From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jorge R . Csapo"
Subject: Re: NIS and NFS
Date: Wed, 26 Mar 2003 10:48:01 -0200
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <20030326104801.A10230@completo.com.br>
References: <20030325144105.B6601@completo.com.br> <12350000.1048624084@[192.168.0.101]>
Mime-Version: 1.0
Return-path:
Content-Disposition: inline
In-Reply-To: <12350000.1048624084@[192.168.0.101]>; from Michael.Salmon@telia.com on Tue, Mar 25, 2003 at 09:28:04PM +0100
List-Id:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Michael Salmon
Cc: linux-admin@vger.kernel.org

tks Michael, I'll look into it.

Jorge

Thus spoke Michael Salmon (on 25/03/2003):
> --On 2003-03-25 14.41.05 -0200 "Jorge R . Csapo"
> wrote:
>
> > Hi all, I've been racking my brains over this one but I'm treading
> > water:
> >
> > I have a Linux-only network with one server and a number of stations. The
> > server's /home directory is exported and mounted by the stations via NFS.
> > The server also serves NIS and the setup lets users log onto any one of
> > the stations and have the same /home/~user everywhere.
> >
> > My problem is that every user is 'root' at his/her own station. Of course
> > NFS has been configured not to grant access to remote root users, but
> > there's nothing to prevent users from 'becoming' someone else with su and
> > then the NFS/NIS authentication scheme falls flat on its face.
> >
> > For instance:
> >
> > . User 'jdoe' logs onto his own station. He's authenticated via NIS and
> >   mounts /home from the server.
> > . jdoe then runs 'su' and becomes root.
> > . root runs 'su - jblow' and becomes jblow.
> > . jblow cds to /home/jblow...
> >
> > After going through man docs, howtos and google entries for NIS, NFS and
> > su and drawing a blank, I'd appreciate any and all insights you people
> > may have on the subject.
> >
> Your analysis is quite correct, your clients cannot be trusted and hence
> you cannot allow them to mount your server if you care about security. You
> have a few choices, one is to use a better form of authentication than just
> hostname (e.g. kerberos), unfortunately Linux does not appear to support
> this. The simplest approach is to export the directories using samba and
> mount them with smbmount. You could also look at sfs or
> perhaps afs/arla.
>
> /Michael
> --
> This space intentionally left non-blank.

--
Jorge R. Csapo
--------------------------------------------------
  /"\
  \ /   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
   X
  / \
--------------------------------------------------
http://www.completo.com.br/~jorge
===========================================
With a PC, I always felt limited by the software available.
On Unix, I am limited only by my knowledge.  --Peter J. Schoenster
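Added example, not part of the thread and not code from either poster. The reason the root_squash configuration Jorge describes does not help is visible in the AUTH_SYS (AUTH_UNIX) credential an NFS client puts on every RPC call: the uid and gids are plain integers filled in by the client kernel, so whoever is root on the client can present any uid. The code below encodes that credential as XDR per RFC 5531 section 9.2 and runs a toy server-side check that, like root_squash, remaps only uid 0. The station name, the uids for jdoe and jblow, and the /home layout are constructed for the example.

```python
"""AUTH_SYS credentials as an NFS client sends them, with a toy root_squash check.

Added example: shows why a client that lets users become root cannot be
trusted under AUTH_SYS. The uid in the credential is asserted by the client;
root_squash only rewrites uid 0, so 'su - jblow' on the client yields a
credential the server accepts as jblow. Names, uids and paths are constructed.
"""
import struct
import time
from typing import Dict, List, Optional

NOBODY_UID = 65534  # what root_squash maps uid 0 to (constructed value)


def xdr_uint(n: int) -> bytes:
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def xdr_string(s: bytes) -> bytes:
    """XDR variable-length opaque/string: length, data, zero-padded to 4 bytes."""
    pad = (-len(s)) % 4
    return xdr_uint(len(s)) + s + b"\x00" * pad


def encode_auth_sys(machinename: bytes, uid: int, gid: int,
                    gids: List[int], stamp: Optional[int] = None) -> bytes:
    """authsys_parms (RFC 5531 sec. 9.2): stamp, machinename, uid, gid, gids<16>."""
    if stamp is None:
        stamp = int(time.time()) & 0xFFFFFFFF
    if len(gids) > 16:
        raise ValueError("AUTH_SYS carries at most 16 supplementary gids")
    body = xdr_uint(stamp) + xdr_string(machinename) + xdr_uint(uid) + xdr_uint(gid)
    body += xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids)
    return body


def decode_auth_sys(data: bytes) -> Dict[str, object]:
    """Parse the structure produced by encode_auth_sys, as a server would."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from(">I", data, off)
        off += 4
        return v

    stamp = u32()
    n = u32()
    name = data[off:off + n]
    off += n + ((-n) % 4)  # skip the string and its padding
    uid, gid = u32(), u32()
    gids = [u32() for _ in range(u32())]
    return {"stamp": stamp, "machinename": name.decode(), "uid": uid,
            "gid": gid, "gids": gids}


# Constructed server-side view of the export: home directories owned by uid.
HOME_OWNERS = {"/home/jdoe": 1001, "/home/jblow": 1002}


def server_effective_uid(cred: Dict[str, object], root_squash: bool = True) -> int:
    """root_squash rewrites only uid 0; every other uid is taken at face value."""
    if root_squash and cred["uid"] == 0:
        return NOBODY_UID
    return int(cred["uid"])  # type: ignore[arg-type]


def server_allows(cred_bytes: bytes, path: str, root_squash: bool = True) -> bool:
    """Toy mode-0700 home directory check: access iff the asserted uid owns it."""
    cred = decode_auth_sys(cred_bytes)
    return server_effective_uid(cred, root_squash) == HOME_OWNERS[path]


def demo() -> Dict[str, bool]:
    """Replay the su chain from the original post against the toy server."""
    jdoe = encode_auth_sys(b"station1", 1001, 1001, [1001])   # jdoe, logged in
    root = encode_auth_sys(b"station1", 0, 0, [0])            # after 'su'
    forged = encode_auth_sys(b"station1", 1002, 1002, [1002])  # after 'su - jblow'
    return {
        "jdoe_own_home": server_allows(jdoe, "/home/jdoe"),      # True
        "root_jblow_home": server_allows(root, "/home/jblow"),   # False: squashed
        "forged_jblow_home": server_allows(forged, "/home/jblow"),  # True: the flaw
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The third result is the whole problem: root_squash is not an authentication control, it only removes the one uid the server refuses to honour. Michael's Kerberos suggestion replaces exactly this field. With RPCSEC_GSS (sec=krb5, sec=krb5i or sec=krb5p on the export and on the mount) the server derives the uid from a Kerberos principal the user had to hold a key for, so what the client kernel asserts no longer matters; Linux kernels from the 2.6 series onward support it on both sides, even though it was not available to the posters in 2003.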