[TAG] NIS client root privilege
Karl-Heinz Herrmann
khh at khherrmann.de
Wed Nov 7 23:20:17 MSK 2007
On Tue, 6 Nov 2007 22:38:47 -0800 (PST)
Smile Maker <britto_can at yahoo.com> wrote:
> In nis client root can do su - username
That's one of the major security problems if anybody besides trusted
admins has root access anywhere with NFS shared files. You can switch
off that root is allowed to su without password to a different user --
but then root can allow this again of course by changing the same
config file.
The only way to give RESTRICTED root access (like apt-get ...) is
setting up sudoers file so (specific) normal users may do CERTAIN
things but definitely not everything (like sudo bash).
On the other hand with samba/cifs file it MIGHT be possible (not
tested) to allow users to mount their particular part of home to a
mount point they have access to (not all users to the same mountpoint)
with authentication. Then local root might not be able to so easily do
that much harm to other users. cifs is supposed to carry some unix
attributes over samba shares, but I'm not quite sure yet what exactly
and how to set this up with the proper fstab lines.
K.-H.
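
Added example, not part of the original message: a small audit for the sudoers point above, flagging rules that hand out "everything" (ALL, a shell, or su) instead of specific commands. The sample rules, user names and the function names `audit_sudoers` and `flagged_users` are constructed for illustration, and the parser only handles simple one-line user rules.

```shell
#!/bin/sh
# Constructed sample rules; user names are hypothetical.
SAMPLE_SUDOERS='# constructed sample, not from any real host
Defaults env_reset
alice   ALL = (root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
bob     ALL = (ALL) ALL
carol   ALL = (root) NOPASSWD: /bin/bash
dave    ALL = (root) /usr/bin/apt-get update, /bin/su'

# audit_sudoers: read sudoers text on stdin and print "user<TAB>reason"
# for every rule whose command list contains ALL, a shell, or su.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
    /^[ \t]*Defaults/ || /^[ \t]*[A-Za-z]+_Alias/ { next }
    {
        user = $1
        cmds = $0
        sub(/^[^=]*=/, "", cmds)       # keep only the part after "="
        gsub(/\([^)]*\)/, "", cmds)    # drop (runas) specifications
        gsub(/[A-Z]+:/, "", cmds)      # drop tags such as NOPASSWD:
        n = split(cmds, list, ",")
        for (i = 1; i <= n; i++) {
            c = list[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            split(c, w, /[ \t]+/)      # w[1] is the command path
            if (w[1] == "ALL")
                print user "\t" "ALL commands"
            else if (w[1] ~ /\/(ba|da|z|k|c|tc)?sh$/)
                print user "\t" "shell " w[1]
            else if (w[1] ~ /\/su$/)
                print user "\t" "su " w[1]
        }
    }'
}

# flagged_users: names of the sample users whose rules were flagged.
flagged_users() {
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers | cut -f1 | sort -u |
        paste -s -d ' ' -
}
```

To check a real host, pipe the output of `sudo cat /etc/sudoers` into `audit_sudoers`; aliases and included files are not expanded by this sketch.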