Fw: Re: NIS+ linux box root getting root master ???

Mauricio Brigato mauricio at bit.fmrp.usp.br
Thu Nov 28 06:16:14 EST 2002


I think this is a NIS+ question. 
 
Cause I tested my linux box as a NIS client 
of another NIS server and my user can't make a 
<su - other-user-of-home>. 
 
I'm new with NIS+. 
I didn't define a group for my 
users. Wouldn't this be the cause of my errors???
And about the rights ?? I've heard
that after installation you have to redefine
the rights policy ...
 
What do you think ? 
 
T.I.A. 
 
Maurício.  
 
 
 
---------- Original Message ----------- 
From: Bob Edwards <Robert.Edwards at anu.edu.au> 
To: Mauricio Brigato <mauricio at gordon.fmrp.usp.br> 
Sent: Wed, 27 Nov 2002 08:11:17 +1100 
Subject: Re: Fw: Re: NIS+ linux box root getting root master ??? 
 
> Mauricio Brigato wrote: 
> > Please help: 
> > 
> >  I need urgently a solution for my matter. 
> >  I don't want my linux users make 
> >  a su -  <another-user> of a NFS-solaris8-home directory on their linux 
> > boxes. 
> >  I received some suggestions from Bob Edwards, Darrel Hankerson,
> >  Jesus Garcia and others (thanks a lot to everybody!!!).
> >
> >  I wouldn't like to revoke root access to all my users on the
> >  Linux machines, as a first solution, 'cause I've tested
> >  with an ordinary user and this one can make a su successfully
> >  even as ordinary user. (Bob's idea).
> > 
>  
> This is a problem. No user should ever be able to su to another user  
> without having to supply a password. If I read this correctly, you  
> are saying that any user on your Linux machines can su to any other  
> user without a password - if so, there is something seriously broken  
> in your setup. Check your PAM configuration and the credentials on  
> your NIS+ server for your Linux clients. 
>  
> >  Darrel suggested that I separate home directories and only export
> >  some to the untrusted machines.
> >  Let me see if I understood. The idea would be: 
> >  - to make a /home/user1 -> share for a IP1 
> >  - to make a /home/user2 -> share for a IP2 
> >  - to make a /home/usern -> share for a IPn ??? 
> > 
>  
> This will work (if you do it properly), but will become harder to
> administer as you add more users, more Linux clients and possibly
> more servers (ie. it won't scale very well).
>  
> > I've tried various tests: 
> > - to share solaris /home with DES (AUTH_DES), mount_nfs, share_nfs
> > without solution for linux boxes;
> > - to change on Solaris the PAM modules in /etc/pamd.conf 
> > for service name su, modules auth, account, session with the options 
> > required, requisite and its variations and combinations without success. 
> > 
>  
> I don't understand what either of these "tests" are actually trying  
> to solve in the context of your initial problem with NFS to the  
> Linux machines. 
>  
> Please be aware that this issue has almost nothing to do with NIS+  
> (and so, rightly, shouldn't live on this list). It is a pure NFS  
> permissions problem. 
>  
> My recommendation, in the first instance, is to revoke root access  
> to your Linux users (ie. change the root password and don't allow  
> them to log in as root). There are still many ways for people to  
> thwart the NFS security issue, but at least they will then need to  
> be determined and hence possibly draw attention to themselves. 
>  
> Cheers, 
>  
> Bob Edwards. 
------- End of Original Message ------- 
mauricio at bit.fmrp.usp.br




More information about the linux-nisplus mailing list