Pantek Library

Re: NIS with local root

From: Eric Severance <esev(at)esev.com>
Date: Thu Jan 30 2003 - 20:26:33 EST


Not sure why this message didn't get posted after I sent it the first time...

On Sun, 2003-01-26 at 07:28, Nicolas Justin wrote:
> Is there a way to prevent the local root from su-ing to a NIS user, and so modifying
> anyone's personal data?

There is a way to accomplish this if the workstations with root are not shared among different individuals. In this case, you can turn on the all_squash NFS option for each host and use the anonuid/anongid NFS options to map the incoming uid and gid values from that host to the uid and gid of the individual assigned to that workstation.

For example, if the host "pc001" is one of the administration workstations and you are sharing /home via NFS, your /etc/exports file might look something like this:

/home pc001(rw,all_squash,anonuid=150,anongid=150) other(rw)

Of course, this may or may not be an issue, but any user with root access could change the IP address of the host they are on and thus defeat this trick. For more info check out the man page for exports. It has a fairly good example of how to do what I just described. You could probably use the NIS netgroups to aid in setting this up.

-- 
Eric Severance 

Received on Fri Jan 31 14:19:02 2003
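
Added example (not part of the original message, and not code from the poster): a small Python model of how an NFS server maps client uids for each client entry in the exports line quoted above, showing why all_squash with anonuid removes local root's choice of identity. The function names, the probe uids 0/150/151 and the single-line parsing (no backslash continuations) are assumptions made for illustration; 65534 is the default anonymous uid documented in exports(5).

```python
import re

# Constructed sample: the /etc/exports line quoted in the message above.
SAMPLE_EXPORTS = "/home pc001(rw,all_squash,anonuid=150,anongid=150) other(rw)\n"
DEFAULT_ANON = 65534  # anonymous uid used when anonuid is not set, per exports(5)

def parse_exports(text):
    """Return {(path, client): {option: value}} for every client on every export line."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = re.fullmatch(r"([^()]+)(?:\(([^()]*)\))?", entry)
            if not m:
                continue  # malformed entry; skipped in this illustration
            opts = {}
            for item in filter(None, (m.group(2) or "").split(",")):
                key, _, val = item.partition("=")
                opts[key] = val or True  # flags become True, key=value keeps the string
            table[(path, m.group(1))] = opts
    return table

def server_uid(opts, client_uid):
    """uid the server acts as for a request that arrives carrying client_uid."""
    anon = int(opts.get("anonuid", DEFAULT_ANON))
    if opts.get("all_squash"):
        return anon  # every incoming uid is mapped to the anonymous uid
    if client_uid == 0 and not opts.get("no_root_squash"):
        return anon  # root_squash is the default: only uid 0 is remapped
    return client_uid  # any other uid is trusted as sent by the client

def audit(text, probe_uids=(0, 150, 151)):
    """Map each probe uid per client and flag clients whose local root can pick an identity."""
    report = {}
    for key, opts in parse_exports(text).items():
        mapped = {u: server_uid(opts, u) for u in probe_uids}
        # Local root can su to any uid; if the server then sees more than one
        # distinct identity, root on that client chooses whose files it touches.
        report[key] = {"mapped": mapped,
                       "root_can_impersonate": len(set(mapped.values())) > 1}
    return report

if __name__ == "__main__":
    for (path, host), result in audit(SAMPLE_EXPORTS).items():
        print(path, host, result)
```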

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:19 EDT
