REPEAT: hasn't anyone used smbclient linux->linux?
Paul L. Lussier
plussier at ne.arris-i.com
Thu Oct 21 13:03:37 GMT 1999
In a message dated: Thu, 21 Oct 1999 07:02:55 +1000
Andreas Hasenack said:
>On Wed, 20 Oct 1999, Paul L. Lussier wrote:
>
>I think I agree with you. I just don't like the concept that, with the root
>password of a *client* machine, one can su to any local user and thus
>invalidate the user authentication part. OK, one shouldn't give the root
>password away, but I don't like this concept: a client machine being able to
>look at any file (but root owned ones) on a *server* machine.
True, which is why netgroups comes in so handy.
As you pointed out, you shouldn't give root access out to anyone, and even if
you don't, that doesn't prevent someone from walking in with a laptop, or
installing Linux (or other version of Unix) on their system, and gaining root
access that way. Netgroups can allow you to export filesystems to only those
groups of machines you want to give access. Of course, this also doesn't
prevent someone from crashing an allowed host on the network, and then
configuring their system as that host in order to mount the filesystems, then
su'ing to some user to access some files. No matter what you do, though,
there's always a way around it.
NFS isn't the most secure of protocols, but neither is SMB. In fact, I'd say
that NFS is more secure than SMB, and it is a whole lot more stable. And as
much network traffic as NFS creates, SMB is a whole lot worse. If you're really
that concerned about protecting your data from unauthorized access, you should
probably consider using one of the ACL packages and combine that with an
encrypted filesystem. Nothing short of that will really keep prying eyes from
your data.
Another question you should ask is, who around here really knows how to get
around NFS security? I've got some brilliant network protocol developers that
work here on my network, but ask them to check the permissions on their own
files, and they're completely baffled :) Also, if you find that you're being
forced into giving out root access for some reason or other, look into using
sudo. It allows you to create an ACL for various commands that need to be
run as root and you can allow exactly only what the user really needs to run
and when and where they can run it. I use this extensively here, and no one
but the sysadmin team knows the root password for anything on our network.
--
Seeya,
Paul
----
Depression is merely anger without enthusiasm.
There cannot be a crisis today; my schedule is already full.
A conclusion is simply the place where you got tired of thinking.
If you're not having fun, you're not doing it right!
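
Added example, not part of the original message: a small audit of an `/etc/exports` file for the point made above about exporting filesystems only to netgroups. The sample exports content, host names and netgroup names are constructed, and the parser assumes the common Linux `path client(options)` layout without quoted paths.

```python
import re

# Constructed sample /etc/exports content (not from the original message).
SAMPLE_EXPORTS = """\
# home directories: only the 'engineering' netgroup
/export/home    @engineering(rw,root_squash)
/export/tools   *(ro)
/export/scratch 192.168.10.0/24(rw,no_root_squash)
/export/build   @buildhosts(rw) oldbox.example.com(rw)
/export/pub     (ro)
"""

# One client entry: optional host spec followed by optional "(options)".
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")

def audit_exports(text):
    """Return a list of (path, client, finding) for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            findings.append((path, "", "no client list: exported to every host"))
        for client in clients:
            m = CLIENT_RE.match(client)
            if m is None:
                findings.append((path, client, "unparseable client entry"))
                continue
            host = m.group("host")
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if host in ("", "*"):
                findings.append((path, client, "exported to every host"))
            elif not host.startswith("@"):    # '@name' marks a netgroup
                findings.append((path, client, "not restricted by netgroup"))
            if "no_root_squash" in opts:
                findings.append((path, client, "client root keeps root on the server"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:16} {client:36} {finding}")
```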