into the NIS domain (as users on each station should be able to see which other users own certain data in ClearCase). The problem is that every Linux user has root on his/her own station. So bringing them into NIS makes it easy for them to 'su' to any desired user, and perform actions as that user.
> Can this in some way be blocked?

I'm not sure I understand your issue. If the NIS database is managed by central IT, then the passwords for NIS users are stored on the NIS servers. Using su to a local user will not give the Linux users any special rights on the network (the local user will not have the rights of a similarly named user in a netgroup, for example).

If you are sharing data over NFS, then root_squash on the NFS exports will prevent tampering from Linux root users. It would be possible for a Linux user to download the NIS passwd file and try to crack the passwords, but that is a risk with any NIS installation.

Best Regards,
Keith
--
LPIC-2, MCSE, N+
Got spam? Get spastic http://spastic.sourceforge.net
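
A check for the root_squash setting mentioned in the reply above, as an added example that is not part of the original thread: it parses /etc/exports content and lists every export/client pair where the client's root user is not squashed. The sample exports, paths and hostnames are constructed; the parser assumes Linux exports(5) syntax without quoted paths and does not model all_squash.

```python
import re

# Constructed sample /etc/exports content (hostnames and paths are made up).
SAMPLE_EXPORTS = """\
# shared storage for Solaris servers and Linux workstations
/export/vobs     linuxws*.example.com(rw,sync)
/export/home     solaris1.example.com(rw,no_root_squash) linuxws*.example.com(rw,root_squash)
/export/tools    -ro,no_root_squash build.example.com linuxws*.example.com(root_squash)
/export/scratch  (rw,no_root_squash)
"""

# A client field is "host", "host(opts)" or "(opts)"; an empty host means any client.
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports text."""
    text = text.replace("\\\n", " ")            # join continuation lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):           # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = CLIENT_RE.match(field)
            if m is None:
                continue                        # malformed field, skip it
            own = [o for o in (m.group("opts") or "").split(",") if o]
            yield path, m.group("host") or "*", defaults + own

def root_is_squashed(options):
    """root_squash is the exports(5) default; the last explicit setting wins."""
    squashed = True
    for opt in options:
        if opt == "root_squash":
            squashed = True
        elif opt == "no_root_squash":
            squashed = False
    return squashed

def unsquashed_exports(text):
    """Return (path, client) pairs where remote root keeps uid 0 on the server."""
    return [(p, c) for p, c, o in parse_exports(text) if not root_is_squashed(o)]

if __name__ == "__main__":
    for path, client in unsquashed_exports(SAMPLE_EXPORTS):
        print(f"root NOT squashed: {path} -> {client}")
```
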