NIS+ linux box root getting root master ???

Mauricio Brigato mauricio at bit.fmrp.usp.br
Wed Sep 11 00:57:54 EST 2002


Dear Bob,

Thank you very much for your complete analysis of the problem,
the solution and the scenarios around it.

Sincerely,

-------------------------------------------------------------
      Mauricio Brigato
      System Administrator - BIT - BioInformatic Team
      Fundação Hemocentro de Ribeirão Preto
      Phone: +55 16 3963-9300    Fax: +55 16 3963-9309
      E-mail: mauricio at bit.fmrp.usp.br
      Homepage: http://bit.fmrp.usp.br/
-------------------------------------------------------------

---------- Original Message -----------
From: Bob Edwards <Robert.Edwards at anu.edu.au>
To: Mauricio Brigato <mauricio at gordon.fmrp.usp.br>
Sent: Tue, 10 Sep 2002 09:40:51 +1000
Subject: Re: NIS+ linux box root getting root master ???

> Basically, this is not a NIS+ issue, but an NFS/Unix (su) issue, 
> where NIS+ is possibly helping a bit.
> 
> As soon as your NFS server exports home directories to your NFS clients
> (be they Linux, Solaris, Irix or whatever), then root on any of those
> client machines can mount those users home directories from the server.
> Remember, NFS stands for No File Security :-).
> 
> The suggestion of using Secure RPC/NFS is one solution, but won't 
> work with the Linux clients (last time I tried, anyway), and 
> seriously impacts performance.
> 
> Here at ANU in Australia, we use intermediate gateway machines 
> between the NFS servers and the Linux clients (where we want the 
> students to be able to log in as root). The gateways basically act 
> as session-based authentication checkers and check the UID/GIDs of 
> every NFS request from the clients to the server. This has been 
> working well now for over 18 months. We can safely have our Linux 
> lab machines mounting user home directories from the NFS servers. 
> But it is complex to set up and I wouldn't recommend it for the 
> average sys-admin.
> 
> In the meantime, I recommend revoking root access to all your users 
> on the Linux machines (you do this already for the Solaris clients,
> right?).
> 
> Disabling "su" may also work, but anyone with root access can easily 
> put it back in again (maybe even give it a different name to confuse 
> someone who is checking).
> 
> Cheers,
> 
> Bob Edwards.
> 
> Mauricio Brigato wrote:
> >
> > Thanks for everyone who answered it, specially to
> > Richard Dawe and Darrel Hankerson.
> > But, I'm still listening for suggestions..
> > Thanks for all.
> >
> > -------------------------------------------------------------
> >       Mauricio Brigato
> >       System Administrator - BIT - BioInformatic Team
> >       Fundação Hemocentro de Ribeirão Preto
> >       Phone: +55 16 3963-9300    Fax: +55 16 3963-9309
> >       E-mail: mauricio at bit.fmrp.usp.br
> >       Homepage: http://bit.fmrp.usp.br/
> > -------------------------------------------------------------
> >
> > ---------- Original Message -----------
> > From: Darrel Hankerson <hankedr at dms.auburn.edu>
> > To: mauricio at gordon.fmrp.usp.br
> > Sent: Mon, 9 Sep 2002 09:28:49 -0500
> > Subject: Re: NIS+ linux box root getting root master ???
> >
> > > "Mauricio Brigato" <mauricio at gordon.fmrp.usp.br> writes:
> > >
> > >    - I have a NIS+ server SUN. This is the main server of my net
> > >      (NFS, web, etc.)
> > >    - I have 6 Linux boxes (Red Hat 7.1/7.2/7.3, Slackware 8.1) and
> > >      4 Sun clients of NIS+, but servers.
> > >
> > >    If I log in as root on a Linux box and do su - <user-of-home-NIS+>,
> > >    I get OK. But how do I block these users? I don't want my users on
> > >    a Linux box to have access to all the other users from my domain!
> > >
> > > If you don't trust root on the client machine, then you cannot export
> > > via ordinary NFS.
> > >
> > > Solaris has secure-NFS (which is easy to use once NIS+ is configured)
> > > , which gives limited protection.  (At least root doesn't get immediate
> > > access to ordinary user files from the NFS server, since a keylogin
> > > is required.)  Linux does not have secure-NFS.
> > >
> > > As a practical solution, perhaps you can separate the home
> > > directories and only export some to the untrusted machines.  This
> > > assumes that you have some confidence in root on the client.
> > >
> > > --Darrel Hankerson hankedr at auburn.edu
> > >
> > >    ---------- Original Message -----------
> > >    From: Darrel Hankerson <hankedr at dms.auburn.edu>
> > >    To: mauricio at gordon.fmrp.usp.br
> > >    Sent: Mon, 9 Sep 2002 08:50:47 -0500
> > >    Subject: Re: NIS+ linux box root getting root master ???
> > >
> > >    > > > I don't know why, every Linux box which I put
> > >    > > > on NIS+ got the privileges of root master with
> > >    > > > Linux box root login, via su - <user-of-home-nis+>.
> > >    >
> > >    > Depending on what you mean, this is expected.  There is no
> > >    > keylogin, so anything that requires credentials fails.  But you
> > >    > will get access to ordinary user files this way.
> > >    >
> > >    > -- Darrel Hankerson hankedr at auburn.edu
> > >    ------- End of Original Message -------
> > >
> > >    mauricio at bit.fmrp.usp.br
> > ------- End of Original Message -------
> >
> > mauricio at bit.fmrp.usp.br
------- End of Original Message -------

mauricio at bit.fmrp.usp.br
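The thread above boils down to one property of plain NFS: the server believes whatever UID the client presents, so root on a client can 'su - alice' and read alice's home directory, and root_squash does nothing about it. Darrel's practical suggestion is to split the home directories and export only some of them to the machines whose root you do not trust. The script below is an added example illustrating that audit and the split; it is not code from the list, from Sun or from any Linux distribution. It assumes Linux /etc/exports syntax (a Solaris server uses /etc/dfs/dfstab and share(1M) options, which parse differently), and the host names, the weak and hardened exports texts and the set of untrusted hosts are all constructed for the example.

```python
"""Audit Linux-style /etc/exports for home-directory exports reachable by
hosts whose root user you do not trust.

Added example for the linux-nisplus thread; not code from the list or from
any vendor. Assumes Linux /etc/exports syntax ("/path host(opts) ...").
All host names and exports text below are constructed.
"""
import fnmatch
import re

# Finding labels returned by audit_exports().
HOME_TO_UNTRUSTED = "home directories mountable by a host whose root can su to any user"
NO_ROOT_SQUASH = "no_root_squash: client root is uid 0 on the server too"
ANY_HOST = "exported to every host on the network"

# Constructed sample matching the thread: all homes go to the whole subnet,
# so root on any Linux box can mount them and 'su - <user>' to read files.
WEAK_EXPORTS = """\
# /etc/exports (weak)
/export/home   192.168.1.0/24(rw,sync)
/export/www    *(ro)
/export/tools  linux1(rw,no_root_squash)
"""

# Hardened counterpart, following the suggestion to split the home tree:
# the full tree goes only to the trusted Solaris clients, the lab boxes get
# a separate tree holding only the lab users' homes. root_squash is the
# default but is spelled out to make the intent visible.
HARDENED_EXPORTS = """\
# /etc/exports (hardened)
/export/home      sun1(rw,sync,root_squash) sun2(rw,sync,root_squash)
/export/home-lab  linux1(rw,sync,root_squash) linux2(rw,sync,root_squash)
/export/www       sun1(ro) sun2(ro) linux1(ro) linux2(ro)
"""

# Hosts where ordinary users get root (the Linux lab machines). Constructed.
UNTRUSTED_HOSTS = frozenset({"linux1", "linux2", "linux3"})

_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, [(client, set(options)), ...]) for each export line.

    Comments and blank lines are skipped. A bare "(opts)" with no host
    means every host, as it does for exportfs. The "host (opts)" form with
    a space in between is not handled.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        clients = []
        for spec in fields[1:]:
            m = _SPEC.match(spec)
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            clients.append((client, opts))
        yield fields[0], clients


def covers_untrusted(client, untrusted):
    """True if a client spec can include an untrusted host.

    Subnets and literal IPs are assumed to cover the lab boxes, since names
    cannot be resolved offline; '*' and glob patterns are matched against
    the untrusted host names.
    """
    if client == "*" or "/" in client or client[0].isdigit():
        return True
    return any(fnmatch.fnmatchcase(h, client) for h in untrusted)


def audit_exports(text, untrusted=UNTRUSTED_HOSTS, home_prefix="/export/home"):
    """Return [(path, client, finding), ...] for the exports text.

    What this does not catch: root_squash only maps client uid 0 to nobody.
    A root user who runs 'su - alice' presents alice's uid, so every home
    exported to that host is readable regardless of squashing. That is why
    the home-directory finding ignores the squash options entirely.
    """
    findings = []
    for path, clients in parse_exports(text):
        under_home = path == home_prefix or path.startswith(home_prefix + "/")
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, ANY_HOST))
            if "no_root_squash" in opts:
                findings.append((path, client, NO_ROOT_SQUASH))
            if under_home and covers_untrusted(client, untrusted):
                findings.append((path, client, HOME_TO_UNTRUSTED))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(f"== {label} ==")
        for path, client, finding in audit_exports(text) or [("-", "-", "no findings")]:
            print(f"{path:18} {client:18} {finding}")
```

Run it as-is to see the weak file produce three findings and the hardened file none. The design point is the one Darrel made: the only thing the server can enforce is which hosts may mount which trees, so the hardened layout gives the lab boxes a tree that contains nothing root there should not already be able to read. Taking root away from users on the Linux clients, as Bob recommends, is the fix for the rest.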