Linux box root/ordinary user making su - another-user without password

From: Mauricio Brigato (mauricio@gordon.fmrp.usp.br)
Date: Wed Nov 27 2002 - 11:31:51 EST


This is an NFS question ...
 
Please help me.
T.I.A.
---------- Forwarded Message -----------
From: Bob Edwards <Robert.Edwards@anu.edu.au>
To: Mauricio Brigato <mauricio@gordon.fmrp.usp.br>
Sent: Wed, 27 Nov 2002 08:11:17 +1100
Subject: Re: Fw: Re: NIS+ linux box root getting root master ???
 
Mauricio Brigato wrote:
> Please help:
>
> I urgently need a solution to my problem.
> I don't want my Linux users to make
> a su - <another-user> to an NFS Solaris 8 home directory on their Linux
> boxes.
> I received some suggestions from Bob Edwards, Darel Hankerson,
> Jesus Garcia and others (thanks a lot to everybody!!!).
>
> I wouldn't like to revoke root access to all my users on the
> Linux machines, as a first solution, because I've tested
> with an ordinary user and this one can make a su successfully
> even as an ordinary user (Bob's idea).
>
 
This is a problem. No user should ever be able to su to another user without
having to supply a password. If I read this correctly, you are saying that
any user on your Linux machines can su to any other user without a password - if
so, there is something seriously broken in your setup. Check your PAM
configuration and the credentials on your NIS+ server for your Linux
clients.
 
> Darrel suggested separate home directories and only exporting
> some to the untrusted machines.
> Let me see if I understood. The idea would be:
> - to make /home/user1 -> a share for IP1
> - to make /home/user2 -> a share for IP2
> - to make /home/usern -> a share for IPn ???
>
 
This will work (if you do it properly), but will become harder to administer
as you add more users, more Linux clients and possibly more servers (i.e. it
won't scale very well).
 
> I've tried various tests:
> - to share the Solaris /home with DES (AUTH_DES), mount_nfs, share_nfs, without
> a solution for Linux boxes;
> - to change on Solaris the PAM modules in /etc/pamd.conf
> for service name su, modules auth, account, session, with the options
> required, requisite and their variations and combinations, without success.
>
 
I don't understand what either of these "tests" are actually trying to solve
in the context of your initial problem with NFS to the Linux machines.
 
Please be aware that this issue has almost nothing to do with NIS+ (and so,
rightly, shouldn't live on this list). It is a pure NFS permissions problem.
 
My recommendation, in the first instance, is to revoke root access to your
Linux users (i.e. change the root password and don't allow them to log in as
root). There are still many ways for people to thwart the NFS security issue,
but at least they will then need to be determined and hence possibly draw
attention to themselves.
 
Cheers,
 
Bob Edwards.
------- End of Forwarded Message -------
 
 
-------------------------------------------------------------
      Maurício Brigato
      System Administrator - BIT - BioInformatic Team
-------------------------------------------------------------
mauricio@bit.fmrp.usp.br
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
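As an added defender's example (not code from the original post), this Python script audits a Solaris-style /etc/dfs/dfstab for the per-host home shares discussed above and flags the conditions Bob describes: shares with no host restriction, shares granting client root, and AUTH_SYS shares that trust whatever UID the client presents. The hostnames and paths are constructed; the option syntax (rw=, root=, sec=sys|dh) is Solaris share_nfs's, where sec=dh is the AUTH_DES mode Mauricio tried.

```python
import shlex

# Constructed sample dfstab: per-user home shares, each meant for one Linux client.
SAMPLE_DFSTAB = """\
share -F nfs -o rw=linux1.example.org,sec=sys /export/home/user1
share -F nfs -o rw=linux2.example.org,sec=dh /export/home/user2
share -F nfs -o rw,root=linux3.example.org /export/home/user3
share -F nfs -d "left open by mistake" /export/home/usern
"""

def parse_share(line):
    """Return {'path', 'opts'} for one `share -F nfs ...` line, else None."""
    argv = shlex.split(line)
    if len(argv) < 2 or argv[0] != "share":
        return None
    opts = {}
    i = 1
    while i < len(argv) - 1:            # argv[-1] is the shared path
        if argv[i] == "-o":             # -o key=val[:val],key,...
            for opt in argv[i + 1].split(","):
                key, _, val = opt.partition("=")
                opts[key] = val.split(":") if val else []
            i += 2
        elif argv[i] in ("-F", "-d"):   # filesystem type / description
            i += 2
        else:
            i += 1
    return {"path": argv[-1], "opts": opts}

def audit(dfstab_text):
    """List (path, allowed_hosts, sec, problems) for every NFS share in the text."""
    findings = []
    for line in dfstab_text.splitlines():
        share = parse_share(line)
        if share is None:
            continue
        o = share["opts"]
        hosts = o.get("rw", []) + o.get("ro", [])   # empty list = every client
        sec = (o.get("sec") or ["sys"])[0]          # AUTH_SYS is the default
        problems = []
        if not hosts:
            problems.append("no access list: exported to every client")
        if "root" in o:
            problems.append("root= lets client root act as root on the share")
        if sec == "sys":
            problems.append("sec=sys trusts the client-supplied UID")
        findings.append((share["path"], hosts, sec, problems))
    return findings
```

Run it against the real dfstab to see which home directories a root user on an arbitrary client could reach after a su to the owning UID.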



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:25:22 EDT