Fw: Re: NIS+ linux box root getting root master ???

Simon Xu simon.xu at motorola.com
Wed Nov 27 12:50:26 EST 2002


Hi,

I don't 100% understand your problem.
But I don't have any similar problems like these:
- no user can su to another user without a password
  (except root) on a Linux client; only root can su to any user
  without a password. That's also true on other
  Unixes like Sun Solaris.
- if a user's home dir is on the server, root
  on the Linux client can't access the home dir if
  you don't share the file system for root access
  explicitly.

Mauricio Brigato wrote:
> 
> Please help:
> 
>  I urgently need a solution to my problem.
>  I don't want my Linux users to do a
>  su - <another-user> into an NFS Solaris 8 home directory on their Linux
> boxes.
>  I received some suggestions from Bob Edwards, Darrel Hankerson,
>  Jesus Garcia and others (thanks a lot to everybody!!!).
> 
>  I wouldn't like to revoke root access for all my users on the
>  Linux machines as a first solution, because I've tested
>  with an ordinary user and that user can su successfully
>  even as an ordinary user. (Bob's idea.)
> 
>  Darrel suggested that I separate the home directories and only export
>  some to the untrusted machines.
>  Let me see if I understood. The idea would be:
>  - to make /home/user1 -> shared for IP1
>  - to make /home/user2 -> shared for IP2
>  - to make /home/usern -> shared for IPn ???
> 
> I've tried various tests:
> - to share Solaris /home with DES (AUTH_DES), mount_nfs, share_nfs, without
> a solution for the Linux boxes;
> - to change the PAM modules on Solaris in /etc/pamd.conf
> for service name su, modules auth, account and session, with the options
> required, requisite and their variations and combinations, without success.
> 
> Could anyone help me, please???
> T.I.A.
> 
> Maurício
> 
> ---------- Original Message -----------
> From: Bob Edwards <Robert.Edwards at anu.edu.au>
> To: Mauricio Brigato <mauricio at gordon.fmrp.usp.br>
> Sent: Tue, 10 Sep 2002 09:40:51 +1000
> Subject: Re: NIS+ linux box root getting root master ???
> 
> > Basically, this is not a NIS+ issue, but an NFS/Unix (su) issue,
> > where NIS+ is possibly helping a bit.
> >
> > As soon as your NFS server exports home directories to your NFS clients
> > (be they Linux, Solaris, Irix or whatever), then root on any of those
> > client machines can mount those users home directories from the server.
> > Remember, NFS stands for No File Security :-).
> >
> > The suggestion of using Secure RPC/NFS is one solution, but won't
> > work with the Linux clients (last time I tried, anyway), and
> > seriously impacts performance.
> >
> > Here at ANU in Australia, we use intermediate gateway machines
> > between the NFS servers and the Linux clients (where we want the
> > students to be able to log in as root). The gateways basically act
> > as session-based authentication checkers and check the UID/GIDs of
> > every NFS request from the clients to the server. This has been
> > working well now for over 18 months. We can safely have our Linux
> > lab machines mounting user home directories from the NFS servers.
> > But it is complex to set up and I wouldn't recommend it for the
> > average sys-admin.
> >
> > In the meantime, I recommend revoking root access to all your users
> > on the Linux machines (you do this already for the Solaris clients,
> > right?).
> >
> > Disabling "su" may also work, but anyone with root access can easily
> > put it back in again (maybe even give it a different name to confuse
> > someone who is checking).
> >
> > Cheers,
> >
> > Bob Edwards.
> >
> > Mauricio Brigato wrote:
> > >
> > > Thanks to everyone who answered, especially to
> > > Richard Dawe and Darrel Hankerson.
> > > But I'm still listening for suggestions...
> > > Thanks to all.
> > >
> > > -------------------------------------------------------------
> > >       Mauricio Brigato
> > >       System Administrator - BIT - BioInformatic Team
> > >       Fundação Hemocentro de Ribeirão Preto
> > >       Phone: +55 16 3963-9300    Fax: +55 16 3963-9309
> > >       E-mail: mauricio at bit.fmrp.usp.br
> > >       Homepage: http://bit.fmrp.usp.br/
> > > -------------------------------------------------------------
> > >
> > > ---------- Original Message -----------
> > > From: Darrel Hankerson <hankedr at dms.auburn.edu>
> > > To: mauricio at gordon.fmrp.usp.br
> > > Sent: Mon, 9 Sep 2002 09:28:49 -0500
> > > Subject: Re: NIS+ linux box root getting root master ???
> > >
> > > > "Mauricio Brigato" <mauricio at gordon.fmrp.usp.br> writes:
> > > >
> > > >    - I have a NIS+ server, a Sun. This is the main server of my net
> > > >      (NFS, web, etc.)
> > > >    - I have 6 Linux boxes (Red Hat 7.1/7.2/7.3, Slackware 8.1) and 4 Sun
> > > >      clients of NIS+, but servers.
> > > >
> > > >    If I log in as root on a Linux box and do a su - <user-of-home-NIS+>,
> > > >    I get in OK. But how do I block these users? I don't want
> > > >    my users on a Linux box to have access to all the other users
> > > >    from my domain!
> > > >
> > > > If you don't trust root on the client machine, then you cannot export
> > > > via ordinary NFS.
> > > >
> > > > Solaris has secure-NFS (which is easy to use once NIS+ is configured),
> > > > which gives limited protection.  (At least root doesn't get immediate
> > > > access to ordinary user files from the NFS server, since a keylogin
> > > > is required.)  Linux does not have secure-NFS.
> > > >
> > > > As a practical solution, perhaps you can separate the home
> > > > directories and only export some to the untrusted machines.  This
> > > > assumes that you have some confidence in root on the client.
> > > >
> > > > --Darrel Hankerson hankedr at auburn.edu
> > > >
> > > >    ---------- Original Message -----------
> > > >    From: Darrel Hankerson <hankedr at dms.auburn.edu>
> > > >    To: mauricio at gordon.fmrp.usp.br
> > > >    Sent: Mon, 9 Sep 2002 08:50:47 -0500
> > > >    Subject: Re: NIS+ linux box root getting root master ???
> > > >
> > > >    > > > I don't know why, every linux box which I put
> > > >    > > > on NIS+ got the privileges of root master with
> > > >    > > > linux box root login, via su - <user-of-home-nis+>.
> > > >    >
> > > >    > Depending on what you mean, this is expected.  There is no
> > > >    > keylogin, so anything that requires credentials fails.  But you
> > > >    > will get access to ordinary user files this way.
> > > >    >
> > > >    > -- Darrel Hankerson hankedr at auburn.edu
> > > >    ------- End of Original Message -------
> > > >
> > > >    mauricio at bit.fmrp.usp.br
> > > ------- End of Original Message -------
> > >
> > > mauricio at bit.fmrp.usp.br
> ------- End of Original Message -------
> 
> mauricio at bit.fmrp.usp.br
> ------- End of Forwarded Message -------
> 
> 
> -------------------------------------------------------------
>       Maurício Brigato
>       System Administrator - BIT - BioInformatic Team
>       Fundação Hemocentro de Ribeirão Preto
>       Phone: +55 16 3963-9300 (9603)   Fax: +55 16 3963-9309
>       E-mail: mauricio at bit.fmrp.usp.br
>       Homepage: http://bit.fmrp.usp.br/
> -------------------------------------------------------------
> mauricio at bit.fmrp.usp.br
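As an added example (not part of the thread), a small shell check over a constructed dfstab that flags the two export settings the thread warns about: a home directory shared to every host rather than to a named access list (Darrel's "only export some to the untrusted machines") and a share that explicitly grants root= to a client (Simon's "share the file system for root access explicitly"). The host names and paths are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit Solaris-style "share" lines
# (the /etc/dfs/dfstab syntax) for home-directory exports that either are
# mountable by every host or explicitly hand root= to a client.

# Constructed sample dfstab; host names and paths are made up for the demo.
DFSTAB=$(mktemp)
cat > "$DFSTAB" <<'EOF'
# weak: any host that can reach the server may mount user1's home
share -F nfs -o rw /export/home/user1
# weak: the client linux1 is given root access to user2's home
share -F nfs -o rw=linux1,root=linux1 /export/home/user2
# tighter: only the listed clients may mount, and root is squashed
share -F nfs -o rw=linux3:sun1 /export/home/user3
# not a home directory, ignored by the audit
share -F nfs -o ro /export/pub
EOF

# Print one "WEAK <path> <reason>" line per problem found in the file $1.
audit_shares() {
  awk '
    /^[ \t]*share[ \t]/ {
      path = $NF                       # the shared path is the last field
      if (path !~ /\/home\//) next     # only home-directory shares matter here
      opts = ""
      for (i = 1; i < NF; i++) if ($i == "-o") opts = $(i + 1)
      n = split(opts, o, ",")
      openhosts = 1; rootgrant = 0
      for (j = 1; j <= n; j++) {
        if (o[j] ~ /^(rw|ro)=/) openhosts = 0   # an access list names the clients
        if (o[j] ~ /^root=/)    rootgrant = 1   # root= turns off root squashing
      }
      if (openhosts) print "WEAK " path " exported to every host"
      if (rootgrant) print "WEAK " path " grants root= to a client"
    }' "$1"
}

# Number of weak shares in the file $1 (2 for the constructed sample).
count_weak() {
  audit_shares "$1" | grep -c '^WEAK'
}

audit_shares "$DFSTAB"
```

Even a tight access list only decides which hosts may mount: as Darrel notes in the thread, root on a host that is allowed to mount can still su to a user's uid and read that user's files, so this check complements restricting who has root on the clients rather than replacing it.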



More information about the linux-nisplus mailing list