Fw: Re: NIS+ linux box root getting root master ???

Mauricio Brigato mauricio at bit.fmrp.usp.br
Wed Nov 27 05:39:11 EST 2002


Please help:  
  
 I need urgently a solution for my matter.  
 I don't want my linux users make  
 a su -  <another-user> of a NFS-solaris8-home directory on their linux  
boxes.  
 I received some suggestions from Bob Edwards,Darel Hankerson,  
 Jesus Garcia and others (thanks a lot to everybody!!!).  
  
 I wouldn't like to revoke root access to all my users on the  
 Linux machines, as a first solution, cause I've tested  
 with a ordinary user and this one can make a su successfully   
 even as ordinary user. (Bob idea).  
  
 Darrel suggest me separate home directories and only export  
 some to the untrusted machines.  
 Let me see if I understood. The idea would be:  
 - to make a /home/user1 -> share for a IP1  
 - to make a /home/user2 -> share for a IP2  
 - to make a /home/usern -> share for a IPn ???  
  
I've tried various tests:  
- to share solaris /home with DES (AUTH_DES), mount_nfs, share_nfs without 
solution for linux boxes; 
- to change on Solaris the PAM modules in /etc/pamd.conf 
for service name su, modules auth, account, session with the options 
required, requisite and its variations and combinations without success. 
 
Anyone could help me, please??? 
T.I.A. 
 
Maurício  
  
---------- Original Message -----------  
From: Bob Edwards <Robert.Edwards at anu.edu.au>  
To: Mauricio Brigato <mauricio at gordon.fmrp.usp.br>  
Sent: Tue, 10 Sep 2002 09:40:51 +1000  
Subject: Re: NIS+ linux box root getting root master ???  
  
> Basically, this is not a NIS+ issue, but an NFS/Unix (su) issue,   
> where NIS+ is possibly helping a bit.  
>   
> As soon as your NFS server exports home directories to your NFS clients  
> (be they Linux, Solaris, Irix or whatever), then root on any of those  
> client machines can mount those users home directories from the server.  
> Remember, NFS stands for No File Security :-).  
>   
> The suggestion of using Secure RPC/NFS is one solution, but won't   
> work with the Linux clients (last time I tried, anyway), and   
> seriously impacts performance.  
>   
> Here at ANU in Australia, we use intermediate gateway machines   
> between the NFS servers and the Linux clients (where we want the   
> students to be able to log in as root). The gateways basically act   
> as session-based authentication checkers and check the UID/GIDs of   
> every NFS request from the clients to the server. This has been   
> working well now for over 18 months. We can safely have our Linux   
> lab machines mounting user home directories from the NFS servers.   
> But it is complex to set up and I wouldn't recommend it for the   
> average sys-admin.  
>   
> In the meantime, I recommend revoking root access to all your users   
> on the Linux machines (you do this already for the Solaris clients,  
>  right?).  
>   
> Disabling "su" may also work, but anyone with root access can easily   
> put it back in again (maybe even give it a different name to confuse   
> someone who is checking).  
>   
> Cheers,  
>   
> Bob Edwards.  
>   
> Mauricio Brigato wrote:  
> >  
> > Thanks for everyone who answered it, specially to  
> > Richard Dawe and Darrel Hankerson.  
> > But, I'm still listening for suggestions..  
> > Thanks for all.  
> >  
> > -------------------------------------------------------------  
> >       Mauricio Brigato  
> >       System Administrator - BIT - BioInformatic Team  
> >       Fundação Hemocentro de Ribeirão Preto  
> >       Phone: +55 16 3963-9300    Fax: +55 16 3963-9309  
> >       E-mail: mauricio at bit.fmrp.usp.br  
> >       Homepage: http://bit.fmrp.usp.br/  
> > -------------------------------------------------------------  
> >  
> > ---------- Original Message -----------  
> > From: Darrel Hankerson <hankedr at dms.auburn.edu>  
> > To: mauricio at gordon.fmrp.usp.br  
> > Sent: Mon, 9 Sep 2002 09:28:49 -0500  
> > Subject: Re: NIS+ linux box root getting root master ???  
> >  
> > > Mauricio Brigato" <mauricio at gordon.fmrp.usp.br> writes:  
> > >  
> > >    - I have a NIS+ server SUN. This is the main server of my net.  
> > > (NFS, web,   etc.)   - I have 6 linux box (Red Hat 7.1/7.2/7.3,  
> > >  Slackware 8.1) and 4 Sun   clients of NIS+, but servers.  
> > >  
> > >    If I log as root on a linux box, and make a su - <user-of-home-  
> > > NIS+> I got   ok.   But, how I block these user ?   I don't want  
> > > that my user on a linux box have access to all others users   from  
> > > my domain!  
> > >  
> > > If you don't trust root on the client machine, then you cannot export  
> > > via ordinary NFS.  
> > >  
> > > Solaris has secure-NFS (which is easy to use once NIS+ is configured)  
> > > , which gives limited protection.  (At least root doesn't get  
immediate  
> > > access to ordinary user files from the NFS server, since a keylogin  
> > > is required.)  Linux does not have secure-NFS.  
> > >  
> > > As a practical solution, perhaps you can separate the home  
> > > directories and only export some to the untrusted machines.  This  
> > > assumes that you have some confidence in root on the client.  
> > >  
> > > --Darrel Hankerson hankedr at auburn.edu  
> > >  
> > >    ---------- Original Message -----------  
> > >    From: Darrel Hankerson <hankedr at dms.auburn.edu>  
> > >    To: mauricio at gordon.fmrp.usp.br  
> > >    Sent: Mon, 9 Sep 2002 08:50:47 -0500  
> > >    Subject: Re: NIS+ linux box root getting root master ???  
> > >  
> > >    > > > I don't know why, every linux box which I put  
> > >    >    > > on NIS+ got the privileges of root master with  
> > >    >    > > linux box root login, via su - <user-of-home-nis+>.  
> > >    >  
> > >    > Depending on what you mean, this is expected.  There is no  
> > > keylogin,   > so anything that requires credentials fails.  But you  
> > > will get access   > to ordinary user files this way.   >   > --  
> > > Darrel Hankerson hankedr at auburn.edu  
> > >    ------- End of Original Message -------  
> > >  
> > >    mauricio at bit.fmrp.usp.br  
> > ------- End of Original Message -------  
> >  
> > mauricio at bit.fmrp.usp.br  
------- End of Original Message -------  
  
mauricio at bit.fmrp.usp.br  
------- End of Forwarded Message -------  
  
  
-------------------------------------------------------------  
      Maurício Brigato  
      System Administrator - BIT - BioInformatic Team  
      Fundação Hemocentro de Ribeirão Preto  
      Phone: +55 16 3963-9300 (9603)   Fax: +55 16 3963-9309  
      E-mail: mauricio at bit.fmrp.usp.br  
      Homepage: http://bit.fmrp.usp.br/  
-------------------------------------------------------------  
mauricio at bit.fmrp.usp.br




More information about the linux-nisplus mailing list