
Re: Problems with root on network clients

In message <20001123115831.N543@pounk.oleane.net>, Charles Goyard writes:
>Alex Pires de Camargo wrote:
>> 	I administer a network with server and clients Debian based,
>> and would like to know if I can solve this problem.
>> 	It's a little easy for a user to open a PC, damage the batteries,
>> boot with a floppy and log in as root on a client. But one thing is
>> undesirable. He can do su - <users> and do many things on users
>> homes. The rootsquash options on nfs solve the problem when the
>> user is root, but as I explain, this is not sufficient.
>> 	Is there anything I'm forgetting to do? On server I run
>> potato, nis (not nis+), nfs-kernel-server.
>There's not much you can do when users have physical access to the boxes.
>You can use the Intrusion Sensors which make the box beep when the case gets
>opened, which makes the user feel particularly uncomfortable, or you can
>glue the case :)
>Some boxes have facilities to put a lock (a physical one) on them.

System locks are good, and can work in this case.  Almost every modern
system from a major vendor (Dell, Gateway, etc.) supports them.  However,
this isn't a problem that has a technical solution.  The correct solution
is a policy-based one.  Make it clear in your documentation that actions
like that are a firable offense.  If anyone does it, fire them.  You may
also be able to sue them as well.  (Talk to the company lawyer about this)
This isn't a problem with an easy technical solution.  Policy is the way to
go here.

Ted Cabeen           http://www.pobox.com/~secabeen         secabeen@pobox.com
Check Website or Keyserver for PGP/GPG Key BA0349D2      secabeen@uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot        cabeen@netcom.com
