NIS+ linux box root getting root master ???

Bob Edwards Robert.Edwards at anu.edu.au
Tue Sep 10 09:40:51 EST 2002


Basically, this is not a NIS+ issue, but an NFS/Unix (su) issue, where
NIS+ is possibly helping a bit.

As soon as your NFS server exports home directories to your NFS clients
(be they Linux, Solaris, Irix or whatever), then root on any of those
client machines can mount those users' home directories from the server.
Remember, NFS stands for No File Security :-).

The suggestion of using Secure RPC/NFS is one solution, but won't work
with the Linux clients (last time I tried, anyway), and seriously
impacts performance.

Here at ANU in Australia, we use intermediate gateway machines between
the NFS servers and the Linux clients (where we want the students to be
able to log in as root). The gateways basically act as session-based
authentication checkers and check the UID/GIDs of every NFS request from
the clients to the server. This has been working well now for over 18
months. We can safely have our Linux lab machines mounting user home
directories from the NFS servers. But it is complex to set up and I
wouldn't recommend it for the average sys-admin.

In the meantime, I recommend revoking root access to all your users on
the Linux machines (you do this already for the Solaris clients, right?).

Disabling "su" may also work, but anyone with root access can easily put
it back in again (maybe even give it a different name to confuse someone
who is checking).

Cheers,

Bob Edwards.

Mauricio Brigato wrote:
> 
> Thanks for everyone who answered it, specially to
> Richard Dawe and Darrel Hankerson.
> But, I'm still listening for suggestions..
> Thanks for all.
> 
> -------------------------------------------------------------
>       Mauricio Brigato
>       System Administrator - BIT - BioInformatic Team
>       Fundação Hemocentro de Ribeirão Preto
>       Phone: +55 16 3963-9300    Fax: +55 16 3963-9309
>       E-mail: mauricio at bit.fmrp.usp.br
>       Homepage: http://bit.fmrp.usp.br/
> -------------------------------------------------------------
> 
> ---------- Original Message -----------
> From: Darrel Hankerson <hankedr at dms.auburn.edu>
> To: mauricio at gordon.fmrp.usp.br
> Sent: Mon, 9 Sep 2002 09:28:49 -0500
> Subject: Re: NIS+ linux box root getting root master ???
> 
> > "Mauricio Brigato" <mauricio at gordon.fmrp.usp.br> writes:
> >
> >    - I have a NIS+ server SUN. This is the main server of my net.
> >      (NFS, web, etc.)
> >    - I have 6 linux box (Red Hat 7.1/7.2/7.3, Slackware 8.1) and
> >      4 Sun clients of NIS+, but servers.
> >
> >    If I log as root on a linux box, and make a su - <user-of-home-NIS+>
> >    I got ok. But, how do I block these users? I don't want my user on a
> >    linux box to have access to all the other users from my domain!
> >
> > If you don't trust root on the client machine, then you cannot export
> > via ordinary NFS.
> >
> > Solaris has secure-NFS (which is easy to use once NIS+ is configured),
> > which gives limited protection.  (At least root doesn't get immediate
> > access to ordinary user files from the NFS server, since a keylogin
> > is required.)  Linux does not have secure-NFS.
> >
> > As a practical solution, perhaps you can separate the home
> > directories and only export some to the untrusted machines.  This
> > assumes that you have some confidence in root on the client.
> >
> > --Darrel Hankerson hankedr at auburn.edu
> >
> >    ---------- Original Message -----------
> >    From: Darrel Hankerson <hankedr at dms.auburn.edu>
> >    To: mauricio at gordon.fmrp.usp.br
> >    Sent: Mon, 9 Sep 2002 08:50:47 -0500
> >    Subject: Re: NIS+ linux box root getting root master ???
> >
> >    > > > I don't know why, every linux box which I put
> >    > > > on NIS+ got the privileges of root master with
> >    > > > linux box root login, via su - <user-of-home-nis+>.
> >    >
> >    > Depending on what you mean, this is expected.  There is no
> >    > keylogin, so anything that requires credentials fails.  But you
> >    > will get access to ordinary user files this way.
> >    >
> >    > --
> >    > Darrel Hankerson hankedr at auburn.edu
> >    ------- End of Original Message -------
> >
> >    mauricio at bit.fmrp.usp.br
> ------- End of Original Message -------
> 
> mauricio at bit.fmrp.usp.br
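The trust problem the thread describes (an AUTH_SYS NFS server believing whatever UID the client kernel sends, so that root on a client can `su` to a user and read that user's home directory) can at least be made visible on the server. The following is an added example, not code from the list or from any of its posters: it parses a constructed /etc/exports and flags every entry that still accepts `sec=sys`, where `root_squash` does not help because the su'd UID is an ordinary user, not UID 0. Hostnames and paths are made up.

```python
import re

# Constructed /etc/exports for a server like the Sun in the thread; hosts and
# paths are made up for this example and are not from the list post.
SAMPLE_EXPORTS = """\
/export/home   lab1.example.org(rw,sync) lab2.example.org(rw,sync,no_root_squash)
/export/home   *.lab.example.org(rw,sec=sys:krb5p)
/export/staff  gw.example.org(rw,sec=krb5i)
/export/pub    *(ro)
"""

def parse_exports(text):
    """Return (path, host, options) for every client entry in exports(5) syntax."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", client)
            host = m.group(1) or "*"                   # "(opts)" with no host means everyone
            opts = m.group(2).split(",") if m.group(2) else []
            entries.append((path, host, opts))
    return entries

def sec_flavors(opts):
    """Security flavours the entry accepts; exportfs defaults to sec=sys."""
    for opt in opts:
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]

def audit(text):
    """Flag entries where AUTH_SYS is accepted: the server then trusts the
    UID/GID the client sends, so root on the client can 'su' to any user and
    read that user's files. root_squash only remaps UID 0, not the su'd UID."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "sys" not in sec_flavors(opts):
            continue                                   # Kerberos-only: client UID not trusted
        reason = "accepts sec=sys (client-asserted UIDs)"
        if "no_root_squash" in opts:
            reason += "; no_root_squash also leaves client root as server root"
        if host.startswith("*"):
            reason += "; wildcard host"
        findings.append((path, host, reason))
    return findings
```

Run `audit(open("/etc/exports").read())` on the server to list the exports that the thread's `su -` trick would reach; only the Kerberos-only entry (`sec=krb5i`) is left out.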
