NIS client root privilege

Smile Maker [britto_can at yahoo.com]


Tue, 6 Nov 2007 03:17:20 -0800 (PST)

Folks,

When I configure NIS client in Linux machines the client's roots are having exclusive access to the home directories by doing "su username "

Is there any way to prevent that?

Thanks & regards, Britto




Mulyadi Santosa [mulyadi.santosa at gmail.com]


Tue, 06 Nov 2007 23:45:25 +0700

Hi...

> Folks,
>
>   When I configure NIS client in Linux machines the client's roots are having exclusive access to the home directories by doing  "su username " 
>
> Is there any way to prevent that?
>
>   
Do you mean, let's say I am user A. When I do:
$ su B
I switch to B and have access to B's home directory?

If it's something like that, I need to know: what directories are exported to the client? /home? /home/<user>? I guess you're exporting the whole /home?

regards,

Mulyadi




Jim Jackson [jj at franjam.org.uk]


Tue, 6 Nov 2007 22:21:55 +0000 (GMT)

On Tue, 6 Nov 2007, Smile Maker wrote:

> Folks,
>
>   When I configure NIS client in Linux machines the client's roots are
> having exclusive access to the home directories by doing "su username "
>
> Is there any way to prevent that?

Do you mean NIS? Or do you mean NFS?

Jim




Smile Maker [britto_can at yahoo.com]


Tue, 6 Nov 2007 22:38:47 -0800 (PST)

It is on NIS.

In nis client root can do su - username

and access his files.




Faber J. Fedor [faber at linuxnj.com]


Wed, 7 Nov 2007 11:31:14 -0500

On 06/11/07 22:38 -0800, Smile Maker wrote:

> It is on NIS.
> 
> In nis client root can do su - username 
> 
> and access his files.

I don't think there is a way to stop that, other than not mounting the directories-that-shall-not-be-accessed.

-- 
 
Regards,
 
Faber Fedor
President
Linux New Jersey, Inc.
908-320-0357
800-706-0701



Karl-Heinz Herrmann [khh at khherrmann.de]


Wed, 7 Nov 2007 21:20:17 +0100

On Tue, 6 Nov 2007 22:38:47 -0800 (PST) Smile Maker <britto_can@yahoo.com> wrote:

> In nis client root can do su - username 

That's one of the major security problems if anybody besides trusted admins has root access anywhere with NFS shared files. You can switch off that root is allowed to su without password to a different user -- but then root can allow this again of course by changing the same config file.

The only way to give RESTRICTED root access (like apt-get ...) is setting up the sudoers file so (specific) normal users may do CERTAIN things but definitely not everything (like sudo bash).

On the other hand, with samba/cifs files it MIGHT be possible (not tested) to allow users to mount their particular part of home to a mount point they have access to (not all users to the same mountpoint) with authentication. Then local root might not be able to do that much harm to other users so easily. cifs is supposed to carry some unix attributes over samba shares, but I'm not quite sure yet what exactly and how to set this up with the proper fstab lines.

K.-H.
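
The sudoers restriction described in the message above, as an added example that is not part of the original thread: a small audit that flags sudoers rules amounting to full root (`ALL`, or a shell such as the `sudo bash` case) and passes rules limited to specific commands. The function names and the sample rules are constructed for illustration, and the parser is deliberately simplified.

```python
import re

# Programs that give the caller an unrestricted root shell ("sudo bash" in the thread).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}

# Constructed sample sudoers content, not taken from any real system.
SAMPLE = """\
# constructed sample
Cmnd_Alias PKG = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Cmnd_Alias DEBUG = /usr/bin/tcpdump, /bin/bash
alice ALL = (root) PKG
bob   ALL = (ALL) ALL
carol ALL = (root) NOPASSWD: DEBUG
"""

def _split(cmds):
    return [c.strip() for c in cmds.split(",") if c.strip()]

def _risk(cmd):
    """Return a reason string if cmd amounts to full root, else None."""
    if cmd == "ALL":
        return "ALL commands"
    prog = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
    if prog in SHELLS and not cmd.startswith("!"):   # "!cmd" is a denial, not a grant
        return "root shell: " + cmd

def audit_sudoers(text):
    """Return (line number, user, reason) for rules that grant unrestricted root.
    Simplified: no line continuations, includes, or User/Host/Runas alias expansion."""
    aliases, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"(Defaults|User_Alias|Host_Alias|Runas_Alias)\b", line):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = _split(cmds)
            continue
        who, _, spec = line.partition("=")
        spec = re.sub(r"^\s*\([^)]*\)", "", spec)        # drop the (runas) part
        for item in _split(spec):
            item = re.sub(r"^([A-Z]+:\s*)+", "", item)   # drop tags such as NOPASSWD:
            for cmd in aliases.get(item, [item]):
                reason = _risk(cmd)
                if reason:
                    findings.append((lineno, who.split()[0], reason))
    return findings

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE))
```

On the sample, the rule for alice passes, while bob (`ALL`) and carol (a shell hidden inside a command alias) are reported.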

