On Wednesday 08 May 2002 08:47 am, Thorsten Kukuk wrote:
On Wed, May 08, Alexandr Malusek wrote:
"Guy Van Sanden" writes:
But there's a quickly increasing number of Linux machines. And the idea has been raised to bring them in to the NIS domain (as users on each station should be able to see which other users own certain data in clearcase). The problem is that every Linux-user has root on his/her own station. So bringing them into NIS makes it easy for them to 'su' to any desired user, and perform actions as that user.
Can this in some way be blocked?
IMHO, it can't. Actually, this was one of the reasons why NIS+ was developed.
That is not correct. NIS+ also cannot prevent root from doing an "su - <user>". You can never prevent root from doing this. The only question is how much damage he can do. To prevent root on a client from reading the data of this user, you need something like secureNFS. You cannot solve this with NIS, NIS+ or LDAP. root can always disable this service and create the account locally.
Perhaps a better solution is to set up "sudo" on the systems instead of giving the users the root password itself. sudo (if set up properly!) automagically limits the scope of what the user can do as root, while still allowing the user to do some stuff as root. Just my $0.02 worth. -Nick
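As an added illustration of the "set up properly" point above (this fragment is not from the thread or from any poster; the group name linuxadmins, the host list and the command paths are assumed placeholders), here is a sudoers fragment that shows the over-broad grant next to a narrowed one. The narrowed rule is an allow list of specific non-interactive commands, which is what keeps the workstation user from reaching a root shell or an "su" to an NIS account through sudo:

```sudoers
# Added example, not part of the original thread.
# Assumptions: a Unix group "linuxadmins" holding the workstation users,
# and standard Linux paths for the commands below.

# Too broad: functionally the same as handing out the root password,
# because ALL includes /bin/su, /bin/sh and sudo itself.
# %linuxadmins ALL=(ALL) ALL

# Narrowed: name the handful of administrative tasks these users need.
# Use full paths and fixed arguments; avoid editors, shells and anything
# else that can spawn a subprocess, since that re-opens the root shell.
Cmnd_Alias PKG_MGMT = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Cmnd_Alias SERVICES = /usr/sbin/service sshd restart, /usr/sbin/service cups restart
Cmnd_Alias MOUNTS   = /bin/mount /mnt/cdrom, /bin/umount /mnt/cdrom

# Members of linuxadmins may run only these commands, only as root, on any
# host (ALL), and only after entering their own password (no NOPASSWD).
%linuxadmins ALL=(root) PKG_MGMT, SERVICES, MOUNTS

# Record what was run so misuse is visible afterwards.
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output
```

Edit the file only through visudo (or check a staged copy with `visudo -c -f <file>`) so a syntax error cannot lock everyone out of sudo, and have a user run `sudo -l` to confirm the rule resolves to exactly the intended commands. Negated entries such as `!/bin/su` are not a substitute for a tight allow list: the sudoers manual itself notes they are easily bypassed when any permitted command can start a shell.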