Smile Maker [britto_can at yahoo.com]
Folks,
When I configure an NIS client on Linux machines, the clients' root users have exclusive access to the home directories by doing "su username".
Is there any way to prevent that?
Thanks & regards, Britto
Mulyadi Santosa [mulyadi.santosa at gmail.com]
Hi...
> Folks,
>
> When I configure NIS client in Linux machines the client's roots are having exclusive access to the home directories by doing "su username "
>
> Is there anyway to prevent that.

Do you mean, let's say I am user A. When I do:
$ su B
I switch to B and have access to B's home directory?
If it's something like that, I need to know, what directories are exported to the client? /home? /home/<user>? I guess you're exporting the whole /home?
regards,
Mulyadi
Jim Jackson [jj at franjam.org.uk]
On Tue, 6 Nov 2007, Smile Maker wrote:
> Folks,
>
> When I configure NIS client in Linux machines the client's roots are
> having exclusive access to the home directories by doing "su username "
>
> Is there anyway to prevent that.
Do you mean NIS? Or do you mean NFS?
Jim
Smile Maker [britto_can at yahoo.com]
It is on NIS.
In nis client root can do su - username
and access his files.
Faber J. Fedor [faber at linuxnj.com]
On 06/11/07 22:38 -0800, Smile Maker wrote:
> It is on NIS.
>
> In nis client root can do su - username
>
> and access his files.
I don't think there is a way to stop that, other than not mounting the directories-that-shall-not-be-accessed.
--
Regards,
Faber Fedor
President
Linux New Jersey, Inc.
908-320-0357 800-706-0701
Karl-Heinz Herrmann [khh at khherrmann.de]
On Tue, 6 Nov 2007 22:38:47 -0800 (PST) Smile Maker <britto_can@yahoo.com> wrote:
> In nis client root can do su - username
That's one of the major security problems if anybody besides trusted admins has root access anywhere with NFS shared files. You can switch off that root is allowed to su without password to a different user -- but then root can allow this again of course by changing the same config file.
The only way to give RESTRICTED root access (like apt-get ...) is setting up the sudoers file so (specific) normal users may do CERTAIN things but definitely not everything (like sudo bash).
On the other hand, with samba/cifs files it MIGHT be possible (not tested) to allow users to mount their particular part of home to a mount point they have access to (not all users to the same mountpoint) with authentication. Then local root might not be able to do that much harm to other users so easily. cifs is supposed to carry some unix attributes over samba shares, but I'm not quite sure yet what exactly and how to set this up with the proper fstab lines.
K.-H.
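
An added example, not part of the original thread: a sudoers fragment of the kind the last reply describes, with the too-broad rule shown commented out beside the restricted one. The group name "pkgadmins", the file name and the command paths are assumptions.

```sudoers
# /etc/sudoers.d/pkgadmins  (constructed example; file name is an assumption)
# Edit only through visudo so a syntax error cannot lock sudo out:
#   visudo -f /etc/sudoers.d/pkgadmins

# Too broad: any member can run "sudo bash" or "sudo su - username"
# and is then root for every purpose, including reading NFS-mounted homes.
# %pkgadmins ALL=(ALL) ALL

# Restricted: exact command lines only. Because arguments are spelled out
# with no wildcard, sudo refuses any other arguments.
Cmnd_Alias PKG_CMDS = /usr/bin/apt-get update, \
                      /usr/bin/apt-get upgrade

# Members of the (hypothetical) group pkgadmins may run PKG_CMDS as root,
# and must authenticate with their own password each time.
%pkgadmins ALL=(root) PASSWD: PKG_CMDS
```

Check the file with `visudo -cf /etc/sudoers.d/pkgadmins` before relying on it, and have the users run `sudo -l` to confirm that only the listed commands appear.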