From: "Jorge R . Csapo" <jorge@completo.com.br>
To: Michael Salmon <Michael.Salmon@telia.com>
Cc: linux-admin@vger.kernel.org
Subject: Re: NIS and NFS
Date: Wed, 26 Mar 2003 10:48:01 -0200 [thread overview]
Message-ID: <20030326104801.A10230@completo.com.br> (raw)
In-Reply-To: <12350000.1048624084@[192.168.0.101]>; from Michael.Salmon@telia.com on Tue, Mar 25, 2003 at 09:28:04PM +0100
tks Michael, I'll look into it.
Jorge
assim falou Michael Salmon (em 25/03/2003):
> --On 2003-03-25 14.41.05 -0200 "Jorge R . Csapo" <jorge@completo.com.br>
> wrote:
>
> > Hi all, I've been wrecking my brains over this one but I'm threading
> > water:
> >
> > I have a Linux-only network with one server and a number of stations. The
> > server's /home directory is exported and mounted by the stations via NFS.
> > The server also serves NIS and the setup lets users log onto any one of
> > the stations and have the same /home/~user everywhere.
> >
> > My problem is that every user is 'root' at his/her own station. Of course
> > NFS has been configured not to grant access to remote root users, but
> > there's nothing to prevent users from 'becoming' someone else with su and
> > then the NFS/NIS authentication scheme falls flat on its face.
> >
> > For instance:
> >
> > . User 'jdoe' logs onto his own station. He's authenticated via NIS and
> > mounts /home from the server.
> > . jdoe then runs 'su' and becomes root.
> > . root runs 'su - jblow' and becomes jblow.
> > . jblow cds to /home/jblow...
> >
> > After going through man docs, howtos and google entries for NIS, NFS and
> > su and drawing a blank, I'd appreciate any and all insights you people
> > may have on the subject.
>
> Your analysis is quite correct, your clients cannot be trusted and hence
> you cannot allow them to mount your server if you care about security. You
> have a few choices, one is to use a beter form of authentication than just
> hostname (e.g. kerberos), unfortunately Linux does not appear to support
> this. The simplest approach is to export the directories using samba and
> mount them with smbmount. You could also look at sfs <http://fs.net> or
> perhaps afs/arla.
>
> /Michael
> --
> This space intentionally left non-blank.
--
Jorge R. Csapo
--------------------------------------------------
/"\
\ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
/ \
--------------------------------------------------
http://www.completo.com.br/~jorge
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster
next prev parent reply other threads:[~2003-03-26 12:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-25 16:41 NIS and NFS Jorge R . Csapo
2003-03-25 20:28 ` Michael Salmon
2003-03-26 12:48 ` Jorge R . Csapo [this message]
-- strict thread matches above, loose matches on Subject: below --
2003-03-25 20:28 Michael Salmon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030326104801.A10230@completo.com.br \
--to=jorge@completo.com.br \
--cc=Michael.Salmon@telia.com \
--cc=linux-admin@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.