Re: Problems with root on network clients

[Carlos Carvalho <carlos@fisica.ufpr.br>]

The solution to this is to NOT make the xterms mount the users' homes.
This is both not necessary and a security breach.

Use xdm on the server to control the xterm display. This way users
don't need to run anything in the local machine, and the server does
not export the filesystems.

Some of our machines are also used to run numerical jobs by certain
users. These can log in in the machine, but not directly; they have to
log in the server, and do ssh to the xterm. There's a special
directory that's exported to the xterms, and the user can choose which
files he puts there. In this way if the xterm is rooted the attacker
will only have access to this directory, not the user's home.