From: "Jorge R . Csapo" <jorge@completo.com.br>
To: Michael Salmon <Michael.Salmon@telia.com>
Cc: linux-admin@vger.kernel.org
Subject: Re: NIS and NFS
Date: Wed, 26 Mar 2003 10:48:01 -0200
Message-ID: <20030326104801.A10230@completo.com.br>
In-Reply-To: <12350000.1048624084@[192.168.0.101]>; from Michael.Salmon@telia.com on Tue, Mar 25, 2003 at 09:28:04PM +0100
tks Michael, I'll look into it.
Jorge
Thus spoke Michael Salmon (on 25/03/2003):
> --On 2003-03-25 14.41.05 -0200 "Jorge R . Csapo" <jorge@completo.com.br>
> wrote:
>
> > Hi all, I've been racking my brains over this one but I'm treading
> > water:
> >
> > I have a Linux-only network with one server and a number of stations. The
> > server's /home directory is exported and mounted by the stations via NFS.
> > The server also serves NIS and the setup lets users log onto any one of
> > the stations and have the same /home/~user everywhere.
> >
> > My problem is that every user is 'root' at his/her own station. Of course
> > NFS has been configured not to grant access to remote root users, but
> > there's nothing to prevent users from 'becoming' someone else with su and
> > then the NFS/NIS authentication scheme falls flat on its face.
> >
> > For instance:
> >
> > . User 'jdoe' logs onto his own station. He's authenticated via NIS and
> > mounts /home from the server.
> > . jdoe then runs 'su' and becomes root.
> > . root runs 'su - jblow' and becomes jblow.
> > . jblow cds to /home/jblow...
> >
> > After going through man docs, howtos and google entries for NIS, NFS and
> > su and drawing a blank, I'd appreciate any and all insights you people
> > may have on the subject.
>
> Your analysis is quite correct, your clients cannot be trusted and hence
> you cannot allow them to mount your server if you care about security. You
> have a few choices, one is to use a better form of authentication than just
> hostname (e.g. kerberos), unfortunately Linux does not appear to support
> this. The simplest approach is to export the directories using samba and
> mount them with smbmount. You could also look at sfs <http://fs.net> or
> perhaps afs/arla.
>
> /Michael
> --
> This space intentionally left non-blank.
--
Jorge R. Csapo
--------------------------------------------------
/"\
\ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
/ \
--------------------------------------------------
http://www.completo.com.br/~jorge
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster
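The failure Jorge describes is a property of the NFS authentication flavour, not of NIS or of the export options: with AUTH_SYS (the `sec=sys` default, called AUTH_UNIX in RFC 5531) every RPC call carries the uid and gid list the client claims, unsigned, and `root_squash` can only remap uid 0. The server therefore cannot distinguish a request from jblow from one by jdoe who became root and ran `su - jblow`. The following Python model is an added example, not code from the thread: it encodes and decodes the real XDR layout of an `authsys_parms` credential and applies the server's `root_squash` rule to it. The hostnames, uids, and the 0700 home-directory rule are constructed for the example.

```python
"""Why root_squash does not protect /home in the scenario above (added example).

NFS with the AUTH_SYS flavour sends the client's claimed uid/gid list in the
credential of every RPC call with no cryptographic binding to a user.  The
server can only apply uid-based policy such as root_squash; it has no way to
tell that a uid was obtained with 'su' on a client where the user is root.
The hostnames, uids and home-directory rule below are constructed.
"""
import struct

# Where root_squash maps uid/gid 0 (Linux nfsd default anonuid/anongid).
NOBODY_UID = 65534
NOBODY_GID = 65534


def _xdr_uint(n: int) -> bytes:
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def _xdr_string(s: bytes) -> bytes:
    """XDR variable-length opaque/string: length, bytes, pad to 4-byte boundary."""
    return _xdr_uint(len(s)) + s + b"\x00" * ((-len(s)) % 4)


def encode_authsys(stamp: int, machinename: bytes, uid: int, gid: int, gids) -> bytes:
    """XDR-encode an authsys_parms body as an NFS client puts it on the wire.

    RFC 5531: struct authsys_parms { unsigned int stamp; string machinename<255>;
    unsigned int uid; unsigned int gid; unsigned int gids<16>; };
    """
    if len(machinename) > 255 or len(gids) > 16:
        raise ValueError("authsys_parms limits: machinename<255>, gids<16>")
    body = _xdr_uint(stamp) + _xdr_string(machinename) + _xdr_uint(uid) + _xdr_uint(gid)
    body += _xdr_uint(len(gids)) + b"".join(_xdr_uint(g) for g in gids)
    return body


def decode_authsys(body: bytes) -> dict:
    """Server-side parse of the credential.  Nothing in it is authenticated."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from(">I", body, off)
        off += 4
        return v

    stamp = u32()
    n = u32()
    name = body[off:off + n]
    off += n + ((-n) % 4)
    uid, gid = u32(), u32()
    gids = [u32() for _ in range(u32())]
    if off != len(body):
        raise ValueError("trailing bytes in authsys_parms")
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid, "gids": gids}


def effective_identity(cred: dict, root_squash: bool = True) -> tuple:
    """Identity the server uses for permission checks on a sec=sys export."""
    if root_squash and cred["uid"] == 0:
        return NOBODY_UID, NOBODY_GID
    return cred["uid"], cred["gid"]


def can_enter_home(cred: dict, home_owner_uid: int) -> bool:
    """Constructed rule: a mode 0700 home directory admits only its owner's uid."""
    uid, _ = effective_identity(cred)
    return uid == home_owner_uid


if __name__ == "__main__":
    JDOE, JBLOW = 1001, 1002          # constructed NIS uids
    # jdoe runs 'su' on his own station: uid 0 is squashed, /home/jblow stays closed.
    as_root = decode_authsys(encode_authsys(1, b"station1", 0, 0, [0]))
    print("root from station1 ->", effective_identity(as_root),
          "enter /home/jblow:", can_enter_home(as_root, JBLOW))
    # root then runs 'su - jblow': the client now sends uid 1002 and the server
    # has nothing to check it against, so the squash never triggers.
    as_jblow = decode_authsys(encode_authsys(2, b"station1", JBLOW, 100, [100]))
    print("'jblow' from station1 ->", effective_identity(as_jblow),
          "enter /home/jblow:", can_enter_home(as_jblow, JBLOW))
```

Run it and the second line shows the squash being bypassed without any attack on the server: the credential is syntactically valid and the server honours it. The only fix on the NFS side is a flavour that binds the request to a principal the server can verify; on current Linux kernels that is RPCSEC_GSS, selected per export with `sec=krb5`, `sec=krb5i` or `sec=krb5p` in `/etc/exports`, which matches the Kerberos option Michael names in his reply.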
Thread overview:
2003-03-25 16:41 NIS and NFS Jorge R . Csapo
2003-03-25 20:28 ` Michael Salmon
2003-03-26 12:48 ` Jorge R . Csapo [this message]