
Re: About how to protect network resources in LDAP environment?



* Mike Mestnik <cheako@visi.com> [100829 03:30]:
> >>thanks.  I'm totally a newbie to this nfs4/gssapi/kerberos.
> >>
> >>(1) does this approach
> >>
> >>prevent user1-> root ( su-> ) user2?
> >
> > Yes. "su" does not grant Kerberos credentials.
> >
> Can't root just read/steal and even use sockets/fifos/pipes owned by
> all other users?  Any Kerberos credentials used on the local system
> would also be usable by root.

Yes, root can always get access to everything any user on the local
machine is doing. What gssapi protects against is someone having root
on a computer you do not use (or you no longer use when the person
gets root) from impersonating you and getting access to your data on
the common server.

	Bernhard R. Link
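
Added illustration, not part of the original message: on a Linux NFS server, an export that accepts the `sys` flavor trusts the uid the client sends, which is the case where root on another machine can act as you, so this sketch flags such exports. It assumes a simplified subset of exports(5) syntax; the paths, client names and function names are constructed for the example.

```python
import re

# Constructed sample in exports(5) syntax; paths and client names are made up.
SAMPLE_EXPORTS = """\
# home directories
/export/home   *.example.org(rw,sec=krb5p)
/export/mixed  *.example.org(rw,sec=sys:krb5)
/export/old    192.0.2.0/24(rw,no_root_squash)
/export/pub    *(ro)
"""

# "client(opt,opt,...)"; both the client part and the option list are optional.
CLIENT_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")


def allowed_flavors(options):
    """Return the security flavors in an option string (default: sys)."""
    for opt in options.split(","):
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]


def audit_exports(text):
    """Return (path, client, flavors) for every export that accepts sec=sys."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if m is None:  # token outside the simplified syntax handled here
                continue
            host, opts = m.group(1) or "*", m.group(2) or ""
            flavors = allowed_flavors(opts)
            if "sys" in flavors:
                findings.append((path, host, flavors))
    return findings


if __name__ == "__main__":
    for path, host, flavors in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: accepts sec=sys ({':'.join(flavors)})")
```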

