Re: Problems with root on network clients
In message <[🔎] 20001123115831.N543@pounk.oleane.net>, Charles Goyard writes:
>Alex Pires de Camargo a écrit :
>> I administer a network with server and clients Debian based,
>> and would like to know if I can solve this problem.
>> It's a little easy to an user open a PC, damage the batteries,
>> boot with floppy and login as root in a client. But one thing is
>> undesirable. He can do su - <users> and do many things on users
>> homes. The rootsquash options on nfs solve the problem when the
>> user is root, but as I explain, this is not sufficient.
>> Is there anything I'm forgetting to make? On server I run
>> potato, nis (not nis+), nfs-kernel-server.
>
>There's not much you can do when users have physical access to the boxes.
>You can use the Intrusion Sensors wich makes the box beep when the case gens
>opened, which makes the user feel particularly uncomfortable, or you can
>glue the case :)
>
>Some boxes have facilities to put a lock (a physical one) on them.
System locks are good, and can work in this case. Almost every modern
system from a major vendor (Dell, Gateway, etc.) supports them. However,
this isn't a problem that has a technical solution. The correct solution
is a policy-based one. Make it clear in your documentation that actions
like that are a firable offense. If anyone does it, fire them. You may
also be able to sue them as well. (Talk to the company lawyer about this)
This isn't a problem with an easy techincal solution. Policy is the way to
go here.
--
Ted Cabeen http://www.pobox.com/~secabeen secabeen@pobox.com
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com
Reply to: