Fw: Re: NIS+ linux box root getting root master ???

Bob Edwards Robert.Edwards at anu.edu.au
Wed Nov 27 08:11:17 EST 2002


Mauricio Brigato wrote:
> Please help:
>
>  I urgently need a solution for my problem.
>  I don't want my Linux users to make
>  a su -  <another-user> of an NFS-solaris8-home directory on their Linux
> boxes.
>  I received some suggestions from Bob Edwards, Darrel Hankerson,
>  Jesus Garcia and others (thanks a lot to everybody!!!).
>
>  I wouldn't like to revoke root access to all my users on the
>  Linux machines, as a first solution, because I've tested
>  with an ordinary user and this one can make a su successfully
>  even as an ordinary user (Bob's idea).
>

This is a problem. No user should ever be able to su to another user without 
having to supply a password. If I read this correctly, you are saying that any 
user on your Linux machines can su to any other user without a password - if 
so, there is something seriously broken in your setup. Check your PAM 
configuration and the credentials on your NIS+ server for your Linux clients.

>  Darrel suggested that I separate home directories and only export
>  some to the untrusted machines.
>  Let me see if I understood. The idea would be:
>  - to make a /home/user1 -> share for IP1
>  - to make a /home/user2 -> share for IP2
>  - to make a /home/usern -> share for IPn ???
>

This will work (if you do it properly), but will become harder to administer 
as you add more users, more Linux clients and possibly more servers (i.e. it 
won't scale very well).

> I've tried various tests:
> - to share Solaris /home with DES (AUTH_DES), mount_nfs, share_nfs without
> solution for Linux boxes;
> - to change on Solaris the PAM modules in /etc/pamd.conf
> for service name su, modules auth, account, session with the options
> required, requisite and their variations and combinations without success.
> 

I don't understand what either of these "tests" are actually trying to solve 
in the context of your initial problem with NFS to the Linux machines.

Please be aware that this issue has almost nothing to do with NIS+ (and so, 
rightly, shouldn't live on this list). It is a pure NFS permissions problem.

My recommendation, in the first instance, is to revoke root access to your 
Linux users (i.e. change the root password and don't allow them to log in as 
root). There are still many ways for people to thwart the NFS security issue, 
but at least they will then need to be determined and hence possibly draw 
attention to themselves.

Cheers,

Bob Edwards.
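
Added example, not part of the original message or of any poster's configuration: a generator for the per-user, per-client exports discussed in the thread, producing one Solaris `share` line per home directory so the growth Bob mentions is visible. The `/export/home` base path, the "user host" input format and the sample map are assumptions; with ordinary AUTH_SYS NFS the server still trusts the UID the client sends, so this only narrows which homes a given client can reach.

```shell
#!/bin/sh
# Added example: emit Solaris dfstab "share" lines that export each home
# directory only to the client(s) assigned to its owner.
# Assumptions: homes live under HOME_BASE; stdin holds "user host" pairs.
HOME_BASE=${HOME_BASE:-/export/home}

gen_dfstab() {
    awk -v base="$HOME_BASE" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }        # skip blanks and comments
        # Strict whitelist: a value such as "host,root=host" must never
        # reach the -o option string, where it would add share options.
        NF != 2 || $1 !~ /^[a-z_][a-z0-9_-]*$/ || $2 !~ /^[A-Za-z0-9.-]+$/ {
            printf "line %d rejected: %s\n", NR, $0 | "cat 1>&2"
            bad = 1; next
        }
        {
            if (!($1 in hosts)) { order[++n] = $1; hosts[$1] = $2 }
            else if (index(":" hosts[$1] ":", ":" $2 ":") == 0)
                hosts[$1] = hosts[$1] ":" $2      # access lists are colon-separated
        }
        END {
            for (i = 1; i <= n; i++)
                printf "share -F nfs -o rw=%s,nosuid %s/%s\n", hosts[order[i]], base, order[i]
            exit bad + 0                          # non-zero if any line was rejected
        }'
}

sample_map() {   # constructed sample data, not taken from the thread
    cat <<'EOF'
# user   client allowed to mount that home
user1  192.0.2.11
user2  192.0.2.12
user2  lab2.example.org
user3  192.0.2.13,root=192.0.2.13
EOF
}

# Demo run: prints the accepted share lines, reports the rejected entry.
sample_map | gen_dfstab || echo "some map entries were rejected (see above)" >&2
```

No `root=` option is generated, so root on a client stays mapped to the anonymous user on the server.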




