Fw: Re: NIS+ linux box root getting root master ???
Mauricio Brigato
mauricio at bit.fmrp.usp.br
Wed Nov 27 05:38:39 EST 2002
Please help:
I urgently need a solution to my problem.
I don't want my Linux users to be able to do a
su - <another-user> into an NFS-mounted Solaris 8 home directory on their Linux
boxes.
I received some suggestions from Bob Edwards, Darrel Hankerson,
Jesus Garcia and others (thanks a lot to everybody!!!).
I wouldn't like to revoke root access from all my users on the
Linux machines as a first solution (Bob's idea), because I've tested
with an ordinary user and that one can do a su successfully
even as an ordinary user.
Darrel suggested that I separate the home directories and only export
some to the untrusted machines.
Let me see if I understood. The idea would be:
- to make a /home/user1 -> share for a IP1
- to make a /home/user2 -> share for a IP2
- to make a /home/usern -> share for a IPn ???
I've tried various tests:
- sharing the Solaris /home with DES (AUTH_DES), mount_nfs, share_nfs, without
a solution for the Linux boxes;
- changing on Solaris the PAM modules in /etc/pam.conf
for service name su, modules auth, account, session with the options
required, requisite and their variations and combinations, without success.
Could anyone help me, please???
T.I.A.
Maurício
---------- Original Message -----------
From: Bob Edwards <Robert.Edwards at anu.edu.au>
To: Mauricio Brigato <mauricio at gordon.fmrp.usp.br>
Sent: Tue, 10 Sep 2002 09:40:51 +1000
Subject: Re: NIS+ linux box root getting root master ???
> Basically, this is not a NIS+ issue, but an NFS/Unix (su) issue,
> where NIS+ is possibly helping a bit.
>
> As soon as your NFS server exports home directories to your NFS clients
> (be they Linux, Solaris, Irix or whatever), then root on any of those
> client machines can mount those users home directories from the server.
> Remember, NFS stands for No File Security :-).
>
> The suggestion of using Secure RPC/NFS is one solution, but won't
> work with the Linux clients (last time I tried, anyway), and
> seriously impacts performance.
>
> Here at ANU in Australia, we use intermediate gateway machines
> between the NFS servers and the Linux clients (where we want the
> students to be able to log in as root). The gateways basically act
> as session-based authentication checkers and check the UID/GIDs of
> every NFS request from the clients to the server. This has been
> working well now for over 18 months. We can safely have our Linux
> lab machines mounting user home directories from the NFS servers.
> But it is complex to set up and I wouldn't recommend it for the
> average sys-admin.
>
> In the meantime, I recommend revoking root access to all your users
> on the Linux machines (you do this already for the Solaris clients,
> right?).
>
> Disabling "su" may also work, but anyone with root access can easily
> put it back in again (maybe even give it a different name to confuse
> someone who is checking).
>
> Cheers,
>
> Bob Edwards.
>
> Mauricio Brigato wrote:
> >
> > Thanks for everyone who answered it, specially to
> > Richard Dawe and Darrel Hankerson.
> > But, I'm still listening for suggestions..
> > Thanks for all.
> >
> > -------------------------------------------------------------
> > Mauricio Brigato
> > System Administrator - BIT - BioInformatic Team
> > Fundação Hemocentro de Ribeirão Preto
> > Phone: +55 16 3963-9300 Fax: +55 16 3963-9309
> > E-mail: mauricio at bit.fmrp.usp.br
> > Homepage: http://bit.fmrp.usp.br/
> > -------------------------------------------------------------
> >
> > ---------- Original Message -----------
> > From: Darrel Hankerson <hankedr at dms.auburn.edu>
> > To: mauricio at gordon.fmrp.usp.br
> > Sent: Mon, 9 Sep 2002 09:28:49 -0500
> > Subject: Re: NIS+ linux box root getting root master ???
> >
> > > "Mauricio Brigato" <mauricio at gordon.fmrp.usp.br> writes:
> > >
> > > - I have a Sun NIS+ server. This is the main server of my net
> > > (NFS, web, etc.) - I have 6 Linux boxes (Red Hat 7.1/7.2/7.3,
> > > Slackware 8.1) and 4 Sun clients of NIS+, but servers.
> > >
> > > If I log in as root on a Linux box and do a su - <user-of-home-
> > > NIS+>, it works. But how do I block these users? I don't want
> > > my users on a Linux box to have access to all the other users in
> > > my domain!
> > >
> > > If you don't trust root on the client machine, then you cannot export
> > > via ordinary NFS.
> > >
> > > Solaris has secure-NFS (which is easy to use once NIS+ is configured),
> > > which gives limited protection. (At least root doesn't get immediate
> > > access to ordinary user files from the NFS server, since a keylogin
> > > is required.) Linux does not have secure-NFS.
> > >
> > > As a practical solution, perhaps you can separate the home
> > > directories and only export some to the untrusted machines. This
> > > assumes that you have some confidence in root on the client.
> > >
> > > --Darrel Hankerson hankedr at auburn.edu
> > >
> > > ---------- Original Message -----------
> > > From: Darrel Hankerson <hankedr at dms.auburn.edu>
> > > To: mauricio at gordon.fmrp.usp.br
> > > Sent: Mon, 9 Sep 2002 08:50:47 -0500
> > > Subject: Re: NIS+ linux box root getting root master ???
> > >
> > > > > > I don't know why, every linux box which I put
> > > > > > on NIS+ got the privileges of root master with
> > > > > > linux box root login, via su - <user-of-home-nis+>.
> > > >
> > > > Depending on what you mean, this is expected. There is no
> > > > keylogin, so anything that requires credentials fails. But you
> > > > will get access to ordinary user files this way.
> > > >
> > > > --
> > > > Darrel Hankerson hankedr at auburn.edu
> > > ------- End of Original Message -------
> > >
> > ------- End of Original Message -------
> >
------- End of Original Message -------
------- End of Forwarded Message -------
-------------------------------------------------------------
Maurício Brigato
System Administrator - BIT - BioInformatic Team
Fundação Hemocentro de Ribeirão Preto
Phone: +55 16 3963-9300 (9603) Fax: +55 16 3963-9309
E-mail: mauricio at bit.fmrp.usp.br
Homepage: http://bit.fmrp.usp.br/
-------------------------------------------------------------
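The point the thread keeps circling (Bob's "NFS stands for No File Security", Darrel's "if you don't trust root on the client machine, then you cannot export via ordinary NFS") comes down to what the server does with the uid in an RPC credential. The following is an added illustration, not code from the list, from Solaris or from Linux: a small model of the server-side decision that shows why su - user1 as root on an AUTH_SYS client succeeds, why Darrel's per-host exports contain it, and why Secure NFS (sec=dh) makes the su'd session anonymous until someone does a keylogin. The client addresses, uids, the nobody uid and the export entries are all constructed for the example.

```python
"""Model of the NFS access decision discussed in the thread (added example,
not Solaris, Linux or list code).  With AUTH_SYS (sec=sys) the server simply
believes the uid the client kernel places in the RPC credential; "su - user"
by root on the client changes exactly that uid.  Only the export table (which
hosts may mount, whether uid 0 is honoured) and Secure RPC (sec=dh, which
needs a keylogin) constrain it.  All hosts, uids and paths are made up."""
from dataclasses import dataclass
from typing import Optional

NOBODY = 60001               # assumption: the server maps anonymous callers to this uid
USER1, USER2 = 1001, 1002    # constructed uids owning /home/user1 and /home/user2
LINUX1, LINUX2 = "10.0.0.11", "10.0.0.12"   # constructed client addresses


@dataclass(frozen=True)
class Export:
    path: str
    rw: frozenset = frozenset()     # hosts allowed to mount; empty means any host
    root: frozenset = frozenset()   # hosts whose uid 0 is honoured; others are squashed
    sec: str = "sys"                # "sys" = AUTH_SYS, "dh" = AUTH_DES (Secure NFS)


@dataclass(frozen=True)
class Request:
    client: str      # client address as seen by the server
    uid: int         # uid the client asserts in the RPC credential
    keylogin: bool   # does the calling process hold a Secure RPC session key?
    path: str


def su(req: Request, uid: int) -> Request:
    """root on the client runs 'su - <user>': the asserted uid changes, but the
    new session holds no Secure RPC key because nobody ran keylogin for it."""
    return Request(req.client, uid, False, req.path)


def find_export(exports, path: str) -> Optional[Export]:
    """Longest-prefix match of the requested path against the export table."""
    best = None
    for e in exports:
        if path == e.path or path.startswith(e.path.rstrip("/") + "/"):
            if best is None or len(e.path) > len(best.path):
                best = e
    return best


def effective_uid(exports, req: Request) -> Optional[int]:
    """uid the server will act as, or None if the request is refused outright."""
    e = find_export(exports, req.path)
    if e is None or (e.rw and req.client not in e.rw):
        return None                      # path not exported to this host
    if e.sec == "dh" and not req.keylogin:
        return NOBODY                    # Secure NFS: unkeyed caller is anonymous
    if req.uid == 0 and req.client not in e.root:
        return NOBODY                    # root squashing
    return req.uid                       # AUTH_SYS: take the client's word for it


def can_read_home(exports, owner_uid: int, req: Request) -> bool:
    """A mode 0700 home directory: only the owner's uid gets in."""
    return effective_uid(exports, req) == owner_uid


def blanket_export_attack() -> bool:
    """Whole /home exported to everyone with sec=sys.  Root on LINUX2 is
    squashed and cannot read user1's files directly, but succeeds after
    su - user1 because the server trusts the asserted uid."""
    exports = [Export("/home")]
    as_root = Request(LINUX2, 0, False, "/home/user1")
    direct = can_read_home(exports, USER1, as_root)
    after_su = can_read_home(exports, USER1, su(as_root, USER1))
    return (not direct) and after_su


def per_host_exports_contain_it() -> tuple:
    """Darrel's suggestion: export each home only to the host its owner uses.
    su - user1 on LINUX2 now fails because /home/user1 is not exported there;
    user1 on LINUX1 still works.  Returns (cross_host_ok, own_host_ok)."""
    exports = [Export("/home/user1", rw=frozenset({LINUX1})),
               Export("/home/user2", rw=frozenset({LINUX2}))]
    cross = can_read_home(exports, USER1,
                          su(Request(LINUX2, 0, False, "/home/user1"), USER1))
    own = can_read_home(exports, USER1, Request(LINUX1, USER1, False, "/home/user1"))
    return cross, own


def secure_nfs_needs_keylogin() -> tuple:
    """sec=dh: the su'd session has no key and is treated as nobody; a user
    who did keylogin is recognised.  Returns (after_su_ok, keyed_user_ok)."""
    exports = [Export("/home", sec="dh")]
    after_su = can_read_home(exports, USER1,
                             su(Request(LINUX1, 0, False, "/home/user1"), USER1))
    keyed = can_read_home(exports, USER1, Request(LINUX1, USER1, True, "/home/user1"))
    return after_su, keyed


if __name__ == "__main__":
    print("blanket export, su - user1 from root:", blanket_export_attack())
    print("per-host exports (cross host, own host):", per_host_exports_contain_it())
    print("sec=dh (su'd session, keyed user):", secure_nfs_needs_keylogin())
```

The model makes the trade-off in the thread explicit: root squashing only protects uid 0, so it does nothing against su; per-host exports reduce the damage a compromised client can do to the homes it is trusted with, which is why they only help "if you have some confidence in root on the client"; and sec=dh ties the uid to a key rather than to the client's say-so, at the cost Bob describes of Linux support and performance at the time.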