
Re: Who's working on centralized management?



>     AJ> Same here: i have 50 machines running debian. /usr, /opt, /home are
>     AJ> exported via nfs (ro, ro, rw), and i'm using nis for the password
>     AJ> system. Working fine, so far.
> 
> This is maybe off-topic, but perhaps you faced the same problem we have in
> our lab.  We are also using NIS for passwd sharing and NFS for /home, but
> some people with PCs in their offices have root access.  This means that
> they can "su some-user" and become "some-user" in any machine.  This is a
> security hole and we are completely lost about how to solve it.

known. i'm not affected, since all computers are in two big rooms (student
computer pool).

quick hack: if you know who is at which machine:
/home		10.0.0.1(rw,squash_uids=0-1234,1236-65534)
(similar stuff for every machine : squash all uids except the one who
 is working at that machine). maybe also squash group ids.
also possible: only export that persons home.

even worse hack, but dynamic: create a web frontend, where people can
"start" and "stop" a session (with password). write the cgi script
to add/remove the lines to the /etc/exports file, and reload the daemons.

this should work very well with kernel nfsd, since it relies on a program
to add/remove exports, which fits this dynamic approach much better.

clean approach: you need a filesystem, that works with sessions and
authenticates them. dce/dfs is not available for linux, as far as i know.
but there is a free andrew fs2 client in development (arla IIRC), and a
commercial one. servers are only available as commercial, as far as i know.

there is a free andrew fs2 like filesystem, named coda. look in the 2.2
kernel documentation for pointers. it has many nice features, but i only
know the old (and then unstable) version. current versions should be much
better.

or you could emulate one well known network filesystem: samba and smbfs
(the windows filesystem way) or some novell replacement (there were 3,
but i guess amrs is the most developed, all should work very fine) with
the ncpfs filesystem. 

the samba/smbfs/nt like solution should be better, since it does not
require ipx/spx (like novell), and is very developed and known to be
stable. i guess very few people will use it from linux to linux, but 
it's known to work very well.

> [I am not Cc:ing this to the world (=debian-devel) because it concerns a
> security hole here.  I would ask you for discretion, and if you can destroy
> this msg, even better. Thanks.]

i'm adding Cc: to debian-devel, since these insecurity problems are very
well known, were discussed at several places again and again, and it's much
harder to find good alternatives to nfs. i hope you don't mind me.

andreas
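The per-machine squashing and the start/stop session idea from the mail above, as an added example (not code from the mail or from any Debian package): it derives the squash_uids value that leaves exactly one uid unsquashed, and adds or removes the matching /home export line for one client host, which is the part the CGI script would do after checking the password. It assumes the user-space nfsd exports(5) syntax with squash_uids= that the mail shows, and the host 10.0.0.1, uid 1235 and path /home are made-up sample values; the reload step is shown as the kernel nfsd's exportfs -ra, which is an assumption about the deployed server.

```python
#!/usr/bin/env python3
"""Per-host NFS export lines that squash every uid except the one person
working at that host, plus start/stop session handling for /etc/exports.

Constructed example. Assumes the user-space nfsd exports(5) syntax
(squash_uids=a-b,c-d) shown in the mail; host names and uids are made up.
"""
import re
import subprocess

MAX_UID = 65534  # highest uid in the mail's example range


def squash_ranges(keep_uids, max_uid=MAX_UID):
    """Return the squash_uids value that squashes every uid in 0..max_uid
    except those in keep_uids. keep_uids=[1235] gives the mail's
    '0-1234,1236-65534'."""
    ranges = []
    start = 0
    for uid in sorted(set(keep_uids)):
        if uid > start:
            ranges.append((start, uid - 1))
        start = uid + 1
    if start <= max_uid:
        ranges.append((start, max_uid))
    return ",".join(f"{a}-{b}" if a != b else f"{a}" for a, b in ranges)


def export_line(path, host, keep_uids, mode="rw"):
    """One exports(5) line: path, tab, host(options)."""
    opts = f"{mode},squash_uids={squash_ranges(keep_uids)}"
    return f"{path}\t{host}({opts})"


def stop_session(exports_text, path, host):
    """Remove any line that exports `path` to exactly `host`."""
    pattern = re.compile(rf"^{re.escape(path)}\s+{re.escape(host)}\(")
    kept = [ln for ln in exports_text.splitlines() if not pattern.match(ln)]
    return "\n".join(kept) + ("\n" if kept else "")


def start_session(exports_text, path, host, uid):
    """Add (replacing any stale entry) the line that exports `path` to
    `host` with only `uid` left unsquashed; root on the client is squashed
    because uid 0 is always inside the squash range."""
    lines = stop_session(exports_text, path, host).splitlines()
    lines.append(export_line(path, host, [uid]))
    return "\n".join(lines) + "\n"


def reload_exports(dry_run=True):
    """Tell the server to re-read /etc/exports. Assumes kernel nfsd's
    exportfs(8); with dry_run the command is only returned, not executed."""
    cmd = ["exportfs", "-ra"]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Constructed sample /etc/exports content, then one start/stop cycle.
    exports = "/usr\t10.0.0.0/24(ro)\n/opt\t10.0.0.0/24(ro)\n"
    exports = start_session(exports, "/home", "10.0.0.1", 1235)
    print(exports, end="")
    print("reload:", " ".join(reload_exports()))
    exports = stop_session(exports, "/home", "10.0.0.1")
    print(exports, end="")
```

Whatever does the file rewrite needs write access to /etc/exports and the right to signal the daemons, so rather than giving the CGI script itself that privilege, a cleaner split is to let the CGI only authenticate and queue the request, and have a small root-owned helper apply the change and run the reload.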
