automount question

Post by Eric Swobod » Wed, 08 Aug 2001 04:52:27



I have a server let us say A and a client B.
Solaris 2.8 and NIS installed.
I have some NIS accounts. Let us say Tom and Jerry.
Either knows the root password on the client B.
A filesystem /users is shared from A and automounted on the client.
Now Tom is able to give the command su - Jerry on the client without
password.
The problem is that Tom can destroy everything in Jerry's home directory.
How is it possible to make the client more secure?
I will let the possibility either for Tom or Jerry to connect on the client
and work in their own directory.
 
 
 


Post by Logan Sh » Wed, 08 Aug 2001 05:38:26




>I have a server let us say A and a client B.
>Solaris 2.8 and NIS installed.
>I have some NIS accounts. Let us say Tom and Jerry.
>Either knows the root password on the client B.
>A filesystem /users is shared from A and automounted on the client.
>Now Tom is able to give the command su - Jerry on the client without
>password.
>The problem is that Tom can destroy everything in Jerry's home directory.
>How is it possible to make the client more secure?

The only way is to take away the root password.

No matter what you do, even if you have some sort of system where users
must do extra authentication, the ability to become root ruins it.  If
Tom and Jerry are both logged in at once, then Jerry can become root
and trace Tom's processes and/or modify their operation (perhaps with a
debugger).  Or, Jerry could install (while root) a kernel patch to
cause Tom's processes to become Jerry's and suddenly have their output
appear on the tty of his choice.

  - Logan
--
"Our grandkids love that we get Roadrunner and digital cable."
(Advertisement for Time Warner cable TV and internet access, July 2001)

 
 
 


Post by Mathew Kirsc » Wed, 08 Aug 2001 23:51:41



> I have a server let us say A and a client B.
> Solaris 2.8 and NIS installed.
> I have some NIS accounts. Let us say Tom and Jerry.
> Either knows the root password on the client B.
> A filesystem /users is shared from A and automounted on the client.
> Now Tom is able to give the command su - Jerry on the client without
> password.
> The problem is that Tom can destroy everything in Jerry's home directory.
> How is it possible to make the client more secure?
> I will let the possibility either for Tom or Jerry to connect on the client
> and work in their own directory.

Change the root password. If you can't trust Tom to not destroy Jerry's work,
then you can't trust Tom with the root password, PERIOD!

If they need root access for certain operations, consider rbac or sudo.

 
 
 


Post by Philip Bro » Sat, 11 Aug 2001 06:39:05



>...
>If they need root access for certain operations, consider rbac or sudo.

translation for non-sun-fluent people:

"rbac" = "RBAC" = "Role-Based Access Control", or something like that.
http://docs.sun.com

--
[Trim the no-bots from my address to reply to me by email!]
[ Do NOT email-CC me on posts. Pick one or the other.]

The word of the day is mispergitude

 
 
 

1. automount question

folks

i wish to use automountd but have a question about how to have the
automounted directory be read-only when the disk that mount sits on is
mounted read-write.

i have a large local partition (/dev/hda2) mounted read-write on /export
which has the following

     /export/opt
     /export/home

i intend those dirs to be automounted as:

     /export/opt     on /opt
     /export/home    on /home

however, because the home directories of the local users are on this
disk, i need /dev/hda2 mounted as read-write, but i would like a way to
have the other two mount points, when automounted, to be read-only.  is
there a way to do this?

the automount cfg is as follows:

     # /etc/auto.master
         /home       /etc/auto.home
         /opt        /etc/auto.opt

     # /etc/auto.home
         *  :/export/home/&

     # /etc/auto.opt
         *  -ro,soft  :/export/opt/&

when anything is automounted onto /opt (such as /opt/gnome), it appears
that i am still able to write to /opt/gnome and indeed 'mount' reports that
/opt/gnome/ is mounted rw.

i'm using autofs 3.1.7 on a 2.4.19 box with glibc 2.2.5 if that's of any
help.

additionally, is it correct for the automount point (ie /opt in my case)
to only list the dirs that have been automounted?

any thoughts would be appreciated
regards
ray
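
A check for the symptom described in the post above, as an added example that is not part of the original thread: it compares the options in the autofs maps quoted in the post with what is actually mounted and reports entries the map marks `ro` that are mounted without it. The `MOUNTS` sample is constructed (in `/proc/mounts` format) and the function names are this example's own.

```python
# Added example (not from the thread): compare autofs map options with live mounts.
# Map contents are copied from the post; MOUNTS is constructed sample data.
AUTO_MASTER = "/home /etc/auto.home\n/opt /etc/auto.opt\n"
MAPS = {
    "/etc/auto.home": "*  :/export/home/&\n",
    "/etc/auto.opt": "*  -ro,soft  :/export/opt/&\n",
}
MOUNTS = """\
/dev/hda2 /export ext2 rw 0 0
/dev/hda2 /opt/gnome ext2 rw 0 0
/dev/hda2 /home/ray ext2 rw 0 0
"""


def parse_map(text):
    """Return {key: set(options)} for an indirect autofs map."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        opts = fields[1][1:].split(",") if fields[1].startswith("-") else []
        entries[fields[0]] = set(opts)
    return entries


def ro_violations(master, maps, mounts):
    """List mount points whose map entry asks for ro but are mounted without it."""
    tables = {}
    for line in master.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            tables[fields[0].rstrip("/")] = parse_map(maps.get(fields[1], ""))
    bad = []
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /opt/gnome -> map for /opt, key "gnome" (or the "*" wildcard entry)
        parent, _, key = fields[1].rpartition("/")
        entries = tables.get(parent, {})
        wanted = entries.get(key, entries.get("*"))
        if wanted is not None and "ro" in wanted and "ro" not in fields[3].split(","):
            bad.append(fields[1])
    return bad


if __name__ == "__main__":
    print("map says ro, mounted rw:", ro_violations(AUTO_MASTER, MAPS, MOUNTS))
```

On a live system the three inputs would come from `/etc/auto.master`, the map files it names, and `/proc/mounts`.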
